Release notes
Create authentication keys in ONTAP 9.6 and later
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Data protection with the CLI
-
-
Collection of separate PDF docs
Creating your file...
You can use the security key-manager key create command to create the authentication keys for a node and store them on the configured KMIP servers.
If your security setup requires you to use different keys for data authentication and FIPS 140-2 authentication, you should create a separate key for each. If that's not the case, you can use the same authentication key for FIPS compliance that you use for data access.
ONTAP creates authentication keys for all nodes in the cluster.
-
This command is not supported when Onboard Key Manager is enabled. However, two authentication keys are created automatically when Onboard Key Manager is enabled. The keys can be viewed with the following command:
security key-manager key query -key-type NSE-AK -
You receive a warning if the configured key management servers are already storing more than 128 authentication keys.
-
You can use the
security key-manager key deletecommand to delete any unused keys. Thesecurity key-manager key deletecommand fails if the given key is currently in use by ONTAP. (You must have privileges greater than “admin” to use this command.)
In a MetroCluster environment, before you delete a key, you must make sure that the key is not in use on the partner cluster. You can use the following commands on the partner cluster to check that the key is not in use:
-
storage encryption disk show -data-key-id key-id -
storage encryption disk show -fips-key-id key-id
-
You must be a cluster administrator to perform this task.
-
Create the authentication keys for cluster nodes:
security key-manager key create -key-tag passphrase_label -prompt-for-key true|false
Setting
prompt-for-key=truecauses the system to prompt the cluster administrator for the passphrase to use when authenticating encrypted drives. Otherwise, the system automatically generates a 32-byte passphrase. Thesecurity key-manager key createcommand replaces thesecurity key-manager create-keycommand. For complete command syntax, see the man page.The following example creates the authentication keys for
cluster1, automatically generating a 32-byte passphrase:cluster1::> security key-manager key create Key ID: 000000000000000002000000000001006268333f870860128fbe17d393e5083b0000000000000000
-
Verify that the authentication keys have been created:
security key-manager key query -node node
The
security key-manager key querycommand replaces thesecurity key-manager query keycommand. For complete command syntax, see the man page. The key ID displayed in the output is an identifier used to refer to the authentication key. It is not the actual authentication key or the data encryption key.The following example verifies that authentication keys have been created for
cluster1:cluster1::> security key-manager key query Vserver: cluster1 Key Manager: external Node: node1 Key Tag Key Type Restored ------------------------------------ -------- -------- node1 NSE-AK yes Key ID: 000000000000000002000000000001000c11b3863f78c2273343d7ec5a67762e0000000000000000 node1 NSE-AK yes Key ID: 000000000000000002000000000001006f4e2513353a674305872a4c9f3bf7970000000000000000 Vserver: cluster1 Key Manager: external Node: node2 Key Tag Key Type Restored ------------------------------------ -------- -------- node2 NSE-AK yes Key ID: 000000000000000002000000000001000c11b3863f78c2273343d7ec5a67762e0000000000000000 node2 NSE-AK yes Key ID: 000000000000000002000000000001006f4e2513353a674305872a4c9f3bf7970000000000000000