Skip to main content
Install and maintain

Check onboard encryption keys - AFF A250

Contributors dougthomp netapp-martyh netapp-jsnyder thrisun

Prior to shutting down the impaired controller and checking the status of the onboard encryption keys, you must check the status of the impaired controller, disable automatic giveback, and check which version of ONTAP is running on the system.

If you have a cluster with more than two nodes, it must be in quorum. If the cluster is not in quorum or a healthy controller shows false for eligibility and health, you must correct the issue before shutting down the impaired controller; see the Synchronize a node with the cluster.

Steps
  1. Check the status of the impaired controller:

    • If the impaired controller is at the login prompt, log in as admin.

    • If the impaired controller is at the LOADER prompt and is part of HA configuration, log in as admin on the healthy controller.

    • If the impaired controller is in a standalone configuration and at LOADER prompt, contact mysupport.netapp.com.

  2. If AutoSupport is enabled, suppress automatic case creation by invoking an AutoSupport message: system node autosupport invoke -node * -type all -message MAINT=number_of_hours_downh

    The following AutoSupport message suppresses automatic case creation for two hours: cluster1:*> system node autosupport invoke -node * -type all -message MAINT=2h

  3. Check the version of ONTAP the system is running on the impaired controller if up, or on the partner controller if the impaired controller is down, using the version -v command:

    • If <lno-DARE> or <1Ono-DARE> is displayed in the command output, the system does not support NVE, proceed to shut down the controller.

    • If <lno-DARE> is not displayed in the command output, and the system is running ONTAP 9.6 or later, go to the next section.

  4. If the impaired controller is part of an HA configuration, disable automatic giveback from the healthy controller: storage failover modify -node local -auto-giveback false or storage failover modify -node local -auto-giveback-after-panic false

Check NVE or NSE on systems running ONTAP 9.6 and later

Before shutting down the impaired controller, you need to verify whether the system has either NetApp Volume Encryption (NVE) or NetApp Storage Encryption (NSE) enabled. If so, you need to verify the configuration.

  1. Verify whether NVE is in use for any volumes in the cluster: volume show -is-encrypted true

    If any volumes are listed in the output, NVE is configured and you need to verify the NVE configuration. If no volumes are listed, check whether NSE is configured and in use.

  2. Verify whether NSE is configured and in use: storage encryption disk show

    • If the command output lists the drive details with Mode & Key ID information, NSE is configured and you need to verify the NSE configuration and in use.

    • If no disks are shown, NSE is not configured.

    • If NVE and NSE are not configured, no drives are protected with NSE keys, it's safe to shut down the impaired controller.

Verify NVE configuration

  1. Display the key IDs of the authentication keys that are stored on the key management servers: security key-manager key query

    Note After the ONTAP 9.6 release, you may have additional key manager types. The types are KMIP, AKV, and GCP. The process for confirming these types is the same as confirming external or onboard key manager types.
    • If the Key Manager type displays external and the Restored column displays yes, it's safe to shut down the impaired controller.

    • If the Key Manager type displays onboard and the Restored column displays yes, you need to complete some additional steps.

    • If the Key Manager type displays external and the Restored column displays anything other than yes, you need to complete some additional steps.

    • If the Key Manager type displays onboard and the Restored column displays anything other than yes, you need to complete some additional steps.

  2. If the Key Manager type displays onboard and the Restored column displays yes, manually back up the OKM information:

    1. Go to advanced privilege mode and enter y when prompted to continue: set -priv advanced

    2. Enter the command to display the key management information: security key-manager onboard show-backup

    3. Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.

    4. Return to admin mode: set -priv admin

    5. Shut down the impaired controller.

  3. If the Key Manager type displays external and the Restored column displays anything other than yes:

    1. Restore the external key management authentication keys to all nodes in the cluster: security key-manager external restore

      If the command fails, contact NetApp Support.

    2. Verify that the Restored column equals yes for all authentication keys: security key-manager key query

    3. Shut down the impaired controller.

  4. If the Key Manager type displays onboard and the Restored column displays anything other than yes:

    1. Enter the onboard security key-manager sync command: security key-manager onboard sync

      Note Enter the customer's 32 character, alphanumeric onboard key management passphrase at the prompt. If the passphrase cannot be provided, contact NetApp Support. mysupport.netapp.com
    2. Verify the Restored column shows yes for all authentication keys: security key-manager key query

    3. Verify that the Key Manager type shows onboard, and then manually back up the OKM information.

    4. Go to advanced privilege mode and enter y when prompted to continue: set -priv advanced

    5. Enter the command to display the key management backup information: security key-manager onboard show-backup

    6. Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.

    7. Return to admin mode: set -priv admin

    8. You can safely shut down the controller.

Verify NSE configuration

  1. Display the key IDs of the authentication keys that are stored on the key management servers: security key-manager key query -key-type NSE-AK

    Note After the ONTAP 9.6 release, you may have additional key manager types. The types are KMIP, AKV, and GCP. The process for confirming these types is the same as confirming external or onboard key manager types.
    • If the Key Manager type displays external and the Restored column displays yes, it's safe to shut down the impaired controller.

    • If the Key Manager type displays onboard and the Restored column displays yes, you need to complete some additional steps.

    • If the Key Manager type displays external and the Restored column displays anything other than yes, you need to complete some additional steps.

    • If the Key Manager type displays external and the Restored column displays anything other than yes, you need to complete some additional steps.

  2. If the Key Manager type displays onboard and the Restored column displays yes, manually back up the OKM information:

    1. Go to advanced privilege mode and enter y when prompted to continue: set -priv advanced

    2. Enter the command to display the key management information: security key-manager onboard show-backup

    3. Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.

    4. Return to admin mode: set -priv admin

    5. You can safely shut down the controller.

  3. If the Key Manager type displays external and the Restored column displays anything other than yes:

    1. Restore the external key management authentication keys to all nodes in the cluster: security key-manager external restore

      If the command fails, contact NetApp Support.

    2. Verify that the Restored column equals yes for all authentication keys: security key-manager key query

    3. You can safely shut down the controller.

  4. If the Key Manager type displays onboard and the Restored column displays anything other than yes:

    1. Enter the onboard security key-manager sync command: security key-manager onboard sync

      Enter the customer's 32 character, alphanumeric onboard key management passphrase at the prompt. If the passphrase cannot be provided, contact NetApp Support.

    2. Verify the Restored column shows yes for all authentication keys: security key-manager key query

    3. Verify that the Key Manager type shows onboard, and then manually back up the OKM information.

    4. Go to advanced privilege mode and enter y when prompted to continue: set -priv advanced

    5. Enter the command to display the key management backup information: security key-manager onboard show-backup

    6. Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.

    7. Return to admin mode: set -priv admin

    8. You can safely shut down the controller.