Check onboard encryption keys - AFF C30 and AFF C60
Before shutting down the impaired controller, check if your version of ONTAP supports NetApp Volume Encryption (NVE) and if your key management system is properly configured.
Step 1: Check if your version of ONTAP supports NetApp Volume Encryption
Check whether your ONTAP version supports NetApp Volume Encryption (NVE). This information is crucial for downloading the correct ONTAP image.
- Determine if your ONTAP version supports encryption by running the following command:
  version -v
  If the output includes 1Ono-DARE, NVE is not supported on your cluster version.
- Depending on whether NVE is supported on your system, take one of the following actions:
  - If NVE is supported, download the ONTAP image with NetApp Volume Encryption.
  - If NVE is not supported, download the ONTAP image without NetApp Volume Encryption.
Step 2: Determine if it is safe to shut down the controller
To safely shut down a controller, first identify whether the External Key Manager (EKM) or the Onboard Key Manager (OKM) is active. Then, verify the key manager in use, display the appropriate key information, and take action based on the status of the authentication keys.
- Determine which key manager is enabled on your system. The command depends on your ONTAP version:
  ONTAP 9.14.1 or later: run
    security key-manager keystore show
    - If EKM is enabled, EKM is listed in the command output.
    - If OKM is enabled, OKM is listed in the command output.
    - If no key manager is enabled, No key manager keystores configured is listed in the command output.
  ONTAP 9.13.1 or earlier: run
    security key-manager show-key-store
    - If EKM is enabled, external is listed in the command output.
    - If OKM is enabled, onboard is listed in the command output.
    - If no key manager is enabled, No key managers configured is listed in the command output.
- Depending on whether a key manager is configured on your system, select one of the following options.

  No key manager configured:
    You can safely shut down the impaired controller. Go to shutdown the impaired controller.

  External or Onboard key manager configured:
    - Enter the following query command to display the status of the authentication keys in your key manager:
      security key-manager key query
    - Check the output for the value in the Restored column for your key manager. This column indicates whether the authentication keys for your key manager (either EKM or OKM) have been successfully restored.
    - Depending on whether your system is using the External Key Manager or Onboard Key Manager, select one of the following options.

      External Key Manager: depending on the output value displayed in the Restored column, follow the appropriate steps.
        Restored column shows true:
          You can safely shut down the impaired controller. Go to shutdown the impaired controller.
        Restored column shows anything other than true:
          - Restore the external key management authentication keys to all nodes in the cluster using the following command:
            security key-manager external restore
            If the command fails, contact NetApp Support.
          - Verify that the Restored column displays true for all authentication keys by entering the security key-manager key query command. If all the authentication keys are true, you can safely shut down the impaired controller. Go to shutdown the impaired controller.

      Onboard Key Manager: depending on the output value displayed in the Restored column, follow the appropriate steps.
        Restored column shows true:
          Manually back up the OKM information.
          - Go to the advanced mode by entering set -priv advanced and then enter Y when prompted.
          - Enter the following command to display the key management information:
            security key-manager onboard show-backup
          - Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.
          - You can safely shut down the impaired controller. Go to shutdown the impaired controller.
        Restored column shows anything other than true:
          - Enter the onboard security key-manager sync command:
            security key-manager onboard sync
          - Enter the 32-character, alphanumeric onboard key management passphrase when prompted. If the passphrase cannot be provided, contact NetApp Support.
          - Verify that the Restored column displays true for all authentication keys:
            security key-manager key query
          - Verify that the Key Manager type displays onboard, and then manually back up the OKM information.
          - Enter the command to display the key management backup information:
            security key-manager onboard show-backup
          - Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.
          - You can safely shut down the impaired controller. Go to shutdown the impaired controller.
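The two checks above (the 1Ono-DARE marker in version -v output, and whether every row of security key-manager key query shows Restored = true) can be scripted so the shutdown decision is not made by eye. The following is an added example, not part of the NetApp page or of ONTAP; the sample output, its column layout and the version strings are constructed assumptions, and a real run would feed the script the actual command output instead.

```shell
#!/bin/sh
# Added example, not from the NetApp page: apply the two checks the procedure
# describes (NVE support from `version -v`, and the Restored column of
# `security key-manager key query`) to constructed sample output. The column
# layout and version strings below are assumptions, not captured ONTAP output.

# Constructed `version -v` output, with and without the 1Ono-DARE marker.
SAMPLE_VERSION_NODARE='NetApp Release 9.14.1: Fri Jan 19 00:00:00 UTC 2024 <1Ono-DARE>'
SAMPLE_VERSION_NVE='NetApp Release 9.14.1: Fri Jan 19 00:00:00 UTC 2024 <1O>'

# Constructed `security key-manager key query` output (assumed column layout).
SAMPLE_QUERY_PARTIAL='Node   Vserver   Key Manager   Key ID                     Restored
------ --------- ------------- -------------------------- --------
node1  cluster1  onboard       000000000000000002000001A  true
node2  cluster1  onboard       000000000000000002000001A  false'
SAMPLE_QUERY_OK='Node   Vserver   Key Manager   Key ID                     Restored
------ --------- ------------- -------------------------- --------
node1  cluster1  external      000000000000000002000001A  true
node2  cluster1  external      000000000000000002000001A  true'

# nve_supported VERSION_TEXT: prints "no" when the output carries 1Ono-DARE
# (Step 1: NVE not supported on this cluster version), otherwise "yes".
nve_supported() {
    case "$1" in
        *1Ono-DARE*) echo no ;;
        *) echo yes ;;
    esac
}

# unrestored_keys QUERY_TEXT: prints "<node> <key manager>" for every key
# row whose last column (Restored) is not exactly "true"; the header and
# separator rows are skipped.
unrestored_keys() {
    printf '%s\n' "$1" | awk 'NR > 2 && $NF != "true" { print $1, $3 }'
}

# safe_to_shutdown QUERY_TEXT: "safe" only when every Restored value is true,
# which is the condition the procedure requires before shutting down the
# impaired controller; otherwise "unsafe" (run the restore or sync step first).
safe_to_shutdown() {
    if [ -z "$(unrestored_keys "$1")" ]; then
        echo safe
    else
        echo unsafe
    fi
}
```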