Restore external key management encryption keys
You can manually restore external key management encryption keys and push them to a different node. You might want to do this if you are restarting a node that was down temporarily when you created the keys for the cluster.
In ONTAP 9.6 and later, you can use the security key-manager key query -node node_name command to verify whether your key needs to be restored. In ONTAP 9.5 and earlier, you can use the security key-manager key show command to verify whether your key needs to be restored.
If you are using NSE on a system with a Flash Cache module, you should also enable NVE or NAE. NSE does not encrypt data that resides on the Flash Cache module.
You must be a cluster or SVM administrator to perform this task.
- If you are running ONTAP 9.8 or later and your root volume is encrypted, do the following. If you are running ONTAP 9.7 or earlier, or if you are running ONTAP 9.8 or later and your root volume is not encrypted, skip this step.
  - Set the bootargs:
    setenv kmip.init.ipaddr <ip-address>
    setenv kmip.init.netmask <netmask>
    setenv kmip.init.gateway <gateway>
    setenv kmip.init.interface e0M
    boot_ontap
  - Boot the node to the boot menu and select option (11) Configure node for external key management.
  - Follow the prompts to enter the management certificate. After all management certificate information is entered, the system returns to the boot menu.
  - From the boot menu, select option (1) Normal Boot.
- Restore the key:

  For this ONTAP version…   Use this command…
  ONTAP 9.6 and later       security key-manager external restore -vserver SVM -node node -key-server host_name|IP_address:port -key-id key_id -key-tag key_tag
  ONTAP 9.5 and earlier     security key-manager restore -node node -address IP_address -key-id key_id -key-tag key_tag

  node defaults to all nodes. For complete command syntax, see the man pages. This command is not supported when onboard key management is enabled.

  The following ONTAP 9.6 command restores external key management authentication keys to all nodes in cluster1:

  cluster1::> security key-manager external restore