Get an IP address of an external key management server for storage encryption

Contributors netapp-aoife netapp-pcarriga

After upgrading, you must immediately configure Storage Encryption and establish a cluster-wide authentication key to replace the previous node-level authentication keys.

Steps
  1. Install the necessary client and server secure sockets layer (SSL) certificates required to communicate with key management servers:

    security certificate install

  2. Configure Storage Encryption on all nodes by using the following command on each node:

    security key-manager external enable

  3. Add the IP address for each key management server:

    security key-manager external add-servers -key-servers key_management_server_ip_address

  4. Verify that the same key management servers are configured and available on all nodes in the cluster:

    security key-manager external show-status

  5. Create a new cluster-wide authentication key:

    security key-manager key create

  6. Make a note of the new authentication key ID.

  7. Rekey all self-encrypting drives with the new authentication key:

    storage encryption disk modify -disk * -data-key-id authentication_key_id

Manage authentication using KMIP servers

With ONTAP 9.8 or later, you can use Key Management Interoperability Protocol (KMIP) servers to manage authentication keys.

Steps
  1. Enable external key management on the new controller:

    security key-manager external enable

  2. Add the key manager:

    security key-manager external add-servers -key-servers key_management_server_ip_address

  3. Verify that the key management servers are configured and available to all nodes in the cluster:

    security key-manager external show-status

  4. Restore the authentication keys from all linked key management servers to the new node:

    security key-manager external restore -node new_controller_name

  5. Rekey all self-encrypting disks with the new (non-MSID) authentication key, where the MSID is the drive manufacturer's default key:

    storage encryption disk modify -disk * [-data-key-id non_MSID_authentication_key_id]

  6. If you use the Federal Information Processing Standard (FIPS), also rekey all self-encrypting disks with the new FIPS authentication key:

    storage encryption disk modify -disk * [-fips-key-id non_MSID_authentication_key_id]

Manage storage encryption using Onboard Key Manager

You can use the Onboard Key Manager (OKM) to manage encryption keys. If you plan to use OKM, you must record the passphrase and the backup material before beginning the upgrade; without them the keys cannot be restored on the new controllers.

Steps
  1. Save the passphrase to a secure location.

  2. Create a backup for recovery purposes. Run the following command and save the output:

    security key-manager onboard show-backup

Quiesce the SnapMirror relationships (optional)

Before continuing with the procedure, you must confirm that all the SnapMirror relationships are quiesced. When a SnapMirror relationship is quiesced, it remains quiesced across reboots and failovers.

Steps
  1. Verify the SnapMirror relationship status on the destination cluster:

    snapmirror show

    Note

    If the status is "Transferring", you must abort those transfers:

    snapmirror abort -destination-vserver vserver_name

    The abort fails if the SnapMirror relationship is not in the "Transferring" state.

  2. Quiesce all relationships between the two clusters:

    snapmirror quiesce -destination-vserver vserver_name
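The two verification steps above (step 4 of the external key manager procedure, "the same key management servers are configured and available on all nodes", and the SnapMirror abort/quiesce pre-check) are easy to get wrong by eye on a multi-node cluster. The following added example, which is not NetApp code, parses the whitespace-aligned table that ONTAP CLI commands print when run with `-fields` (a header row of field names, a row of dashes, one row per entry, then "N entries were displayed.") and applies both checks. The sample outputs are constructed; the field names `node,vserver,key-server,status` for `show-status` and `source-path,destination-path,state,status` for `snapmirror show` are assumptions to confirm against your ONTAP release. It emits per-relationship `-destination-path` commands, which are also valid ONTAP syntax, rather than the page's `-destination-vserver` form that acts on every relationship of the SVM, so that an abort is only issued where a transfer is actually running.

```python
"""Post-checks for the ONTAP key-manager and SnapMirror steps (added example)."""
import re
from collections import defaultdict

# Constructed sample output (field names assumed) for:
#   security key-manager external show-status -fields node,vserver,key-server,status
KEY_MANAGER_STATUS = """\
node   vserver  key-server      status
------ -------- --------------- --------------
node1  cluster1 10.0.0.10:5696  available
node1  cluster1 10.0.0.11:5696  available
node2  cluster1 10.0.0.10:5696  available
node2  cluster1 10.0.0.11:5696  not-responding
node3  cluster1 10.0.0.10:5696  available
5 entries were displayed.
"""

# Constructed sample output for:
#   snapmirror show -fields source-path,destination-path,state,status
SNAPMIRROR_STATUS = """\
source-path destination-path state        status
----------- ---------------- ------------ ------------
svm_a:vol1  svm_dst:vol1_dp  Snapmirrored Idle
svm_a:vol2  svm_dst:vol2_dp  Snapmirrored Transferring
svm_b:vol3  svm_dst2:vol3_dp Snapmirrored Quiesced
3 entries were displayed.
"""

END_OF_TABLE = re.compile(
    r"^(\d+ entr(y was|ies were) displayed\.|This table is currently empty\.)$")


def parse_fields_table(text):
    """Return one dict per row of an ONTAP '-fields' style table."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        if set(line.strip()) <= {"-", " "}:
            continue  # the dashes separator under the header
        if END_OF_TABLE.match(line.strip()):
            break  # trailer line, no more rows
        values = line.split()
        if len(values) != len(header):
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(dict(zip(header, values)))
    return rows


def check_key_servers(rows):
    """Every key server must be configured on every node and be 'available'.
    Returns a list of problems; an empty list means the check passed."""
    per_node = defaultdict(dict)
    for r in rows:
        per_node[r["node"]][r["key-server"]] = r["status"]
    all_servers = set().union(*(s.keys() for s in per_node.values()))
    problems = []
    for node in sorted(per_node):
        for server in sorted(all_servers):
            status = per_node[node].get(server)
            if status is None:
                problems.append(f"{node}: key server {server} is not configured")
            elif status != "available":
                problems.append(f"{node}: key server {server} is {status}")
    return problems


def snapmirror_commands(rows):
    """Build the abort and quiesce commands for the SnapMirror pre-check.
    Aborts are only generated for relationships that are Transferring (an
    abort in any other state fails); quiesce is skipped where the
    relationship is already Quiesced, since that state persists anyway."""
    aborts, quiesces = [], []
    for r in rows:
        dst = r["destination-path"]
        if r["status"] == "Transferring":
            aborts.append(f"snapmirror abort -destination-path {dst}")
        if r["status"] != "Quiesced":
            quiesces.append(f"snapmirror quiesce -destination-path {dst}")
    return sorted(set(aborts)), sorted(set(quiesces))


if __name__ == "__main__":
    for p in check_key_servers(parse_fields_table(KEY_MANAGER_STATUS)):
        print("KEY MANAGER:", p)
    aborts, quiesces = snapmirror_commands(parse_fields_table(SNAPMIRROR_STATUS))
    print("\n".join(aborts + quiesces))
```

Feed the functions the real command output captured over SSH; proceed to `security key-manager key create` only when `check_key_servers` returns an empty list, and run the abort commands before the quiesce commands.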