Release notes
Return a FIPS drive or SED to unprotected mode
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Data protection with the CLI
-
-
Collection of separate PDF docs
Creating your file...
A FIPS drive or SED is protected from unauthorized access only if the authentication key ID for the node is set to a value other than the default. You can return a FIPS drive or SED to unprotected mode by using the storage encryption disk modify command to set the key ID to the default.
If an HA pair is using encrypting SAS or NVMe drives (SED, NSE, FIPS), you must follow this process for all drives within the HA pair prior to initializing the system (boot options 4 or 9). Failure to do this may result in future data loss if the drives are repurposed.
You must be a cluster administrator to perform this task.
-
Set the privilege level to advanced:
set -privilege advanced -
If a FIPS drive is running in FIPS-compliance mode, set the FIPS authentication key ID for the node back to the default MSID 0x0:
storage encryption disk modify -disk disk_id -fips-key-id 0x0You can use the
security key-manager querycommand to view key IDs.cluster1::> storage encryption disk modify -disk 2.10.11 -fips-key-id 0x0 Info: Starting modify on 14 disks. View the status of the operation by using the storage encryption disk show-status command.Confirm the operation succeeded with the command:
storage encryption disk show-statusRepeat the show-status command until the numbers in “Disks Begun” and “Disks Done” are the same.
cluster1:: storage encryption disk show-status FIPS Latest Start Execution Disks Disks Disks Node Support Request Timestamp Time (sec) Begun Done Successful ------- ------- -------- ------------------ ---------- ------ ------ ---------- cluster1 true modify 1/18/2022 15:29:38 3 14 5 5 1 entry was displayed. -
Set the data authentication key ID for the node back to the default MSID 0x0:
storage encryption disk modify -disk disk_id -data-key-id 0x0The value of
-data-key-idshould be set to 0x0 whether you are returning a SAS or NVMe drive to unprotected mode.You can use the
security key-manager querycommand to view key IDs.cluster1::> storage encryption disk modify -disk 2.10.11 -data-key-id 0x0 Info: Starting modify on 14 disks. View the status of the operation by using the storage encryption disk show-status command.Confirm the operation succeeded with the command:
storage encryption disk show-statusRepeat the show-status command until the numbers are the same. The operation is complete when the numbers in “disks begun” and “disks done” are the same.
Maintenance mode
Beginning with ONTAP 9.7, you can rekey a FIPS drive from maintenance mode. You should only use maintenance mode if you cannot use the ONTAP CLI instructions in the earlier section.
-
Set the FIPS authentication key ID for the node back to the default MSID 0x0:
disk encrypt rekey_fips 0x0 disklist -
Set the data authentication key ID for the node back to the default MSID 0x0:
disk encrypt rekey 0x0 disklist -
Confirm the FIPS authentication key was successfully rekeyed:
disk encrypt show_fips -
Confirm data authentication key was successfully rekeyed with:
disk encrypt showYour output will likely display either the default MSID 0x0 key ID or the 64-character value held by the key server. The
Locked?field refers to data-locking.
Disk FIPS Key ID Locked? ---------- --------------------------- ------- 0a.01.0 0x0 Yes