Release notes
Check encryption key support and status - ASA C400
Suggest changes
-
PDF of this doc site
Collection of separate PDF docs
Creating your file...
To ensure data security on your storage system, you need to verify the encryption key support and status on your boot media. Check if your ONTAP version supports NetApp Volume Encryption (NVE), and before you shut down the controller check if the key manager is active.
Step 1: Check if your version of ONTAP supports NetApp Volume Encryption
Check whether your ONTAP version supports NetApp Volume Encryption (NVE). This information is crucial for downloading the correct ONTAP image.
-
Determine if your ONTAP version supports encryption by running the following command:
version -vIf the output includes
1Ono-DARE, NVE is not supported on your cluster version. -
Depending on whether NVE is supported on your system, take one of the following actions:
-
If NVE is supported, download the ONTAP image with NetApp Volume Encryption.
-
If NVE is not supported, download the ONTAP image without NetApp Volume Encryption.
-
Step 2: Determine if it is safe to shut down the controller
To safely shut down a controller, first identify whether the External Key Manager (EKM) or the Onboard Key Manager (OKM) is active. Then, verify the key manager in use, display the appropriate key information, and take action based on the status of the authentication keys.
-
Determine which key manager is enabled on your system:
ONTAP version Run this command ONTAP 9.14.1 or later
security key-manager keystore show-
If EKM is enabled,
EKMis listed in the command output. -
If OKM is enabled,
OKMis listed in the command output. -
If no key manager is enabled,
No key manager keystores configuredis listed in the command output.
ONTAP 9.13.1 or earlier
security key-manager show-key-store-
If EKM is enabled,
externalis listed in the command output. -
If OKM is enabled,
onboardis listed in the command output. -
If no key manager is enabled,
No key managers configuredis listed in the command output.
-
-
Depending on whether a key manger is configured on your system, select one of the following options.
No key manager configuredExternal or Onboard key manager configuredNo key manager configuredNo key manager configuredExternal or Onboard key manager configuredYou can safely shut down the impaired controller. Go to shutdown the impaired controller.
-
Enter the following query command to display the status of the authentication keys in your key manager.
security key-manager key query -
Check the output for the value in the
Restoredcolumn for your key manager.This column indicates whether the authentication keys for your key manager (either EKM or OKM) have been successfully restored.
-
-
Depending on whether your system is using the External Key Manager or Onboard Key Manager, select one of the following options.
External Key ManagerOnboard Key ManagerExternal Key ManagerExternal Key ManagerOnboard Key ManagerDepending on the output value displayed in the
Restoredcolumn, follow the appropriate steps.Output value in RestoredcolumnFollow these steps… trueYou can safely shut down the impaired controller. Go to shutdown the impaired controller.
Anything other than
true-
Restore the external key management authentication keys to all nodes in the cluster using the following command:
security key-manager external restoreIf the command fails, contact NetApp Support.
-
Verify that the
Restoredcolumn displaystruefor all authentication keys by entering thesecurity key-manager key querycommand.If all the authentication keys are
true, you can safely shut down the impaired controller. Go to shutdown the impaired controller.
Depending on the output value displayed in the
Restoredcolumn, follow the appropriate steps.Output value in RestoredcolumnFollow these steps… trueManually back up the OKM information.
-
Go to the advanced mode by entering
set -priv advancedand then enterYwhen prompted. -
Enter the following command to display the key management information:
security key-manager onboard show-backup -
Copy the contents of the backup information to a separate file or your log file.
You'll need it in disaster scenarios where you might need to manually recover OKM.
-
You can safely shut down the impaired controller. Go to shutdown the impaired controller.
Anything other than
true-
Enter the onboard security key-manager sync command:
security key-manager onboard sync -
Enter the 32 character, alphanumeric onboard key management passphrase when prompted.
If the passphrase cannot be provided, contact NetApp Support.
-
Verify the
Restoredcolumn displaystruefor all authentication keys:security key-manager key query -
Verify that the
Key Managertype displaysonboard, and then manually back up the OKM information. -
Enter the command to display the key management backup information:
security key-manager onboard show-backup -
Copy the contents of the backup information to a separate file or your log file.
You'll need it in disaster scenarios where you might need to manually recover OKM.
-
You can safely shut down the impaired controller. Go to shutdown the impaired controller.
-
