security key-manager query

Displays the key IDs stored in a key management server.

Availability: This command is available to cluster administrators at the admin privilege level.

Description

This command displays the IDs of the keys that are stored on the key management servers. This command does not update the key tables on the node. To refresh the key tables on the nodes with the key management server key tables, run the security key-manager restore command. This command is not supported when onboard key management is enabled.

Parameters

{ [-fields <fieldname>, ...]
If you specify the -fields <fieldname>, ... parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.
| [-instance ]}
If you specify the -instance parameter, the command displays detailed information about all fields.
[-node {<nodename>|local}] - Node
This parameter specifies the name of the node that queries the specified key management servers. If this parameter is not specified, then all nodes will query the specified key management servers.
[-address <IP Address>] - IP Address
This parameter specifies the IP address of the key management server that you want to query.
[-key-id <key id>] - Key ID
If you specify this parameter, then the command displays only the key IDs that match the specified value.
[-key-tag <text>] - Key Tag
If you specify this parameter, then the command displays only the key IDs that match the specified value. The key-tag for Volume Encryption Keys (VEKs) is set to the UUID of the encrypted volume.
[-key-type <Key Usage Type>] - Key Type
If you specify this parameter, then the command displays only the key IDs that match the specified value.
[-count <integer>] - (DEPRECATED) Key Server's Total Key Count
The -count parameter is deprecated and may be removed in a future release of Data ONTAP. It specifies the total number of keys stored in the key management servers. If you specify this parameter, then the command displays only the key IDs retrieved from key management servers whose total key count matches the specified number.
[-restored {yes|no}] - Key/Key ID Pair Present in Node's Key Table?
This parameter specifies whether the key corresponding to the displayed key ID is present in the specified node's internal key table. If you specify 'yes' for this parameter, then the command displays the key IDs of only those keys that are present in the system's internal key table. If you specify 'no' for this parameter, then the command displays the key IDs of only those keys that are not present in the system's internal key table.
[-key-manager-server-status {available|not-responding|unknown}] - Command Error Code
This parameter specifies the connectivity status of the key management server. If you specify this parameter, then the command displays only the key IDs retrieved from the key management servers with specified status.

Examples

The following example shows all the keys on all configured key servers, and whether those keys have been restored for all nodes in the cluster:

cluster-1::> security key-manager query

          Node: node1
   Key Manager: 10.0.0.10
 Server Status: available

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001001d71f3b2468d7e16a6e6972d3e6645200000000000000000
301a4e57-9efb-11e7-b2bc-0050569c227f  VEK       yes
    Key ID: 000000000000000002000000000005004d03aca5b72cd20b2f83eae1531c605e0000000000000000


          Node: node2
   Key Manager: 10.0.0.10
 Server Status: available

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001001d71f3b2468d7e16a6e6972d3e6645200000000000000000
301a4e57-9efb-11e7-b2bc-0050569c227f  VEK       no
    Key ID: 000000000000000002000000000005004d03aca5b72cd20b2f83eae1531c605e0000000000000000

If any listed keys have "no" in the "Restored" column, run "security key-manager restore" to restore those keys.

The following example shows all keys stored on the key server with address "10.0.0.10" from node "node1" with key-tag "node1":

cluster-1::> security key-manager query -address 10.0.0.10 -node node1 -key-tag node1

          Node: node1
   Key Manager: 10.0.0.10
 Server Status: available

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001001d71f3b2468d7e16a6e6972d3e6645200000000000000000

If any listed keys have "no" in the "Restored" column, run "security key-manager restore" to restore those keys.

The following example shows the Volume Encryption Key (VEK) with key-tag (i.e., volume UUID) "301a4e57-9efb-11e7-b2bc-0050569c227f" on nodes where that key has not been restored:

cluster-1::*> security key-manager query -key-type VEK -key-tag 301a4e57-9efb-11e7-b2bc-0050569c227f -restored no

          Node: node2
   Key Manager: 10.0.0.10
 Server Status: available

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
301a4e57-9efb-11e7-b2bc-0050569c227f  VEK       no
    Key ID: 000000000000000002000000000005004d03aca5b72cd20b2f83eae1531c605e0000000000000000

If any listed keys have "no" in the "Restored" column, run "security key-manager restore" to restore those keys.
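Added example (not part of the ONTAP documentation): a small Python parser for the output format shown above that carries the per-node header into each key row and lists the key IDs a node has not restored, the check the trailing message asks the administrator to make before running "security key-manager restore". The sample text is constructed from the first example on this page.

```python
import re
# Constructed sample: the first example's output on this page without blank lines (node2 lacks the VEK).
SAMPLE_OUTPUT = """\
          Node: node1
   Key Manager: 10.0.0.10
 Server Status: available
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001001d71f3b2468d7e16a6e6972d3e6645200000000000000000
301a4e57-9efb-11e7-b2bc-0050569c227f  VEK       yes
    Key ID: 000000000000000002000000000005004d03aca5b72cd20b2f83eae1531c605e0000000000000000
          Node: node2
   Key Manager: 10.0.0.10
 Server Status: available
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
301a4e57-9efb-11e7-b2bc-0050569c227f  VEK       no
    Key ID: 000000000000000002000000000005004d03aca5b72cd20b2f83eae1531c605e0000000000000000
If any listed keys have "no" in the "Restored" column, run "security key-manager
restore" to restore those keys.
"""
HEADER_RE = re.compile(r"^\s*(Node|Key Manager|Server Status):\s*(\S+)\s*$")
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(yes|no)\s*$")
KEYID_RE = re.compile(r"^\s*Key ID:\s*([0-9a-fA-F]+)\s*$")

def parse_query_output(text):
    """Return one dict per key row, carrying the node/server context it was listed under."""
    records, context, current = [], {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # per-node block header: Node / Key Manager / Server Status
            context[m.group(1)] = m.group(2)
            continue
        m = KEYID_RE.match(line)
        if m and current is not None:  # indented Key ID line belongs to the row above it
            current["key_id"] = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m:  # key row: tag, type, restored flag (column header and dashed rule never match)
            current = {"node": context.get("Node"), "server": context.get("Key Manager"),
                       "status": context.get("Server Status"), "key_tag": m.group(1),
                       "key_type": m.group(2), "restored": m.group(3) == "yes", "key_id": None}
            records.append(current)
    return records

def keys_needing_restore(records, key_type=None):
    """Keys the server holds but a node's key table lacks (Restored == no), optionally by type."""
    return [r for r in records if not r["restored"] and key_type in (None, r["key_type"])]
```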