Check encryption key support and status - AFF A300
To ensure data security on your storage system, you need to verify the encryption key support and status on your boot media. Check if your ONTAP version supports NetApp Volume Encryption (NVE), and before you shut down the controller check if the key manager is active.
Step 1: Check if your version of ONTAP supports NetApp Volume Encryption
Check whether your ONTAP version supports NetApp Volume Encryption (NVE). This information is crucial for downloading the correct ONTAP image.
- Determine if your ONTAP version supports encryption by running the following command:
  version -v
  If the output includes 1Ono-DARE, NVE is not supported on your cluster version.
- Depending on whether NVE is supported on your system, take one of the following actions:
  - If NVE is supported, download the ONTAP image with NetApp Volume Encryption.
  - If NVE is not supported, download the ONTAP image without NetApp Volume Encryption.
Step 2: Determine if it is safe to shut down the controller
To safely shut down a controller, first identify whether the External Key Manager (EKM) or the Onboard Key Manager (OKM) is active. Then, verify the key manager in use, display the appropriate key information, and take action based on the status of the authentication keys.
- Determine which key manager is enabled on your system. The command depends on your ONTAP version:
  ONTAP 9.14.1 or later, run:
  security key-manager keystore show
  - If EKM is enabled, EKM is listed in the command output.
  - If OKM is enabled, OKM is listed in the command output.
  - If no key manager is enabled, No key manager keystores configured is listed in the command output.
  ONTAP 9.13.1 or earlier, run:
  security key-manager show-key-store
  - If EKM is enabled, external is listed in the command output.
  - If OKM is enabled, onboard is listed in the command output.
  - If no key manager is enabled, No key managers configured is listed in the command output.
- Depending on whether a key manager is configured on your system, select one of the following options.
  No key manager configured: You can safely shut down the impaired controller. Go to shutdown the impaired controller.
  Key manager configured: Depending on whether your system is using the External Key Manager or Onboard Key Manager, select one of the following options.
  External Key Manager: Depending on the output value displayed in the Restored column, follow the appropriate steps.
    Output value in Restored column: true
      You can safely shut down the impaired controller. Go to shutdown the impaired controller.
    Output value in Restored column: anything other than true
      - Restore the external key management authentication keys to all nodes in the cluster using the following command:
        security key-manager external restore
        If the command fails, contact NetApp Support.
      - Verify that the Restored column displays true for all authentication keys by entering the
        security key-manager key query
        command. If all the authentication keys are true, you can safely shut down the impaired controller. Go to shutdown the impaired controller.
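As an added example (not part of the NetApp documentation), the POSIX shell script below applies the two checks from Step 1 and Step 2 to command output you have already captured from the ONTAP CLI, for instance over ssh: it looks for 1Ono-DARE in the version -v output and parses the Restored column of security key-manager key query so that any key not showing true is reported. The sample outputs and the column layout of the key query table are constructed assumptions; compare them with the real output on your cluster before relying on the parser.

```shell
#!/bin/sh
# Added example (not NetApp code): checks ONTAP CLI output captured elsewhere.

# Constructed sample of 'version -v' output; the release string is made up.
VERSION_OUT='NetApp Release 9.13.1: Thu Jun 22 12:00:00 UTC 2023 <1Ono-DARE>'

# Constructed sample of 'security key-manager key query' output. The column
# layout (Key Tag, Key Type, Restored) is an assumption; verify it against
# the real output on your cluster.
KEY_QUERY_OUT='       Vserver: cluster1
   Key Manager: external
          Node: node1

Key Tag                                  Key Type  Restored
---------------------------------------- --------  --------
node1                                    NSE-AK    true
node2                                    NSE-AK    false
2 entries were displayed.'

# Step 1 check: returns 0 when NVE is supported, 1 when the output carries
# 1Ono-DARE (download the ONTAP image without NetApp Volume Encryption).
nve_supported() {
  case "$1" in
    *1Ono-DARE*) return 1 ;;
    *)           return 0 ;;
  esac
}

# Step 2 check: prints one key tag per line whose Restored column is anything
# other than true. Only rows after the dashed separator are parsed, and the
# trailing "N entries were displayed." summary line ends the table.
keys_not_restored() {
  printf '%s\n' "$1" | awk '
    /^-+ /                   { in_table = 1; next }
    /entries were displayed/ { in_table = 0; next }
    in_table && NF >= 3 && $NF != "true" { print $1 }'
}

# Returns 0 only when every authentication key shows Restored = true, which
# is the condition the page gives for safely shutting down the controller.
all_keys_restored() {
  [ -z "$(keys_not_restored "$1")" ]
}

if nve_supported "$VERSION_OUT"; then echo "NVE supported"; else echo "NVE not supported"; fi
if all_keys_restored "$KEY_QUERY_OUT"; then echo "all keys restored: safe to shut down"
else echo "keys not restored:"; keys_not_restored "$KEY_QUERY_OUT"; fi
```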