Skip to main content
Install and maintain

Encryption restore - AFF A70, AFF A90

Contributors dougthomp
PDFs

You must complete steps specific to systems that have Onboard Key Manager (OKM), NetApp Storage Encryption (NSE) or NetApp Volume Encryption (NVE) enabled using settings you captured at the beginning of this procedure.

Note If NSE or NVE are enabled along with Onboard or external Key Manager you must restore settings you captured at the beginning of this procedure.
Steps

  1. Connect the console cable to the target controller.

Option 1: Systems with onboard key manager server configuration

Restore the onboard key manager configuration from the ONATP boot menu.

Before you begin

You need the following information while restoring the OKM configuration:

Steps

  1. From the ONTAP boot menu select option 10:

    Please choose one of the following:

(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? _10_

  2. Confirm the continuation of the process. This option must be used only in disaster recovery procedures. Are you sure? (y or n): y

  3. Enter the cluster-wide passphrase twice.

    Note While entering the passphrase the console will not show any input.

    Enter the passphrase for onboard key management:

    Enter the passphrase again to confirm:

  4. Enter the backup information. Paste the entire content from the BEGIN BACKUP line through the END BACKUP line.

    Press the enter key twice at the end of the input.

    Enter the backup data:

--------------------------BEGIN BACKUP--------------------------
0123456789012345678901234567890123456789012345678901234567890123
1234567890123456789012345678901234567890123456789012345678901234
2345678901234567890123456789012345678901234567890123456789012345
3456789012345678901234567890123456789012345678901234567890123456
4567890123456789012345678901234567890123456789012345678901234567
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0123456789012345678901234567890123456789012345678901234567890123
1234567890123456789012345678901234567890123456789012345678901234
2345678901234567890123456789012345678901234567890123456789012345
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

---------------------------END BACKUP---------------------------

  5. The recovery process will be completed.

    Trying to recover keymanager secrets....
Setting recovery material for the onboard key manager
Recovery secrets set successfully
Trying to delete any existing km_onboard.wkeydb file.

Successfully recovered keymanager secrets.

***********************************************************************************
* Select option "(1) Normal Boot." to complete recovery process.
*
* Run the "security key-manager onboard sync" command to synchronize the key database after the node reboots.
***********************************************************************************
    Warning Do not proceed if the displayed output is anything other than Successfully recovered keymanager secrets. Perform troubleshooting to correct the error.

  6. Select option 1 from the boot menu to continue booting into ONTAP.

    ***********************************************************************************
* Select option "(1) Normal Boot." to complete the recovery process.
*
***********************************************************************************


(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 1

  7. Confirm that the controller's console displays Waiting for giveback…​(Press Ctrl-C to abort wait)

  8. From the partner node, giveback the partner controller: storage failover giveback -fromnode local -only-cfo-aggregates true

  9. Once booted only with CFO aggregate run the security key-manager onboard sync​​​​​​​ command:

  10. Enter the cluster-wide passphrase for the Onboard Key Manager:

    Enter the cluster-wide passphrase for the Onboard Key Manager:

All offline encrypted volumes will be brought online and the corresponding volume encryption keys (VEKs) will be restored automatically within 10 minutes. If any offline encrypted volumes are not brought online automatically, they can be brought online manually using the "volume online -vserver <vserver> -volume <volume_name>" command.

  11. Ensure that all keys are synced: security key-manager key query -restored false

    There are no entries matching your query.

    Note No results should appear when filtering for false in the restored parameter.

  12. Giveback of the node from the partner: storage failover giveback -fromnode local

Option 2: Systems with external key manager server configuration

Restore the external key manager configuration from the ONATP boot menu.

Before you begin

You need the following information for restoring the external key manager (EKM) configuration:

  • You need a copy of the /cfcard/kmip/servers.cfg file from another cluster node, or, the following information:

  • The KMIP server address.

  • The KMIP port.

  • A copy of the /cfcard/kmip/certs/client.crt file from another cluster node, or, the client certificate.

  • A copy of the /cfcard/kmip/certs/client.key file from another cluster node, or, the client key.

  • A copy of the /cfcard/kmip/certs/CA.pem file from another cluster node, or, the KMIP server CA(s).

Steps

  1. Select Option 11 from the ONTAP boot menu.

    (1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 11

  2. When prompted confirm you have gathered the required information:

    1. Do you have a copy of the /cfcard/kmip/certs/client.crt file? {y/n} y

    2. Do you have a copy of the /cfcard/kmip/certs/client.key file? {y/n} y

    3. Do you have a copy of the /cfcard/kmip/certs/CA.pem file? {y/n} y

    4. Do you have a copy of the /cfcard/kmip/servers.cfg file? {y/n} y

      You may also these prompts instead:

    5. Do you have a copy of the /cfcard/kmip/servers.cfg file? {y/n} n

      1. Do you know the KMIP server address? {y/n} y

      2. Do you know the KMIP Port? {y/n} y

  3. Supply the information for each of these prompts:

    1. Enter the client certificate (client.crt) file contents:

    2. Enter the client key (client.key) file contents:

    3. Enter the KMIP server CA(s) (CA.pem) file contents:

    4. Enter the server configuration (servers.cfg) file contents:

      Example

Enter the client certificate (client.crt) file contents:
-----BEGIN CERTIFICATE-----
MIIDvjCCAqagAwIBAgICN3gwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQwwCgYDVQQHEwNTVkwxDzANBgNVBAoTBk5l
MSUbQusvzAFs8G3P54GG32iIRvaCFnj2gQpCxciLJ0qB2foiBGx5XVQ/Mtk+rlap
Pk4ECW/wqSOUXDYtJs1+RB+w0+SHx8mzxpbz3mXF/X/1PC3YOzVNCq5eieek62si
Fp8=
-----END CERTIFICATE-----

Enter the client key (client.key) file contents:
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAoU1eajEG6QC2h2Zih0jEaGVtQUexNeoCFwKPoMSePmjDNtrU
MSB1SlX3VgCuElHk57XPdq6xSbYlbkIb4bAgLztHEmUDOkGmXYAkblQ=
-----END RSA PRIVATE KEY-----

Enter the KMIP server CA(s) (CA.pem) file contents:
-----BEGIN CERTIFICATE-----
MIIEizCCA3OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
7yaumMQETNrpMfP+nQMd34y4AmseWYGM6qG0z37BRnYU0Wf2qDL61cQ3/jkm7Y94
EQBKG1NY8dVyjphmYZv+
-----END CERTIFICATE-----

Enter the IP address for the KMIP server: 10.10.10.10
Enter the port for the KMIP server [5696]:

System is ready to utilize external key manager(s).
Trying to recover keys from key servers....
kmip_init: configuring ports
Running command '/sbin/ifconfig e0M'
..
..
kmip_init: cmd: ReleaseExtraBSDPort e0M
​​​​​​

  4. The recovery process will complete:

    System is ready to utilize external key manager(s).
Trying to recover keys from key servers....
[Aug 29 21:06:28]: 0x808806100: 0: DEBUG: kmip2::main: [initOpenssl]:460: Performing initialization of OpenSSL
Successfully recovered keymanager secrets.

  5. Select option 1 from the boot menu to continue booting into ONTAP.

    ***********************************************************************************
* Select option "(1) Normal Boot." to complete the recovery process.
*
***********************************************************************************


(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 1

Complete the boot media replacement

Complete the boot media replacement process after the normal boot by gcompleting final checks and giving back storage.

  1. Check the console output:

    If the console displays…​ Then…​

    The login prompt

    Go to Step 6.

    Waiting for giveback…​

    1. Log into the partner controller.

    2. Confirm the target controller is ready for giveback with the storage failover show command.

  2. Move the console cable to the partner controller and give back the target controller storage using the storage failover giveback -fromnode local -only-cfo-aggregates true command.

    • If the command fails because of a failed disk, physically disengage the failed disk, but leave the disk in the slot until a replacement is received.

    • If the command fails because the partner is "not ready", wait 5 minutes for the HA subsystem to synchronize between the partners.

    • If the command fails because of an NDMP, SnapMirror, or SnapVault process, disable the process. See the appropriate Documentation Center for more information.

  3. Wait 3 minutes and check the failover status with the storage failover show command.

  4. At the clustershell prompt, enter the network interface show -is-home false command to list the logical interfaces that are not on their home controller and port.

    If any interfaces are listed as false, revert those interfaces back to their home port using the net int revert -vserver Cluster -lif _nodename command.

  5. Move the console cable to the target controller and run the version -v command to check the ONTAP versions.

  6. Use the storage encryption disk show to review the output.

  7. Use the security key-manager key query command to display the key IDs of the authentication keys that are stored on the key management servers.

    • If the Restored column = yes/true, you are done and can proceed to complete the replacement process.

    • If the Key Manager type = external and the Restored column = anything other than yes/true, use the security key-manager external restore command to restore the key IDs of the authentication keys.

      Note If the command fails, contact Customer Support.

    • If the Key Manager type = onboard and the Restored column = anything other than yes/true, use the security key-manager onboard sync command to synchronize the missing onboard keys on the repaired node.

      Use the security key-manager key query command to verify that the Restored column = yes/true for all authentication keys.

  8. Connect the console cable to the partner controller.

  9. Give back the controller using the storage failover giveback -fromnode local command.

  10. Restore automatic giveback if you disabled it by using the storage failover modify -node local -auto-giveback true command.

  11. If AutoSupport is enabled, restore/unsuppress automatic case creation by using the system node autosupport invoke -node * -type all -message MAINT=END command.