
Return a FIPS drive or SED to service when authentication keys are lost

Contributors netapp-ahibbard netapp-thomi

The system treats a FIPS drive or SED as broken if you lose its authentication keys permanently and cannot retrieve them from the KMIP server. You cannot access or recover the data on the disk, but you can take steps to return the drive to service as a spare so that its capacity can be used for data again.

Before you begin

You must be a cluster administrator to perform this task.

About this task

You should use this process only if you are certain that the authentication keys for the FIPS drive or SED are permanently lost and that you cannot recover them.

If the disks are partitioned, they must first be unpartitioned before you can start this process.

Note: The command to unpartition a disk is only available at the diag level and should be performed only under NetApp Support supervision. It is highly recommended that you contact NetApp Support before you proceed. You can also refer to the Knowledge Base article How to unpartition a spare drive in ONTAP.

Steps
  1. Return a FIPS drive or SED to service:

    Use the steps that match the state of the SEDs.

    If the SEDs are not in FIPS-compliance mode, or are in FIPS-compliance mode and the FIPS key is available, use these steps:

    1. Set the privilege level to advanced:
      set -privilege advanced

    2. Reset the FIPS key to the default manufacturer secure ID 0x0:
      storage encryption disk modify -fips-key-id 0x0 -disk disk_id

    3. Verify the operation succeeded:
      storage encryption disk show-status
      If the operation failed, use the PSID process in this topic.

    4. Sanitize the broken disk:
      storage encryption disk sanitize -disk disk_id
      Verify the operation succeeded with the command storage encryption disk show-status before proceeding to the next step.

    5. Unfail the sanitized disk:
      storage disk unfail -spare true -disk disk_id

    6. Check whether the disk has an owner:
      storage disk show -disk disk_id

      If the disk does not have an owner, assign one:
      storage disk assign -owner node -disk disk_id

      Then enter the nodeshell for the node that owns the disk:
        system node run -node node_name

      and run the disk sanitize release command on the disk.

    7. Exit the nodeshell. Unfail the disk again:
      storage disk unfail -spare true -disk disk_id

    8. Verify that the disk is now a spare and ready to be reused in an aggregate:
      storage disk show -disk disk_id

    If the SEDs are in FIPS-compliance mode, the FIPS key is not available, and the SEDs have a PSID printed on the label, use these steps:

    1. Obtain the PSID of the disk from the disk label. The PSID authorizes only a revert to factory state, which destroys the drive's data encryption key; it cannot unlock or recover the existing data.

    2. Set the privilege level to advanced:
      set -privilege advanced

    3. Reset the disk to its factory-configured settings:
      storage encryption disk revert-to-original-state -disk disk_id -psid disk_physical_secure_id
      Verify the operation succeeded with the command storage encryption disk show-status before proceeding to the next step.

    4. If you are running ONTAP 9.8P5 or earlier, skip to the next step. If you are running ONTAP 9.8P6 or later, unfail the sanitized disk.
      storage disk unfail -disk disk_id

    5. Check whether the disk has an owner:
      storage disk show -disk disk_id

      If the disk does not have an owner, assign one:
      storage disk assign -owner node -disk disk_id

      Then enter the nodeshell for the node that owns the disk:
        system node run -node node_name

      and run the disk sanitize release command on the disk.

    6. Exit the nodeshell. Unfail the disk again:
      storage disk unfail -spare true -disk disk_id

    7. Verify that the disk is now a spare and ready to be reused in an aggregate:
      storage disk show -disk disk_id
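The two command sequences above, driven from a shell over SSH, as an added example (this is not NetApp's code and does not appear on the original page). It assumes ssh key authentication to a cluster management LIF called cluster1-mgmt as admin, a disk 1.0.5 and a node node1, all hypothetical names; the owner check assumes the two-column layout of storage disk show -fields owner. Set DRY_RUN=1 to print the ONTAP commands it would issue instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not NetApp's code: drives the two command sequences above over
# SSH to the cluster management LIF and makes the branch choices explicit.
# Hypothetical names: CLUSTER_MGMT, CLUSTER_USER, disk 1.0.5, node node1.
# DRY_RUN=1 prints the ONTAP commands instead of running them.
set -eu

CLUSTER_MGMT="${CLUSTER_MGMT:-cluster1-mgmt}"
CLUSTER_USER="${CLUSTER_USER:-admin}"
DRY_RUN="${DRY_RUN:-0}"
# Each ssh invocation is a fresh ONTAP session at admin privilege, so the
# advanced-privilege step is prefixed to every command that needs it.
ADV="set -privilege advanced -confirmations off;"

ontap() {                                   # run (or print) one ONTAP command line
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"
  else ssh "${CLUSTER_USER}@${CLUSTER_MGMT}" "$*"; fi
}

# Row selection: "key" if the drive is not in FIPS-compliance mode or its FIPS
# key is still usable, "psid" if only the label PSID is available, "none" if
# neither (the drive cannot be returned to service).
select_path() {                             # args: fips_mode(yes|no) key_available(yes|no) psid
  if [ "$1" = "no" ] || [ "$2" = "yes" ]; then echo key
  elif [ -n "${3:-}" ]; then echo psid
  else echo none; fi
}

# Exit 0 for ONTAP 9.8P6 or later, 1 for 9.8P5 or earlier. Release strings look
# like 9.8, 9.8P6 or 9.9.1P2; a missing P-level counts as P0.
ontap_at_least_98p6() {
  local v="$1" base patch major rest minor micro
  base="${v%%P*}"; patch="${v#"$base"}"; patch="${patch#P}"; patch="${patch:-0}"
  major="${base%%.*}"; rest="${base#*.}"; minor="${rest%%.*}"
  case "$rest" in *.*) micro="${rest#*.}" ;; *) micro=0 ;; esac
  [ $((major * 100000000 + minor * 1000000 + micro * 1000 + patch)) -ge 908000006 ]
}

# Show encryption status and make the operator confirm success before the next
# irreversible step; answering anything but "y" aborts the run via set -e.
confirm_status() {
  ontap "$ADV storage encryption disk show-status"
  [ "$DRY_RUN" = "1" ] && return 0
  printf 'Did the operation on the disk succeed? [y/N] '; read -r ans; [ "$ans" = y ]
}

# Owner of a disk, "-" when unassigned. Assumes the two-column layout of
# 'storage disk show -fields owner'; DRY_RUN_OWNER stands in for it in dry runs.
disk_owner() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "${DRY_RUN_OWNER:--}"; return 0; fi
  ontap "storage disk show -disk $1 -fields owner" | awk -v d="$1" '$1 == d && NF >= 2 { print $2 }'
}

# Whole procedure for one disk. args: disk node version fips_mode key_available [psid]
return_sed_to_service() {
  local disk="$1" node="$2" version="$3" psid="${6:-}" path
  path="$(select_path "$4" "$5" "$psid")"
  case "$path" in
    key)
      ontap "$ADV storage encryption disk modify -fips-key-id 0x0 -disk $disk"
      confirm_status                      # if this fails, fall back to the PSID row
      ontap "$ADV storage encryption disk sanitize -disk $disk"
      confirm_status
      ontap "storage disk unfail -spare true -disk $disk" ;;
    psid)
      ontap "$ADV storage encryption disk revert-to-original-state -disk $disk -psid $psid"
      confirm_status
      # 9.8P5 and earlier skip this unfail; 9.8P6 and later need it here.
      if ontap_at_least_98p6 "$version"; then ontap "storage disk unfail -disk $disk"; fi ;;
    *) echo "$disk: no usable FIPS key and no PSID, the disk stays broken" >&2; return 2 ;;
  esac
  [ "$(disk_owner "$disk")" != "-" ] || ontap "storage disk assign -owner $node -disk $disk"
  ontap "system node run -node $node disk sanitize release $disk"   # nodeshell, one invocation
  ontap "storage disk unfail -spare true -disk $disk"
  ontap "storage disk show -disk $disk"   # the disk should now be a spare
}

# Direct use: ./sed_recover.sh DISK NODE VERSION yes|no yes|no [PSID]
if [ $# -ge 5 ]; then return_sed_to_service "$@"; fi
```

Two design points: every ssh call starts a new session at admin privilege, so set -privilege advanced is chained in front of each advanced command rather than issued once; and the script does not parse storage encryption disk show-status (its layout is not given on this page), it pauses and asks the operator to confirm, which is the check the steps require before each irreversible command.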

For complete command syntax, see the command reference.