Skip to main content

Assign a data authentication key to a FIPS drive or SED (onboard key management)

Contributors netapp-ahibbard netapp-thomi
PDFs

You can use the storage encryption disk modify command to assign a data authentication key to a FIPS drive or SED. Cluster nodes use this key to access data on the drive.

About this task

A self-encrypting drive is protected from unauthorized access only if its authentication key ID is set to a non-default value. The manufacturer secure ID (MSID), which has key ID 0x0, is the standard default value for SAS drives. For NVMe drives, the standard default value is a null key, represented as a blank key ID. When you assign the key ID to a self-encrypting drive, the system changes its authentication key ID to a non-default value.

Before you begin

You must be a cluster administrator to perform this task.

Steps

  1. Assign a data authentication key to a FIPS drive or SED:

    storage encryption disk modify -disk disk_ID -data-key-id key_ID

    For complete command syntax, see the man page for the command.

    Note

    You can use the security key-manager key query -key-type NSE-AK command to view key IDs.

    		 
    cluster1::> storage encryption disk modify -disk 0.10.* -data-key-id 0000000000000000020000000000010019215b9738bc7b43d4698c80246db1f4

Info: Starting modify on 14 disks.
      View the status of the operation by using the
      storage encryption disk show-status command.

  2. Verify that the authentication keys have been assigned:

    storage encryption disk show

    For complete command syntax, see the man page.

    cluster1::> storage encryption disk show
Disk    Mode Data Key ID
-----   ---- ----------------------------------------------------------------
0.0.0   data 0000000000000000020000000000010019215b9738bc7b43d4698c80246db1f4
0.0.1   data 0000000000000000020000000000010059851742AF2703FC91369B7DB47C4722
[...]