Skip to main content

Restore key-manager configuration on node2

Contributors netapp-pcarriga netapp-aoife netapp-martyh

If you are using NetApp Aggregate Encryption (NAE) or NetApp Volume Encryption (NVE) to encrypt volumes on the system that you are upgrading, the encryption configuration must be synchronized to the new nodes. If you do not resynchronize the key-manager, when you relocate the node2 aggregates from the upgraded node1 to the upgraded node2 by using ARL, failures might occur because node2 does not have the required encryption keys to bring encrypted volumes and aggregates online.

About this task

Synchronize the encryption configuration to the new nodes by performing the following steps:

Steps
  1. Run the following command from node2:

    security key-manager onboard sync

  2. Verify that the SVM-KEK key is restored to "true" on node2 before you relocate the data aggregates:

    ::> security key-manager key query -node node2 -fields restored -key-type SVM-KEK
    Example
    ::> security key-manager key query -node node2 -fields restored -key-type SVM-KEK
    
    node     vserver   key-server   key-id                                  restored
    -------- --------- -----------  --------------------------------------- --------
    node2    svm1      ""           00000000000000000200000000000a008a81976 true
                                    2190178f9350e071fbb90f00000000000000000