Set up NetApp Volume or Aggregate Encryption on the new controller module
If the replaced controller or high availability (HA) partner of the new controller uses NetApp Volume Encryption (NVE) or NetApp Aggregate Encryption (NAE), you must configure the new controller module for NVE or NAE.
This procedure includes steps that are performed on the new controller module. You must enter the command on the correct node.
Configure NVE or NAE on controllers running ONTAP 9.6 or 9.7
- Verify that the key management servers are still available, their status, and their authentication key information:
  security key-manager key query -node node
- Add the key management servers listed in the previous step to the key management server list in the new controller:
  - Add the key management server:
    security key-manager -add key_management_server_ip_address
  - Repeat the previous step for each listed key management server.
    You can link up to four key management servers.
  - Verify that the key management servers were added successfully:
    security key-manager show
- On the new controller module, run the key management setup wizard to set up and install the key management servers.
  You must install the same key management servers that are installed on the existing controller module.
  - Launch the key management server setup wizard on the new node:
    security key-manager setup -node new_controller_name
  - Complete the steps in the wizard to configure key management servers.
- Restore authentication keys from all linked key management servers to the new node.
  - Restore authentication for external key manager:
    security key-manager external restore
    This command needs the Onboard Key Manager (OKM) passphrase.
    For more information, see the Knowledge Base article "How to restore external key manager server configuration from the ONTAP boot menu".
  - Restore authentication for the OKM:
    security key-manager onboard sync
Configure NVE or NAE on controllers running ONTAP 9.5
- Verify that the key management servers are still available, their status, and their authentication key information:
  security key-manager key show
- Add the key management servers listed in the previous step to the key management server list in the new controller:
  - Add the key management server:
    security key-manager -add key_management_server_ip_address
  - Repeat the previous step for each listed key management server.
    You can link up to four key management servers.
  - Verify that the key management servers were added successfully:
    security key-manager show
- On the new controller module, run the key management setup wizard to set up and install the key management servers.
  You must install the same key management servers that are installed on the existing controller module.
  - Launch the key management server setup wizard on the new node:
    security key-manager setup -node new_controller_name
  - Complete the steps in the wizard to configure key management servers.
- Restore authentication keys from all linked key management servers to the new node.
  - Restore authentication for external key manager:
    security key-manager external restore
    This command needs the Onboard Key Manager (OKM) passphrase.
    For more information, see the Knowledge Base article "How to restore external key manager server configuration from the ONTAP boot menu".
  - Restore authentication for OKM:
    security key-manager setup -node node_name
- Check if any volumes were taken offline because authentication keys were not available or External Key Management servers could not be reached. Bring those volumes back online using the volume online command.
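
Both procedures above require the new controller to carry the same key management servers as the existing controller, with at most four linked. The following is an added example, not NetApp code: a Python pre-check that compares the two address lists an operator has recorded by hand. The function names are hypothetical, the sample addresses are constructed, and it assumes servers are given as plain IP addresses as in the add command above.

```python
import ipaddress

MAX_KEY_SERVERS = 4  # limit stated in the procedure


def normalize(addresses):
    """Parse operator-supplied address strings into a set of IP objects.

    Raises ValueError on anything that is not a literal IPv4/IPv6 address,
    so a typo is caught before it is entered on the controller.
    """
    return {ipaddress.ip_address(a.strip()) for a in addresses if a.strip()}


def compare_key_servers(existing, new):
    """Compare the server list recorded on the existing controller with
    the list recorded on the new controller module; return the problems."""
    want, have = normalize(existing), normalize(new)
    problems = []
    if len(want) > MAX_KEY_SERVERS:
        problems.append(
            f"existing list has {len(want)} servers, limit is {MAX_KEY_SERVERS}"
        )
    # Sort by string form: IPv4 and IPv6 objects cannot be ordered together.
    for addr in sorted(want - have, key=str):
        problems.append(f"missing on new controller: {addr}")
    for addr in sorted(have - want, key=str):
        problems.append(f"not on existing controller: {addr}")
    return problems


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not from the page.
    existing = ["192.0.2.10", "192.0.2.11", "2001:db8::5"]
    new = ["192.0.2.10 ", "2001:0db8:0:0:0:0:0:5", "192.0.2.99"]
    for line in compare_key_servers(existing, new) or ["server lists match"]:
        print(line)
```

An empty result means the two lists name the same servers; differently written forms of one IPv6 address compare as equal.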