Check onboard encryption keys - FAS70 and FAS90
Prior to shutting down the impaired controller and checking the status of the onboard encryption keys, you must check the status of the impaired controller, disable automatic giveback, and check the version of ONTAP that is running.
If you have a cluster with more than two nodes, it must be in quorum. If the cluster is not in quorum or a healthy controller shows false for eligibility and health, you must correct the issue before shutting down the impaired controller; see Synchronize a node with the cluster.
Check NVE or NSE
Before shutting down the impaired controller, you need to verify whether the system has security key manager enabled or encrypted disks.
Verify security key-manager configuration
- Determine if Key Manager is active with the security key-manager keystore show command. For more information, see the security key-manager keystore show MAN page.
  You may have additional key manager types. The types are KMIP, AKV, and GCP. The process for confirming these types is the same as confirming external or onboard key manager types.
  - If no output is displayed, go to Shut down the impaired controller to shut down the impaired node.
  - If the command displays output, the system has security key-manager active and you need to display the Key Manager type and status.
- Display the information for the active Key Manager using the security key-manager key query command.
  - If the Key Manager type displays external and the Restored column displays true, it's safe to shut down the impaired controller.
  - If the Key Manager type displays onboard and the Restored column displays true, you need to complete some additional steps.
  - If the Key Manager type displays external and the Restored column displays anything other than true, you need to complete some additional steps.
  - If the Key Manager type displays onboard and the Restored column displays anything other than true, you need to complete some additional steps.
- If the Key Manager type displays onboard and the Restored column displays true, manually back up the OKM information:
  - Enter y when prompted to continue: set -priv advanced
  - Enter the command to display the key management information: security key-manager onboard show-backup
  - Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.
  - You can safely shut down the impaired controller.
- If the Key Manager type displays onboard and the Restored column displays anything other than true:
  - Enter the onboard security key-manager sync command: security key-manager onboard sync
    Enter the 32 character, alphanumeric onboard key management passphrase at the prompt. If the passphrase cannot be provided, contact NetApp Support at mysupport.netapp.com.
  - Verify that the Restored column displays true for all authentication keys: security key-manager key query
  - Verify that the Key Manager type displays onboard, and then manually back up the OKM information.
  - Enter the command to display the key management backup information: security key-manager onboard show-backup
  - Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.
  - You can safely shut down the controller.
- If the Key Manager type displays external and the Restored column displays anything other than true:
  - Restore the external key management authentication keys to all nodes in the cluster: security key-manager external restore
    If the command fails, contact NetApp Support at mysupport.netapp.com.
  - Verify that the Restored column displays true for all authentication keys: security key-manager key query
  - You can safely shut down the impaired controller.
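As an added example (not NetApp's code or documentation), the following script encodes the decision table above: it parses a constructed, simplified rendering of security key-manager key query output and returns the branch the procedure prescribes. The sample output, its "Key Manager:" and "Node:" header lines, and the assumption that Restored is the last column are all constructed; the real ONTAP layout may differ.

```python
# Added example (not NetApp's code): encode this page's decision table over a
# constructed, simplified rendering of `security key-manager key query` output.
# Assumed layout: a "Key Manager:" and "Node:" header per node, then a table whose
# last column is Restored. The real ONTAP layout may differ.
import re

SAMPLE_OUTPUT = """\
   Key Manager: onboard
          Node: node1
Key Tag            Key Type  Restored
------------------ --------- --------
node1              NSE-AK    true
node1              VEK       true

   Key Manager: onboard
          Node: node2
Key Tag            Key Type  Restored
------------------ --------- --------
node2              NSE-AK    true
node2              VEK       false
"""

def parse_key_query(text):
    """Return {node: {"type": kind, "restored": [values]}} from the output."""
    nodes, kind, node, in_table = {}, None, None, False
    for line in text.splitlines():
        if not line.strip():            # blank line ends a node's table
            in_table = False
        elif in_table:                  # data row: last field is Restored
            nodes[node]["restored"].append(line.split()[-1].lower())
        elif m := re.match(r"\s*Key Manager:\s*(\S+)", line):
            kind = m.group(1).lower()
        elif m := re.match(r"\s*Node:\s*(\S+)", line):
            node = m.group(1)
            nodes[node] = {"type": kind, "restored": []}
        elif line.startswith("---"):    # separator line precedes the rows
            in_table = True
    return nodes

def shutdown_action(nodes):
    """Map the procedure's cases to one action code for the impaired controller."""
    if not nodes:
        return "NO_KEY_MANAGER"         # no output: go straight to shutdown
    kinds = {n["type"] for n in nodes.values()}
    restored = all(v == "true" for n in nodes.values() for v in n["restored"])
    if kinds == {"external"}:
        return "SAFE_TO_SHUT_DOWN" if restored else "EXTERNAL_RESTORE"
    if kinds == {"onboard"}:
        return "BACKUP_OKM_THEN_SHUT_DOWN" if restored else "ONBOARD_SYNC"
    return "MIXED_TYPES_REVIEW_MANUALLY"
```

Any Restored value other than true on any node (node2's VEK key in the sample) selects the onboard sync branch, matching the page's "anything other than true" wording.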