Enabling external key management in ONTAP 9.6 and later (NVE)

You can use one or more KMIP servers to secure the keys the cluster uses to access encrypted data. Starting with ONTAP 9.6, you can use one or more KMIP servers to secure the keys a given SVM uses to access encrypted data.

Before you begin

About this task

You can connect up to four KMIP servers to a cluster or SVM. A minimum of two servers is recommended for redundancy and disaster recovery.

The scope of external key management determines whether key management servers secure all the SVMs in the cluster or selected SVMs only:

You can use both scopes in the same cluster. If key management servers have been configured for an SVM, ONTAP uses only those servers to secure keys. Otherwise, ONTAP secures keys with the key management servers configured for the cluster.

You can configure onboard key management at the cluster scope and external key management at the SVM scope. You can use the security key-manager key migrate command to migrate keys from onboard key management at the cluster scope to external key managers at the SVM scope.

Procedure

  1. Configure key manager connectivity for the cluster: security key-manager external enable -vserver admin_SVM -key-servers host_name|IP_address:port,... -client-cert client_certificate -server-ca-cert server_CA_certificates
    Note: The security key-manager external enable command replaces the security key-manager setup command. If you run the command at the cluster login prompt, admin_SVM defaults to the admin SVM of the current cluster.

    You must be the cluster administrator to configure cluster scope. You can run the security key-manager external modify command to change the external key management configuration.

    The following command enables external key management for cluster1 with three external key servers. The first key server is specified using its hostname and port, the second is specified using an IP address and the default port, and the third is specified using an IPv6 address and port:

    clusterl::> security key-manager external enable -vserver cluster1 -key-servers ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234 -client-cert AdminVserverClientCert -server-ca-certs AdminVserverServerCaCert
  2. Configure key manager connectivity for an SVM: security key-manager external enable -vserver SVM -key-servers host_name|IP_address:port,... -client-cert client_certificate -server-ca-cert server_CA_certificates
    Note: If you run the command at the SVM login prompt, SVM defaults to the current SVM.

    You must be a cluster or SVM administrator to configure SVM scope. You can run the security key-manager external modify command to change the external key management configuration.

    The following command enables external key management for svm1 with a single key server listening on the default port 5696:

    svm1l::> security key-manager external enable -vserver svm1 -key-servers keyserver.svm1.com -client-cert SVM1ClientCert -server-ca-certs SVM1ServerCaCert
  3. Repeat the last step for any additional SVMs.
    Note: You can also use the security key-manager external add servers command to configure additional SVMs. The security key-manager external add servers command replaces the security key-manager add command. For complete command syntax, see the man page.
  4. Verify that all configured KMIP servers are connected: security key-manager external show-status -node node_name
    Note: The security key-manager external show-status command replaces the security key-manager show -status command. For complete command syntax, see the man page.
    cluster1::> security key-manager external show-status
    
    Node  Vserver  Key Server                                     Status
    ----  -------  ---------------------------------------        -------------
    node1
          svm1
                   keyserver.svm1.com:5696                        available
          cluster1
                   10.0.0.10:5696                                 available
                   fd20:8b1e:b255:814e:32bd:f35c:832c:5a09:1234   available
                   ks1.local:15696                                available
    node2
          svm1
                   keyserver.svm1.com:5696                        available
          cluster1
                   10.0.0.10:5696                                 available
                   fd20:8b1e:b255:814e:32bd:f35c:832c:5a09:1234   available
                   ks1.local:15696                                available
    
    8 entries were displayed.