security key-manager query
(DEPRECATED)-Displays the key IDs stored in a key management server.
Availability: This command is available to cluster administrators at the admin privilege level.
Description
This command is deprecated and may be removed in a future release. Use security key-manager key query instead.
This command displays the IDs of the keys that are stored on the key management servers. This command does not update the key tables on the node. To refresh the key tables on the nodes with the key management server key tables, run the security key-manager restore command. This command is not supported when onboard key management is enabled.
Parameters
{ [-fields <fieldname>,…]
If you specify the -fields <fieldname>, … parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.
| [-instance ] }
If you specify the -instance parameter, the command displays detailed information about all fields.
[-node {<nodename>|local}]
- Node-
This parameter specifies the name of the node that queries the specified key management servers. If this parameter is not specified, then all nodes will query the specified key management servers.
[-address <IP Address>]
- IP Address-
This parameter specifies the IP address of the key management server that you want to query.
[-key-id <key id>]
- Key ID-
If you specify this parameter, then the command displays only the key IDs that match the specified value.
[-key-tag <text>]
- Key Tag-
If you specify this parameter, then the command displays only the key IDs that match the specified value. The key-tag for Volume Encryption Keys (VEKs) is set to the UUID of the encrypted volume.
[-key-type <Key Usage Type>]
- Key Type-
If you specify this parameter, then the command displays only the key IDs that match the specified value.
[-count <integer>]
- (DEPRECATED)-Key Server's Total Key Count-
The value count is deprecated and may be removed in a future release of Data ONTAP. This parameter specifies the total number of keys stored in the key management servers. If you specify this parameter, then the command displays only the key IDs retrieved from the key management servers whose total key count matches the specified count number.
[-restored {yes|no}]
- Key/Key ID Pair Present in Node's Key Table?-
This parameter specifies whether the key corresponding to the displayed key ID is present in the specified node's internal key table. If you specify 'yes' for this parameter, then the command displays the key IDs of only those keys that are present in the system's internal key table. If you specify 'no' for this parameter, then the command displays the key IDs of only those keys that are not present in the system's internal key table.
[-key-manager-server-status {available|not-responding|unknown}]
- Command Error Code-
This parameter specifies the connectivity status of the key management server. If you specify this parameter, then the command displays only the key IDs retrieved from the key management servers with specified status.
Examples
The following example shows all the keys on all configured key servers, and whether those keys have been restored for all nodes in the cluster:
cluster-1::> security key-manager query

          Node: node1
   Key Manager: 10.0.0.10
 Server Status: available

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001001d71f3b2468d7e16a6e6972d3e6645200000000000000000
301a4e57-9efb-11e7-b2bc-0050569c227f  VEK       yes
    Key ID: 000000000000000002000000000005004d03aca5b72cd20b2f83eae1531c605e0000000000000000

          Node: node2
   Key Manager: 10.0.0.10
 Server Status: available

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001001d71f3b2468d7e16a6e6972d3e6645200000000000000000
301a4e57-9efb-11e7-b2bc-0050569c227f  VEK       no
    Key ID: 000000000000000002000000000005004d03aca5b72cd20b2f83eae1531c605e0000000000000000

If any listed keys have "no" in the "Restored" column, run "security key-manager restore" to restore those keys.
The following example shows all keys stored on the key server with address "10.0.0.10" from node "node1" with key-tag "node1":
cluster-1::> security key-manager query -address 10.0.0.10 -node node1 -key-tag node1

          Node: node1
   Key Manager: 10.0.0.10
 Server Status: available

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001001d71f3b2468d7e16a6e6972d3e6645200000000000000000

If any listed keys have "no" in the "Restored" column, run "security key-manager restore" to restore those keys.
The following example shows the Volume Encryption Key (VEK) with key-tag (i.e., volume UUID) "301a4e57-9efb-11e7-b2bc-0050569c227f" on nodes where that key has not been restored:
cluster-1::*> security key-manager query -key-type VEK -key-tag 301a4e57-9efb-11e7-b2bc-0050569c227f -restored no

          Node: node2
   Key Manager: 10.0.0.10
 Server Status: available

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
301a4e57-9efb-11e7-b2bc-0050569c227f  VEK       no
    Key ID: 000000000000000002000000000005004d03aca5b72cd20b2f83eae1531c605e0000000000000000

If any listed keys have "no" in the "Restored" column, run "security key-manager restore" to restore those keys.
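An added example, not part of the NetApp documentation: a Python parser for captured output in the layout of the examples above, reporting per node the keys whose "Restored" column is "no", that is, the nodes that still need "security key-manager restore". The function names are hypothetical, the sample text is constructed from the first example, and the parser assumes the capture kept the original line breaks.

```python
import re
# Constructed sample in the layout of this page's first example (not live output).
SAMPLE = """\
          Node: node1
   Key Manager: 10.0.0.10
 Server Status: available
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001001d71f3b2468d7e16a6e6972d3e6645200000000000000000
301a4e57-9efb-11e7-b2bc-0050569c227f  VEK       yes
    Key ID: 000000000000000002000000000005004d03aca5b72cd20b2f83eae1531c605e0000000000000000
          Node: node2
   Key Manager: 10.0.0.10
 Server Status: available
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001001d71f3b2468d7e16a6e6972d3e6645200000000000000000
301a4e57-9efb-11e7-b2bc-0050569c227f  VEK       no
    Key ID: 000000000000000002000000000005004d03aca5b72cd20b2f83eae1531c605e0000000000000000
"""

HEADER = re.compile(r"^\s*(Node|Key Manager|Server Status):\s*(\S+)\s*$")
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(yes|no)\s*$")  # key tag, key type, restored
KEY_ID = re.compile(r"^\s*Key ID:\s*([0-9a-fA-F]+)\s*$")

def parse_query_output(text):
    """Return one dict per key row, tagged with the node block it appeared under."""
    ctx, rows = {}, []
    for line in text.splitlines():
        if m := HEADER.match(line):
            ctx[m.group(1)] = m.group(2)
        elif m := ROW.match(line):
            rows.append(dict(node=ctx.get("Node"), server=ctx.get("Key Manager"),
                             tag=m.group(1), type=m.group(2),
                             restored=m.group(3) == "yes", key_id=None))
        elif (m := KEY_ID.match(line)) and rows:
            rows[-1]["key_id"] = m.group(1)  # the Key ID line follows its table row
    return rows

def nodes_needing_restore(rows):
    """Map node -> [(key type, key tag)] for keys missing from that node's key table."""
    pending = {}
    for r in [r for r in rows if not r["restored"]]:
        pending.setdefault(r["node"], []).append((r["type"], r["tag"]))
    return pending

if __name__ == "__main__":
    print(nodes_needing_restore(parse_query_output(SAMPLE)))
```
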