Skip to main content

Manage storage encryption using the Onboard Key Manager

Contributors netapp-pcarriga
PDFs

You can use the Onboard Key Manager (OKM) to manage encryption keys. If you have the OKM set up, you must record the passphrase and backup material before beginning the upgrade.

Steps

  1. Record the cluster-wide passphrase.

    This is the passphrase that was entered when the OKM was configured or updated using the CLI or REST API.

  2. Verify the passphrase and the key-manager operation:

    security key-manager onboard sync

    When prompted, enter the cluster-wide OKM passphrase that you recorded in the previous step.

  3. Verify that cc-mode is enabled by reviewing the output of the following command:

    security key-manager config show

  4. Back up the key-manager information:

    security key-manager onboard show-backup

Quiesce the SnapMirror relationships (optional)

Before continuing with the procedure, you must confirm that all the SnapMirror relationships are quiesced. When a SnapMirror relationship is quiesced, it remains quiesced across reboots and failovers.

Steps

  1. Verify the SnapMirror relationship status on the destination cluster:

    snapmirror show

    Note

    If the status is "Transferring", you must abort those transfers:
    snapmirror abort -destination-vserver vserver_name

    The abort fails if the SnapMirror relationship is not in the "Transferring" state.

  2. Quiesce all relationships between the cluster:

    snapmirror quiesce -destination-vserver *