Setting up Storage Encryption on the new controller module

If the existing system used Storage Encryption, you must configure the new controller module for Storage Encryption, including installing and setting up the key managers, certificates, and servers.

About this task

This procedure includes steps that are performed on both the existing controller module and the new controller module. Be sure to enter the command on the correct system.

You must enter the commands in the steps below in the nodeshell. For more information about the nodeshell, see the System Administration Reference.

Steps

  1. On the existing controller module, enter the following commands to verify that the key server is still available:
    key_manager status
    key_manager query
    Example
    The following command checks the status of all key management servers linked to the storage system:
    storage-system> key_manager status                       
    Key server                       Status
    172.18.99.175                    Server is responding

    The following command checks the status of all key management servers linked to the storage system and displays additional information:

    storage-system> key_manager query                         
    Key server 172.18.99.175 is responding.
    
    Key server 172.18.99.175 reports 4 keys.
    
    Key tag                           Key ID
    --------                          -------
    storage-system                    080CF0C80...
    storage-system                    080CF0C80...
    storage-system                    080CF0C80...
    storage-system                    080CF0C80...
    
  2. On the new controller module, complete the following steps to install the same SSL certificates that are on the existing controller module:
    1. Copy the certificate files to a temporary location on the storage system.
    2. Install the public certificate of the storage system by entering the following command at the storage system prompt: keymgr install cert /path/client.pem
    3. Install the private certificate of the storage system by entering the following command at the storage system prompt: keymgr install cert /path/client_private.pem
    4. Install the public certificate of the key management server by entering the following command at the storage system prompt: keymgr install cert /path/key_management_server_ipaddress_CA.pem
    5. If you are linking multiple key management servers to the storage system, repeat the preceding steps for each public certificate of each key management server.
  3. On the new controller module, run the Storage Encryption setup wizard to set up and install the key servers.
    You must install the same key servers that are installed on the existing controller module.
    1. Enter the following command at the storage system prompt: key_manager setup
    2. Complete the steps in the wizard to configure Storage Encryption.
    Example

    The following example shows how to configure Storage Encryption:

    storage-system*> key_manager setup
    Found client certificate file client.pem.
    Registration successful for client.pem.
    Found client private key file client_private.pem.
    Is this file protected by a passphrase? [no]: 
    Registration successful for client_private.pem.
    Enter the IP address for a key server, 'q' to quit:  172.22.192.192
    Enter the IP address for a key server, 'q' to quit:  q
    Enter the TCP port number for kmip server [6001] :
    
    You will now be prompted to enter a key tag name. The
    key tag name is used to identify all keys belonging to this
    Data ONTAP system. The default key tag name is based on the
    system's hostname.
    
    Would you like to use <storage-system> as the default key tag name? [yes]: 
    
    Registering 1 key servers...
    Found client CA certificate file 172.22.192.192_CA.pem.
    Registration successful for 172.22.192.192_CA.pem.
    Registration complete.
    
    You will now be prompted for a subset of your network configuration
    setup.  These parameters will define a pre-boot network environment
    allowing secure connections to the registered key server(s).
    
    Enter network interface:  e0a
    Enter IP address:  172.16.132.165
    Enter netmask:   255.255.252.0
    Enter gateway:  172.16.132.1
    
    Do you wish to enter or generate a passphrase for the system's
    encrypting drives at this time? [yes]:  yes
    
    Would you like the system to autogenerate a passphrase? [yes]:  yes
    
    Key ID: 080CDCB20000000001000000000000003FE505B0C5E3E76061EE48E02A29822C
    
    Make sure that you keep a copy of your passphrase, key ID, and key tag
    name in a secure location in case it is ever needed for recovery purposes.
    
    Should the system lock all encrypting drives at this time? yes
    Completed rekey on 4 disks: 4 successes, 0 failures, including 0 unknown key and 0 authentication failures.
    Completed lock on 4 disks: 4 successes, 0 failures, including 0 unknown key and 0 authentication failures.
    
  4. On the existing controller module, enter the applicable command to restore authentication keys either from all linked key management servers or from a specific one:
    • key_manager restore -all
    • key_manager restore -key_server key_server_ip_address
  5. On the existing controller module, rekey all of the disks by entering the following command at the prompt: key_manager rekey -keytag key_tag
    key_tag is the key tag name specified in the setup wizard in step 3.
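Before the rekey in step 5 is issued, it is worth confirming from the step 1 output that every linked key server is still responding, that each server lists as many keys as it claims to hold, and that every key is filed under the key tag the rekey command will be given. The following Python script is an added example, not part of this procedure or of Data ONTAP: it parses text copied out of the nodeshell from key_manager status and key_manager query (in the layout shown in step 1) and only hands back the rekey command when those checks pass. The sample output, the second key server with its non-responding status line, and the 64-digit key IDs are constructed for the example and are not real key material.

```python
"""Pre-rekey sanity check for the key_manager output shown in this procedure.

Added example, not part of the original procedure or of Data ONTAP. It reads
the text printed by `key_manager status` and `key_manager query` and returns
the step 5 rekey command only when every linked key server responds, each
server's reported key count matches the rows it lists, and every key carries
the expected key tag.
"""
import re

RESPONDING = "Server is responding"   # status string shown in step 1's example
KEY_ID_HEX_DIGITS = 64                # length of the Key ID in the setup example

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATUS_LINE = re.compile(rf"^({IPV4})\s+(.+?)\s*$", re.M)
REPORTS_LINE = re.compile(rf"^Key server ({IPV4}) reports (\d+) keys?\.\s*$", re.M)
KEY_ROW = re.compile(r"^(\S+)\s+([0-9A-Fa-f]{8,})\s*$", re.M)


def _placeholder_key_id(n):
    """Constructed 64-hex-digit Key ID for the sample; not real key material."""
    return f"080CF0C8{n:056X}"


# Constructed sample of `key_manager status`, modelled on step 1's example.
# The second server and its non-responding status line are made up to
# exercise the failure path.
SAMPLE_STATUS = (
    "Key server                       Status\n"
    "172.18.99.175                    Server is responding\n"
    "172.18.99.176                    Server is not responding\n"
)
HEALTHY_STATUS = "".join(SAMPLE_STATUS.splitlines(keepends=True)[:2])

# Constructed sample of `key_manager query`, modelled on step 1's example.
SAMPLE_QUERY = (
    "Key server 172.18.99.175 is responding.\n\n"
    "Key server 172.18.99.175 reports 4 keys.\n\n"
    "Key tag                           Key ID\n"
    "--------                          -------\n"
    + "".join(f"storage-system                    {_placeholder_key_id(n)}\n"
              for n in range(1, 5))
)


def parse_status(text):
    """Map each key server address in `key_manager status` output to its status text."""
    return {ip: status for ip, status in STATUS_LINE.findall(text)}


def unresponsive_servers(text):
    """Key servers whose status is anything other than 'Server is responding'."""
    return sorted(ip for ip, status in parse_status(text).items() if status != RESPONDING)


def parse_query(text):
    """Per key server: the key count it reports and the (key tag, key ID) rows under it."""
    servers = {}
    reports = list(REPORTS_LINE.finditer(text))
    for i, m in enumerate(reports):
        end = reports[i + 1].start() if i + 1 < len(reports) else len(text)
        rows = [(tag, key_id.upper()) for tag, key_id in KEY_ROW.findall(text[m.end():end])]
        servers[m.group(1)] = {"reported": int(m.group(2)), "keys": rows}
    return servers


def preflight(status_text, query_text, expected_tag):
    """Problems that should block `key_manager rekey -keytag <expected_tag>`; empty when clean."""
    problems = [f"key server {ip}: not responding" for ip in unresponsive_servers(status_text)]
    servers = parse_query(query_text)
    if not servers:
        problems.append("no key server reported any keys")
    for ip, info in servers.items():
        if info["reported"] != len(info["keys"]):
            problems.append(f"key server {ip}: reports {info['reported']} keys but lists {len(info['keys'])}")
        for tag, key_id in info["keys"]:
            if tag != expected_tag:
                problems.append(f"key server {ip}: key {key_id[:8]}... has tag {tag!r}, expected {expected_tag!r}")
            if len(key_id) != KEY_ID_HEX_DIGITS:
                problems.append(f"key server {ip}: key {key_id[:8]}... has {len(key_id)} hex digits, expected {KEY_ID_HEX_DIGITS}")
    return problems


def rekey_command(status_text, query_text, expected_tag):
    """The step 5 command from the procedure, or None if the preflight found problems."""
    if preflight(status_text, query_text, expected_tag):
        return None
    return f"key_manager rekey -keytag {expected_tag}"


if __name__ == "__main__":
    for label, status in (("healthy", HEALTHY_STATUS), ("one server down", SAMPLE_STATUS)):
        print(f"[{label}] problems:", preflight(status, SAMPLE_QUERY, "storage-system") or "none")
        print(f"[{label}] command:", rekey_command(status, SAMPLE_QUERY, "storage-system"))
```

Paste the real nodeshell output into the two text arguments and pass the key tag chosen in the step 3 wizard as expected_tag; a non-empty problem list means a key server or key tag mismatch that should be resolved on the existing controller module before any disks are rekeyed.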