Get an IP address of an external key management server for storage encryption


After upgrading, you must immediately configure Storage Encryption and establish a cluster-wide authentication key to replace the previous node-level authentication keys.

Steps
  1. Install the necessary client and server secure sockets layer (SSL) certificates required to communicate with key management servers:

    security certificate install

  2. Configure Storage Encryption on all nodes by using the following command on each node:

    security key-manager setup

  3. Add the IP address for each key management server:

    security key-manager add

  4. Verify that the same key management servers are configured and available on all nodes in the cluster:

    security key-manager show -status

  5. Create a new cluster-wide authentication key:

    security key-manager create-key

  6. Make a note of the new authentication key ID.

  7. Rekey all self-encrypting drives with the new authentication key:

    storage encryption disk modify -disk * -data-key-id <authentication_key_id>

Manage authentication using KMIP servers

With ONTAP 9.5 to 9.7, you can use Key Management Interoperability Protocol (KMIP) servers to manage authentication keys.

Steps
  1. Add a new controller:

    security key-manager setup -node <new_controller_name>

  2. Add the key manager:

    security key-manager add -address <key_management_server_ip_address>

  3. Verify that the key management servers are configured and available to all nodes in the cluster:

    security key-manager show -status

  4. Restore the authentication keys from all linked key management servers to the new node:

    security key-manager restore -node <new_controller_name>

  5. Rekey all self-encrypting disks with the new authentication key (a key created on the external key manager, not the drive's manufacturer default MSID):

    storage encryption disk modify -disk * -data-key-id <authentication_key_id>

  6. If the drives run in Federal Information Processing Standard (FIPS) compliance mode, also rekey them with the new authentication key as the FIPS key:

    storage encryption disk modify -disk * -fips-key-id <authentication_key_id>
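Step 4 of the first procedure and step 3 of the KMIP procedure both depend on reading the `security key-manager show -status` table correctly: a node that is missing one of the key servers, or that reports it as anything other than "available", will not be able to unlock its self-encrypting drives after the next reboot or failover. The following script is an added example, not part of the ONTAP documentation, that checks the table automatically. The four-column layout (Node, Port, Registered Key Manager, Status) and the sample outputs are assumptions constructed for the example; the `check_kmip_status` function name is hypothetical.

```shell
#!/bin/sh
# Added example (not part of the ONTAP documentation): check the output of
#   security key-manager show -status
# before creating or restoring authentication keys. Every node must be
# registered with the same set of key servers, and every server must be
# "available". The four-column layout (Node, Port, Registered Key Manager,
# Status) is an assumption about the table format; adjust the field
# numbers if your release prints it differently.

# Reads the table on stdin; returns 0 when consistent, 1 otherwise, and
# prints the first problem found.
check_kmip_status() {
    awk '
        # Skip the header and the dashed separator; data rows have 4 fields.
        NR <= 2 || NF < 4 { next }
        {
            rows++
            node = $1; server = $3; status = $4
            if (status != "available") {
                printf "node %s: key server %s is %s\n", node, server, status
                bad = 1
            }
            seen[node, server] = 1
            nodes[node] = 1
            servers[server] = 1
        }
        END {
            if (bad) exit 1
            if (!rows) { print "no key servers registered"; exit 1 }
            # Every node must list every server that any node lists.
            for (n in nodes)
                for (s in servers)
                    if (!((n, s) in seen)) {
                        printf "node %s is not registered with key server %s\n", n, s
                        exit 1
                    }
            exit 0
        }
    '
}

# Constructed sample outputs (not captured from a real system).
STATUS_OK='Node            Port      Registered Key Manager  Status
--------------- --------- ----------------------- ---------------
cluster1-01     5696      10.1.2.3                available
cluster1-01     5696      10.1.2.4                available
cluster1-02     5696      10.1.2.3                available
cluster1-02     5696      10.1.2.4                available'

# cluster1-02 was never told about the second key server.
STATUS_MISSING='Node            Port      Registered Key Manager  Status
--------------- --------- ----------------------- ---------------
cluster1-01     5696      10.1.2.3                available
cluster1-01     5696      10.1.2.4                available
cluster1-02     5696      10.1.2.3                available'

# The second key server is unreachable from cluster1-02.
STATUS_DOWN='Node            Port      Registered Key Manager  Status
--------------- --------- ----------------------- ---------------
cluster1-01     5696      10.1.2.3                available
cluster1-01     5696      10.1.2.4                available
cluster1-02     5696      10.1.2.3                available
cluster1-02     5696      10.1.2.4                not-responding'

# Typical use, assuming non-interactive ssh to the cluster management LIF:
#   ssh admin@cluster1 'security key-manager show -status' | check_kmip_status
printf '%s\n' "$STATUS_OK" | check_kmip_status && echo "key servers consistent"
```

Run the check after `security key-manager add` on every node and again after `security key-manager restore`; do not proceed to `create-key` or the disk rekey while it reports a problem, because the rekey would leave drives whose key is held only by a server some node cannot reach.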

Manage storage encryption using Onboard Key Manager

You can use the Onboard Key Manager (OKM) to manage encryption keys. If you plan to use OKM, you must record the passphrase and the backup material before beginning the upgrade; both are required to restore the onboard keys on the new controller.

Steps
  1. Save the passphrase to a secure location.

  2. Create a backup for recovery purposes. Run the following command and save the output in a secure location:

    security key-manager onboard show-backup

    On ONTAP 9.5 and earlier, the equivalent command is security key-manager backup show.

Quiesce the SnapMirror relationships (optional)

Before you proceed with the procedure, you must confirm that all the SnapMirror relationships are quiesced. When a SnapMirror relationship is quiesced, it remains quiesced across reboots and failovers.

Steps
  1. Verify the SnapMirror relationship status on the destination cluster:

    snapmirror show

    Note: If a relationship's status is "Transferring", abort that transfer before quiescing:

    snapmirror abort -destination-vserver <vserver_name>

    The abort fails for any relationship that is not in the "Transferring" state, so run it only for those.

  2. Quiesce all relationships between the clusters:

    snapmirror quiesce -destination-vserver <Vserver name>
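Because `snapmirror abort` fails for any relationship that is not transferring, it is worth deriving the abort and quiesce commands from the `snapmirror show` output rather than typing them by hand. The script below is an added example, not part of the ONTAP documentation: it reads the output of `snapmirror show -fields destination-path,status`, prints a `snapmirror abort` only for relationships in the "Transferring" state and a `snapmirror quiesce` for every relationship that is not already quiesced, each addressed by `-destination-path` (a per-relationship alternative to the `-destination-vserver` form used above). The three-column layout, the trailing "N entries were displayed." line and the sample rows are assumptions constructed for the example; the `snapmirror_plan` function name is hypothetical.

```shell
#!/bin/sh
# Added example (not part of the ONTAP documentation): turn the output of
#   snapmirror show -fields destination-path,status
# into the commands needed before the upgrade. Only relationships whose
# status is "Transferring" get a "snapmirror abort" (the abort fails for
# any other state); every relationship not already quiesced gets a
# "snapmirror quiesce" using its destination path. The commands are
# printed for review, not executed. The three-column layout (source-path,
# destination-path, status) and the trailing "N entries were displayed."
# line are assumptions about the -fields output format.

snapmirror_plan() {
    awk '
        # Skip the header, the separator and the entry count; a data row
        # has a "vserver:volume" destination path in the second field.
        NR <= 2 || NF < 3 || $2 !~ /:/ { next }
        $3 == "Transferring" { printf "snapmirror abort -destination-path %s\n", $2 }
        # Already quiesced relationships stay quiesced across reboots and
        # failovers, so they need no further command.
        $3 != "Quiesced" { dest[++n] = $2 }
        END {
            for (i = 1; i <= n; i++)
                printf "snapmirror quiesce -destination-path %s\n", dest[i]
        }
    '
}

# Constructed sample output (not captured from a real system).
SNAPMIRROR_SAMPLE='source-path destination-path status
----------- ---------------- ------------
svm1:vol1   svm2:vol1_dp     Idle
svm1:vol2   svm2:vol2_dp     Transferring
svm1:vol3   svm2:vol3_dp     Quiesced
3 entries were displayed.'

# Typical use, assuming non-interactive ssh to the destination cluster:
#   ssh admin@cluster2 'snapmirror show -fields destination-path,status' | snapmirror_plan
printf '%s\n' "$SNAPMIRROR_SAMPLE" | snapmirror_plan
```

For the sample above the plan is one abort (svm2:vol2_dp) followed by two quiesce commands (svm2:vol1_dp and svm2:vol2_dp); review the list, run it on the destination cluster, then repeat `snapmirror show` to confirm every relationship reports "Quiesced" before continuing with the upgrade.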