Set up NetApp Volume Encryption on the new controller module

Contributors netapp-pcarriga netapp-aoife

If the replaced controller or the HA partner of the new controller uses NetApp Volume Encryption, you must configure the new controller module for NetApp Volume Encryption.

About this task

This procedure includes steps that are performed on the new controller module. You must enter the command on the correct node.

  1. Verify that the key management servers are still available, their status, and their authentication key information:

    For this ONTAP version… Use this command…​

    ONTAP 9.6 or 9.7

    security key-manager key query -node node

    ONTAP 9.5

    security key-manager key show

  2. Add the key management servers listed in the previous step to the key management server list in the new controller:

    1. Add the key management server:

      security key-manager -add key_management_server_ip_address

    2. Repeat the previous step for each listed key management server.

      You can link up to four key management servers.

    3. Verify the that the key management servers were added successfully:

      security key-manager show

  3. On the new controller module, run the key management setup wizard to set up and install the key management servers.

    You must install the same key management servers that are installed on the existing controller module.

    1. Launch the key management server setup wizard on the new node:

      security key-manager setup -node new_controller_name

    2. Complete the steps in the wizard to configure key management servers.

  4. Restore authentication keys from all linked key management servers to the new node.

    • Restore authentication for external key manager:

      security key-manager external restore

      This command needs the Onboard Key Manager (OKM) passphrase.

    • Restore authentication for OKM:

      For this ONTAP version… Use this command…​

      ONTAP 9.6 or 9.7

      security key-manager onboard sync

      ONTAP 9.5

      security key-manager setup -node node_name

After you finish

Check if any volumes were taken offline because authentication keys were not available or External Key Management servers could not be reached. Bring those volumes back online using the volume online command.