
Migrate ONTAP data encryption keys between key managers on your ASA r2 system

Contributors netapp-aherbin

You can manage your data encryption keys with the ONTAP onboard key manager on your ASA r2 system, with an external key manager, or with both. At the storage VM (SVM) level, only an external key manager can be enabled. At the ONTAP cluster level, you can enable either the onboard key manager or an external key manager.

If you enable your key manager at the…    You can use…
Cluster level only                        Either the onboard key manager or an external key manager
SVM level only                            An external key manager only
Both the cluster and SVM level            One of the following key manager combinations:
                                            • Option 1: onboard key manager at the cluster level, external key manager at the SVM level
                                            • Option 2: external key manager at the cluster level, external key manager at the SVM level

Migrate keys between key managers at the ONTAP cluster level

Beginning with ONTAP 9.16.1, you can use the ONTAP command line interface (CLI) to migrate keys between key managers at the cluster level. For a cluster-level key manager, <svm_name> is the name of the admin storage VM, which is the cluster name.

Steps
  1. Set the privilege level to advanced:

    set -privilege advanced
  2. Create an inactive external key manager configuration:

    security key-manager external create-config
  3. Switch to the external key manager:

    security key-manager keystore enable -vserver <svm_name> -type KMIP
  4. Confirm that the external key manager now holds every key before you remove the onboard configuration; once the onboard configuration is deleted, its passphrase no longer protects the keys:

    security key-manager key query -vserver <svm_name>
  5. Delete the onboard key manager configuration:

    security key-manager keystore delete-config -vserver <svm_name> -type OKM
  6. Set the privilege level to admin:

    set -privilege admin

Migrate keys between key managers across ONTAP cluster and storage VM levels

You can use the ONTAP command line interface (CLI) to migrate keys between the key manager at the cluster level and a key manager at the storage VM level. The source and destination are given as storage VM names; the cluster-level key manager is identified by the admin storage VM (the cluster name). Both storage VMs must already have a key manager enabled: the command moves the keys, it does not create a key manager configuration.

Steps
  1. Set the privilege level to advanced:

    set -privilege advanced
  2. Migrate the keys:

    security key-manager key migrate -from-vserver <source_svm_name> -to-vserver <destination_svm_name>
  3. Set the privilege level to admin:

    set -privilege admin
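Both procedures above are sequences of ONTAP CLI commands with one destructive step (deleting the onboard configuration) whose safety depends on the keys already being held by the external key manager. The following bash script is an added example, not code from the ONTAP documentation or from NetApp: it runs the cluster-level migration and the cross-level migration over SSH and refuses to delete the onboard configuration until every key is reported as restored under the external key manager. It assumes a cluster reachable by key-based SSH as an admin user (the CLUSTER_SSH address is made up), that ONTAP accepts several `;`-separated commands in one SSH session so the privilege change applies to the command on the same line, and a constructed approximation of the `security key-manager key query` output (sections introduced by `Key Manager:` with a trailing `Restored` column of true/false per key row). The function names, `RUN_MIGRATION`, `KMIP_NAME` and `KMIP_CREATE_ARGS` are all inventions of this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the ONTAP documentation: run the two migration
# procedures over SSH, and gate the destructive step (deleting the onboard key
# manager configuration) on every key being reported as restored under the
# external key manager.
#
# Assumptions that the page does not make:
#   * the cluster accepts key-based SSH for an admin user (CLUSTER_SSH);
#   * ONTAP runs several ';'-separated commands in one SSH session, so the
#     privilege change on the same line applies to the command after it;
#   * `security key-manager key query` output is made of sections introduced by
#     "Key Manager:" whose key rows end in a Restored column of true/false
#     (a constructed approximation used only by the check below).
set -eu

CLUSTER_SSH="${CLUSTER_SSH:-ssh admin@cluster1.example.com}"  # assumed address
ADMIN_SVM="${ADMIN_SVM:-cluster1}"   # cluster-level key managers belong to the admin SVM

# Send one ONTAP CLI line to the cluster. Redefine this to stub the cluster.
ontap() {
    $CLUSTER_SSH "$*"
}

# Run a command at advanced privilege without a separate interactive 'set'.
adv() {
    ontap "set -privilege advanced -confirmations off; $*"
}

# Read key query output on stdin; print how many key rows in the sections of
# the named key manager have a Restored value other than "true". Rows in other
# sections (for example the onboard key manager's) are ignored.
unrestored_key_count() {
    awk -v wanted="$1" '
        /^[[:space:]]*Key Manager:/ {
            km = $0
            sub(/^[[:space:]]*Key Manager:[[:space:]]*/, "", km)
            sub(/[[:space:]]+$/, "", km)
            in_wanted = (km == wanted)
            next
        }
        in_wanted && ($NF == "true" || $NF == "false") && $NF != "true" { bad++ }
        END { print bad + 0 }
    '
}

# Succeed only if the named key manager holds every key of the given SVM.
verify_keys_restored() {
    local vserver="$1" key_manager="$2" bad
    bad=$(ontap "security key-manager key query -vserver $vserver" \
            | unrestored_key_count "$key_manager")
    [ "$bad" -eq 0 ]
}

# Cluster-level migration (steps 2-4 of the first procedure). Arguments after
# the key manager name are appended to create-config (servers, certificates,
# whatever your deployment requires; the page does not list them).
migrate_cluster_okm_to_kmip() {
    local key_manager="$1"; shift
    local extra="${*:-}"
    adv "security key-manager external create-config${extra:+ $extra}"
    adv "security key-manager keystore enable -vserver $ADMIN_SVM -type KMIP"
    if ! verify_keys_restored "$ADMIN_SVM" "$key_manager"; then
        echo "not all keys restored under $key_manager; onboard config kept" >&2
        return 1
    fi
    adv "security key-manager keystore delete-config -vserver $ADMIN_SVM -type OKM"
}

# Cross-level migration (second procedure), followed by the same check on the
# destination SVM's key manager.
migrate_keys_between_svms() {
    local from="$1" to="$2" key_manager="$3"
    adv "security key-manager key migrate -from-vserver $from -to-vserver $to"
    verify_keys_restored "$to" "$key_manager"
}

# Only act on a real cluster when explicitly asked, e.g.
#   RUN_MIGRATION=1 KMIP_NAME=kmip1.example.com:5696 ./migrate.sh
if [ "${RUN_MIGRATION:-0}" = "1" ]; then
    # shellcheck disable=SC2086
    migrate_cluster_okm_to_kmip "${KMIP_NAME:?set KMIP_NAME}" ${KMIP_CREATE_ARGS:-}
fi
```

The `ontap` function is the only place the script talks to the cluster, so it can be redefined to replay captured output when rehearsing the procedure; the key manager name passed to the functions must match the `Key Manager:` value shown by `security key-manager key query` on your cluster.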