
Check onboard encryption keys - AFF C30 and AFF C60

Contributors netapp-jsnyder

Before shutting down the impaired controller, check if your version of ONTAP supports NetApp Volume Encryption (NVE) and if your key management system is properly configured.

Step 1: Check if your version of ONTAP supports NetApp Volume Encryption

Check whether your ONTAP version supports NetApp Volume Encryption (NVE). This information is crucial for downloading the correct ONTAP image.

  1. Determine if your ONTAP version supports encryption by running the following command:

    version -v

    If the output includes 1Ono-DARE, NVE is not supported on your cluster version.

  2. Depending on whether NVE is supported on your system, take one of the following actions:

    • If NVE is supported, download the ONTAP image with NetApp Volume Encryption.

    • If NVE is not supported, download the ONTAP image without NetApp Volume Encryption.

Step 2: Determine if it is safe to shut down the controller

To safely shut down a controller, first identify whether the External Key Manager (EKM) or the Onboard Key Manager (OKM) is active. Then, verify the key manager in use, display the appropriate key information, and take action based on the status of the authentication keys.

  1. Determine which key manager is enabled on your system:

    Run the command that matches your ONTAP version:

    ONTAP 9.14.1 or later

    security key-manager keystore show

    • If EKM is enabled, EKM is listed in the command output.

    • If OKM is enabled, OKM is listed in the command output.

    • If no key manager is enabled, No key manager keystores configured is listed in the command output.

    ONTAP 9.13.1 or earlier

    security key-manager show-key-store

    • If EKM is enabled, external is listed in the command output.

    • If OKM is enabled, onboard is listed in the command output.

    • If no key manager is enabled, No key managers configured is listed in the command output.

  2. Depending on whether a key manager is configured on your system, select one of the following options.

    No key manager configured

    You can safely shut down the impaired controller. Go to shutdown the impaired controller.

    External or Onboard key manager configured
    1. Enter the following query command to display the status of the authentication keys in your key manager.

      security key-manager key query

    2. Check the output for the value in the Restored column for your key manager.

      This column indicates whether the authentication keys for your key manager (either EKM or OKM) have been successfully restored.

    3. Depending on whether your system is using the External Key Manager or Onboard Key Manager, select one of the following options.

    External Key Manager

    Depending on the output value displayed in the Restored column, follow the appropriate steps.

    Depending on the value shown in the Restored column, follow these steps:

    true

    You can safely shut down the impaired controller. Go to shutdown the impaired controller.

    Anything other than true

    1. Restore the external key management authentication keys to all nodes in the cluster using the following command:

      security key-manager external restore

      If the command fails, contact NetApp Support.

    2. Verify that the Restored column displays true for all authentication keys by entering the security key-manager key query command.

      If all the authentication keys are true, you can safely shut down the impaired controller. Go to shutdown the impaired controller.

    Onboard Key Manager

    Depending on the output value displayed in the Restored column, follow the appropriate steps.

    Depending on the value shown in the Restored column, follow these steps:

    true

    Manually back up the OKM information.

    1. Enter advanced privilege mode by running set -priv advanced, and enter Y when prompted.

    2. Enter the following command to display the key management information:

      security key-manager onboard show-backup

    3. Copy the contents of the backup information to a separate file or your log file.

      You'll need it in disaster scenarios where you might need to manually recover OKM.

    4. You can safely shut down the impaired controller. Go to shutdown the impaired controller.

    Anything other than true

    1. Enter the onboard security key-manager sync command:

      security key-manager onboard sync

    2. Enter the 32-character alphanumeric onboard key management passphrase when prompted.

      If the passphrase cannot be provided, contact NetApp Support.

    3. Verify the Restored column displays true for all authentication keys:

      security key-manager key query

    4. Verify that the Key Manager type displays onboard, and then manually back up the OKM information.

    5. Enter the command to display the key management backup information:

      security key-manager onboard show-backup

    6. Copy the contents of the backup information to a separate file or your log file.

      You'll need it in disaster scenarios where you might need to manually recover OKM.

    7. You can safely shut down the impaired controller. Go to shutdown the impaired controller.
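The following is an added example, not NetApp tooling or part of the original procedure: it encodes the Step 1 NVE check and the Step 2 decision table (no key manager, EKM restore, OKM sync, OKM backup) as Python functions run over constructed sample CLI output. The column layout of the sample, and the function names, are assumptions; adjust the parser if your CLI output differs.

```python
import re

# Constructed sample output shaped like the columns this procedure reads
# (the "Key Manager:" line and the Restored column). The exact layout of
# the real ONTAP CLI output is an assumption; adjust the parser if needed.
SAMPLE_KEY_QUERY = """\
       Node: node1
    Vserver: cluster1
Key Manager: onboard
Key Tag                   Key Type  Restored
------------------------- --------  --------
node1                     NSE-AK    true
node1                     VEK       false
"""

def nve_supported(version_output: str) -> bool:
    """Step 1: '1Ono-DARE' in 'version -v' output means NVE is not supported."""
    return "1Ono-DARE" not in version_output

def parse_key_query(output: str) -> list:
    """One record per key row from 'security key-manager key query' output."""
    records, key_manager = [], None
    for line in output.splitlines():
        m = re.match(r"\s*Key Manager:\s*(\S+)", line)
        if m:
            key_manager = m.group(1).lower()
            continue
        cols = line.split()
        if key_manager and len(cols) >= 3 and cols[-1] in ("true", "false"):
            records.append({"key_manager": key_manager, "key_tag": cols[0],
                            "restored": cols[-1] == "true"})
    return records

def shutdown_decision(keystore_output: str, key_query_output: str) -> str:
    """Step 2 decision table: is it safe to shut down, and if not, what to run."""
    ks = keystore_output.lower()  # keystore show / show-key-store output
    if "no key manager" in ks:
        return "safe: no key manager configured"
    records = parse_key_query(key_query_output)
    external = "external" in ks or "ekm" in ks or any(r["key_manager"] == "external" for r in records)
    if any(not r["restored"] for r in records):
        cmd = "security key-manager external restore" if external else "security key-manager onboard sync"
        return f"not safe: run '{cmd}', then re-run 'security key-manager key query'"
    if external:
        return "safe: all external keys restored"
    return "safe after backup: run 'security key-manager onboard show-backup' and save the output"
```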