SANtricity 11.8

Unlock drives when using external key management


If you configured external key management and then later move secure-enabled drives from one storage array to another, you must re-assign the security key to the new storage array to gain access to the encrypted data on the drives.

Before you begin
  • On the source array (the array where you are removing the drives), you have exported volume groups and removed the drives. On the target array, you have re-installed the drives.

    Note The Export/Import function is not supported in the System Manager user interface; you must use the Command Line Interface (CLI) to export/import a volume group to a different storage array.

    Detailed instructions for migrating a volume group are provided in the NetApp Knowledge Base. Be sure to follow the appropriate instructions for newer arrays managed by System Manager or for legacy systems.

  • The Drive Security feature must be enabled. Otherwise, a Cannot Create Security Key dialog box opens during this task. If necessary, contact your storage vendor for instructions on enabling the Drive Security feature.

  • You must know the key management server's IP address and port number.

  • You have a signed client certificate file for the storage array's controllers, and you have copied that file to the host where you are accessing System Manager. A client certificate validates the storage array's controllers, so the key management server can trust their Key Management Interoperability Protocol (KMIP) requests.

  • You must retrieve a certificate file from the key management server, and then copy that file to the host where you are accessing System Manager. A key management server certificate validates the key management server, so the storage array can trust its IP address. You can use a root, intermediate, or server certificate for the key management server.

Note

For more information about the server certificate, consult the documentation for your key management server.
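The prerequisites above amount to three files plus an IP address and port, and the wizard's Test Communication step checks them only once the wizard is running. The following script is an added example, not part of NetApp's documentation or of SANtricity, for checking the same material from the host where you are preparing the files: it opens a mutually authenticated TLS connection to the key management server using the server certificate (root, intermediate or server cert) as the trust anchor and the signed client certificate and key as the client identity, and reports what the server presented or which input is most likely at fault. It runs from your admin host, not from the controllers, so a pass here shows the certificates and key are consistent but does not replace Test Communication from the array. All function names are constructed for this example.

```python
"""Pre-flight check of KMIP trust material before running the wizard.

Added example; not NetApp's documentation or SANtricity code. It uses the
same three inputs the wizard asks for: the key management server certificate
(root, intermediate or server cert), the signed client certificate and the
client private key. Function names are constructed for this example.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone


def build_kmip_context(kms_cert_file: str, client_cert_file: str,
                       client_key_file: str) -> ssl.SSLContext:
    """Trust only the supplied KMS certificate and present the client cert.

    A missing or unreadable file raises here, which is cheaper to discover
    than after the drives are already sitting in the target array.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    # The array identifies the server by IP address, so the certificate chain,
    # not a DNS-name match, is the trust anchor; chain validation stays on.
    ctx.check_hostname = False
    ctx.load_verify_locations(cafile=kms_cert_file)
    ctx.load_cert_chain(certfile=client_cert_file, keyfile=client_key_file)
    return ctx


def explain_failure(exc: BaseException) -> str:
    """Map a probe exception to the wizard input most likely at fault."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return ("server certificate not trusted: check the key management "
                "server certificate file")
    if isinstance(exc, ssl.SSLError):
        return ("TLS handshake failed: check the client certificate and key, "
                "and the server's client-authentication policy")
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "no response: check the IP address, port number and firewall path"
    if isinstance(exc, OSError):
        return f"unreachable: {exc.strerror or exc}"
    return f"unexpected error: {exc!r}"


def days_until_expiry(not_after: str) -> int:
    """Days left on a certificate, from the 'notAfter' string getpeercert returns."""
    expires = ssl.cert_time_to_seconds(not_after)
    return int((expires - datetime.now(timezone.utc).timestamp()) // 86400)


def probe_kms(host: str, port: int, ctx: ssl.SSLContext,
              timeout: float = 5.0) -> dict:
    """Connect, complete the handshake and report what the server presented."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                peer = tls.getpeercert()
                return {
                    "ok": True,
                    "tls_version": tls.version(),
                    "subject": dict(rdn[0] for rdn in peer.get("subject", ())),
                    "issuer": dict(rdn[0] for rdn in peer.get("issuer", ())),
                    "days_until_expiry": days_until_expiry(peer["notAfter"]),
                }
    except Exception as exc:  # every failure is reported, none is swallowed
        return {"ok": False, "reason": explain_failure(exc)}


if __name__ == "__main__":
    if len(sys.argv) != 6:
        print("usage: kmip_preflight.py HOST PORT KMS_CERT CLIENT_CERT CLIENT_KEY")
        sys.exit(2)
    host, port, kms_cert, client_cert, client_key = sys.argv[1:]
    context = build_kmip_context(kms_cert, client_cert, client_key)
    result = probe_kms(host, int(port), context)
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["ok"] else 1)
```

Run it with the same IP address and port you will type into the wizard. A verification error points at the server certificate file; a generic handshake error usually means the client certificate was not signed by a CA the server trusts, or does not match the key; a connection error or timeout means the path to the server is the problem rather than the certificates.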

About this task

When you use external key management, the security key is stored externally on a server designed to safeguard security keys. A security key is a string of characters that is shared by the controller and drives for read/write access. When the drives are physically removed from the array and installed in another, they cannot operate until you provide the correct security key.

Note

You can create either an internal key from the controller's persistent memory or an external key from a key management server. This topic describes unlocking data when external key management is used. If you used internal key management, see Unlock drives when using internal key management. If you are performing a controller upgrade and are swapping all controllers for the latest hardware, you must follow different steps as described in the E-Series and SANtricity documentation center, in Unlock drives.

Once you reinstall secure-enabled drives in another array, that array discovers the drives and displays a "Needs Attention" condition along with a status of "Security Key Needed." To unlock drive data, you import the security key file and enter the pass phrase for the key. (This pass phrase is not the same as the storage array's Administrator password.) As part of this process, you configure the storage array to use the external key management server, supplying the server's connection details so that the array can connect to it and retrieve the security key.

If other secure-enabled drives are installed in the new storage array, they might use a different security key than the one you are importing. During the import process, the old security key is used only to unlock the data for the drives you are installing. When the unlock process is successful, the newly installed drives are re-keyed to the target storage array's security key.

Steps
  1. Select Settings > System.

  2. Under Security key management, select Create External Key.

  3. Complete the wizard with the prerequisite connection information and certificates.

  4. Click Test Communication to ensure access to the external key management server.

  5. Select Unlock Secure Drives.

    The Unlock Secure Drives dialog box opens. Any drives that require a security key are shown in the table.

  6. Optional: hover the mouse over a drive number to see the location of the drive (shelf number and bay number).

  7. Click Browse, and then select the security key file that corresponds to the drive you want to unlock.

    The key file you selected appears in the dialog box.

  8. Enter the pass phrase associated with this key file.

    The characters you enter are masked.

  9. Click Unlock.

    If the unlock operation is successful, the dialog box displays: "The associated secure drives have been unlocked."

Results

If every drive in the storage array was locked and is then unlocked, each controller in the storage array reboots. If the target storage array already contained some unlocked drives, the controllers do not reboot.

After you finish

On the destination array (the array with the newly installed drives), you can now import volume groups.

Note The Export/Import function is not supported in the System Manager user interface; you must use the Command Line Interface (CLI) to export/import a volume group to a different storage array.

Detailed instructions for migrating a volume group are provided in the NetApp Knowledge Base.