Skip to main content
Install and maintain

Check encryption support for manual boot media recovery - AFF A70 and AFF A90

Contributors netapp-jsnyder dougthomp netapp-lisa netapp-martyh
PDFs

To ensure data security on your AFF A70 or AFF A90 storage system, you need to verify the encryption key support and status on your boot media. Check if your ONTAP version supports NetApp Volume Encryption (NVE), and before you shut down the controller check if the key manager is active.

If your system is running in ONTAP 9.17.1 and later, use the automatic boot recovery procedure.

Step 1: Check NVE support and download the correct ONTAP image

Determine whether your ONTAP version supports NetApp Volume Encryption (NVE) so you can download the correct ONTAP image for the boot media replacement.

Steps

  1. Check if your ONTAP version supports encryption:

    version -v

    If the output includes 1Ono-DARE, NVE is not supported on your cluster version.

  2. Download the appropriate ONTAP image based on NVE support:

    • If NVE is supported: Download the ONTAP image with NetApp Volume Encryption

    • If NVE is not supported: Download the ONTAP image without NetApp Volume Encryption

      Note Download the ONTAP image from the NetApp Support Site to your HTTP or FTP server or a local folder. You will need this image file during the boot media replacement procedure.

Step 2: Verify key manager status and back up configuration

Before shutting down the impaired controller, verify the key manager configuration and back up the necessary information.

Steps

  1. Determine which key manager is enabled on your system:

    ONTAP version Run this command

    ONTAP 9.14.1 or later

    security key-manager keystore show

    • If EKM is enabled, EKM is listed in the command output.

    • If OKM is enabled, OKM is listed in the command output.

    • If no key manager is enabled, No key manager keystores configured is listed in the command output.

    ONTAP 9.13.1 or earlier

    security key-manager show-key-store

    • If EKM is enabled, external is listed in the command output.

    • If OKM is enabled, onboard is listed in the command output.

    • If no key manager is enabled, No key managers configured is listed in the command output.

  2. Depending on whether a key manager is configured on your system, do one of the following:

    If no key manager is configured:

    You can safely shut down the impaired controller and proceed to the shutdown procedure.

    If a key manager is configured (EKM or OKM):

    1. Enter the following query command to display the status of the authentication keys in your key manager:

      security key-manager key query

    2. Review the output and check the value in the Restored column. This column indicates whether the authentication keys for your key manager (either EKM or OKM) have been successfully restored.

  3. Complete the appropriate procedure based on your key manager type:

    External Key Manager (EKM)

    Complete these steps based on the value in the Restored column.

    If all keys show true in the Restored column:

    You can safely shut down the impaired controller and proceed to the shutdown procedure.

    If any keys show a value other than true in the Restored column:

    1. Restore the external key management authentication keys to all nodes in the cluster:

      security key-manager external restore

      If the command fails, contact NetApp Support.

    2. Verify that all authentication keys are restored:

      security key-manager key query

      Confirm that the Restored column displays true for all authentication keys.

    3. If all keys are restored, you can safely shut down the impaired controller and proceed to the shutdown procedure.

    Onboard Key Manager (OKM)

    Complete these steps based on the value in the Restored column.

    If all keys show true in the Restored column:

    1. Back up the OKM information:

      1. Switch to advanced privilege mode:

        set -priv advanced

        Enter y when prompted to continue.

      2. Display the key management backup information:

        security key-manager onboard show-backup

      3. Copy the backup information to a separate file or your log file.

        You will need this backup information if you need to manually recover OKM during the replacement procedure.

      4. Return to admin mode:

        set -priv admin

    2. You can safely shut down the impaired controller and proceed to the shutdown procedure.

    If any keys show a value other than true in the Restored column:

    1. Synchronize the onboard key manager:

      security key-manager onboard sync

      Enter the 32-character alphanumeric onboard key management passphrase when prompted.

      Note This is the cluster-wide passphrase you created when you initially configured the Onboard Key Manager. If you do not have this passphrase, contact NetApp Support.

    2. Verify all authentication keys are restored:

      security key-manager key query

      Confirm that the Restored column displays true for all authentication keys and the Key Manager type shows onboard.

    3. Back up the OKM information:

      1. Switch to advanced privilege mode:

        set -priv advanced

        Enter y when prompted to continue.

      2. Display the key management backup information:

        security key-manager onboard show-backup

      3. Copy the backup information to a separate file or your log file.

        You will need this backup information if you need to manually recover OKM during the replacement procedure.

      4. Return to admin mode:

        set -priv admin

    4. You can safely shut down the impaired controller and proceed to the shutdown procedure.

What's next?

After checking the encryption key support and status on the boot media, you need to shut down the controller.