Skip to main content
Install and maintain

Restore encryption - FAS500f

Contributors netapp-jsnyder

Restore encryption on the replacement boot media.

You must complete steps specific to systems that have Onboard Key Manager (OKM), NetApp Storage Encryption (NSE) or NetApp Volume Encryption (NVE) enabled using the settings that you captured at the beginning of the boot media replace procedure.

Depending on which a key manger is configured on your system, select one of the following options to restore it from the boot menu.

Option 1: Restore the Onboard Key Manager configuration

Restore the Onboard Key Manager (OKM) configuration from the ONTAP boot menu.

Before you begin
Steps
  1. Connect the console cable to the target controller.

  2. From the ONTAP boot menu select the appropriate option from the boot menu.

    ONTAP version Select this option

    ONTAP 9.8 or later

    Select option 10.

    Show example boot menu
    Please choose one of the following:
    
    (1)  Normal Boot.
    (2)  Boot without /etc/rc.
    (3)  Change password.
    (4)  Clean configuration and initialize all disks.
    (5)  Maintenance mode boot.
    (6)  Update flash from backup config.
    (7)  Install new software first.
    (8)  Reboot node.
    (9)  Configure Advanced Drive Partitioning.
    (10) Set Onboard Key Manager recovery secrets.
    (11) Configure node for external key management.
    Selection (1-11)? 10

    ONTAP 9.7 and earlier

    Select the hidden option recover_onboard_keymanager

    Show example boot menu
    Please choose one of the following:
    
    (1)  Normal Boot.
    (2)  Boot without /etc/rc.
    (3)  Change password.
    (4)  Clean configuration and initialize all disks.
    (5)  Maintenance mode boot.
    (6)  Update flash from backup config.
    (7)  Install new software first.
    (8)  Reboot node.
    (9)  Configure Advanced Drive Partitioning.
    Selection (1-19)? recover_onboard_keymanager
  3. Confirm that you want to continue the recovery process.

    Show example prompt

    This option must be used only in disaster recovery procedures. Are you sure? (y or n):

  4. Enter the cluster-wide passphrase twice.

    While entering the passphrase the console will not show any input.

    Show example prompt

    Enter the passphrase for onboard key management:

    Enter the passphrase again to confirm:

  5. Enter the backup information.

    1. Paste the entire content from the BEGIN BACKUP line through the END BACKUP line.

      Show example prompt
      Enter the backup data:
      
      --------------------------BEGIN BACKUP--------------------------
      0123456789012345678901234567890123456789012345678901234567890123
      1234567890123456789012345678901234567890123456789012345678901234
      2345678901234567890123456789012345678901234567890123456789012345
      3456789012345678901234567890123456789012345678901234567890123456
      4567890123456789012345678901234567890123456789012345678901234567
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      0123456789012345678901234567890123456789012345678901234567890123
      1234567890123456789012345678901234567890123456789012345678901234
      2345678901234567890123456789012345678901234567890123456789012345
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      
      ---------------------------END BACKUP---------------------------
    2. Press the enter key twice at the end of the input.

      The recovery process completes.

      Show example prompt
      Trying to recover keymanager secrets....
      Setting recovery material for the onboard key manager
      Recovery secrets set successfully
      Trying to delete any existing km_onboard.wkeydb file.
      
      Successfully recovered keymanager secrets.
      
      ***********************************************************************************
      * Select option "(1) Normal Boot." to complete recovery process.
      *
      * Run the "security key-manager onboard sync" command to synchronize the key database after the node reboots.
      ***********************************************************************************
    Warning Do not proceed if the displayed output is anything other than Successfully recovered keymanager secrets. Perform troubleshooting to correct the error.
  6. Select option 1 from the boot menu to continue booting into ONTAP.

    Show example prompt
    ***********************************************************************************
    * Select option "(1) Normal Boot." to complete the recovery process.
    *
    ***********************************************************************************
    
    
    (1)  Normal Boot.
    (2)  Boot without /etc/rc.
    (3)  Change password.
    (4)  Clean configuration and initialize all disks.
    (5)  Maintenance mode boot.
    (6)  Update flash from backup config.
    (7)  Install new software first.
    (8)  Reboot node.
    (9)  Configure Advanced Drive Partitioning.
    (10) Set Onboard Key Manager recovery secrets.
    (11) Configure node for external key management.
    Selection (1-11)? 1
  7. Confirm that the controller's console displays the following message.

    Waiting for giveback…​(Press Ctrl-C to abort wait)

  8. From the partner node, giveback the partner controller by entering the following command.

    storage failover giveback -fromnode local -only-cfo-aggregates true.

  9. After booting with only the CFO aggregate, run the following command.

    security key-manager onboard sync

  10. Enter the cluster-wide passphrase for the Onboard Key Manager.

    Show example prompt
    Enter the cluster-wide passphrase for the Onboard Key Manager:
    
    All offline encrypted volumes will be brought online and the corresponding volume encryption keys (VEKs) will be restored automatically within 10 minutes. If any offline encrypted volumes are not brought online automatically, they can be brought online manually using the "volume online -vserver <vserver> -volume <volume_name>" command.
    Note If the sync is successful the cluster prompt is returned with no additional messages. If the sync fails an error message appears before returning to the cluster prompt. Do not continue until the the error is corrected and the sync runs successfully.
  11. Ensure that all keys are synced by entering the following command.

    security key-manager key query -restored false.

    There are no entries matching your query.

    Note No results should appear when filtering for false in the restored parameter.
  12. Giveback the node from the partner by entering the following command.

    storage failover giveback -fromnode local

  13. Restore automatic giveback, if you disabled it, by entering the following command.

    storage failover modify -node local -auto-giveback true

  14. If AutoSupport is enabled, restore automatic case creation by entering the following command.

    system node autosupport invoke -node * -type all -message MAINT=END

Option 2: Restore the External Key Manager configuration

Restore the External Key Manager configuration from the ONTAP boot menu.

Before you begin

You need the following information for restoring the External Key Manager (EKM) configuration.

  • A copy of the /cfcard/kmip/servers.cfg file from another cluster node or the following information:

    • The KMIP server address.

    • The KMIP port.

  • A copy of the /cfcard/kmip/certs/client.crt file from another cluster node or the client certificate.

  • A copy of the /cfcard/kmip/certs/client.key file from another cluster node or the client key.

  • A copy of the /cfcard/kmip/certs/CA.pem file from another cluster node or the KMIP server CA(s).

Steps
  1. Connect the console cable to the target controller.

  2. Select option 11 from the ONTAP boot menu.

    Show example boot menu
    (1)  Normal Boot.
    (2)  Boot without /etc/rc.
    (3)  Change password.
    (4)  Clean configuration and initialize all disks.
    (5)  Maintenance mode boot.
    (6)  Update flash from backup config.
    (7)  Install new software first.
    (8)  Reboot node.
    (9)  Configure Advanced Drive Partitioning.
    (10) Set Onboard Key Manager recovery secrets.
    (11) Configure node for external key management.
    Selection (1-11)? 11
  3. When prompted, confirm you have gathered the required information.

    Show example prompt
    Do you have a copy of the /cfcard/kmip/certs/client.crt file? {y/n}
    Do you have a copy of the /cfcard/kmip/certs/client.key file? {y/n}
    Do you have a copy of the /cfcard/kmip/certs/CA.pem file? {y/n}
    Do you have a copy of the /cfcard/kmip/servers.cfg file? {y/n}
  4. When prompted, enter the client and server information.

    Show prompt
    Enter the client certificate (client.crt) file contents:
    Enter the client key (client.key) file contents:
    Enter the KMIP server CA(s) (CA.pem) file contents:
    Enter the server configuration (servers.cfg) file contents:
    Show example
    Enter the client certificate (client.crt) file contents:
    -----BEGIN CERTIFICATE-----
    MIIDvjCCAqagAwIBAgICN3gwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQwwCgYDVQQHEwNTVkwxDzANBgNVBAoTBk5l
    MSUbQusvzAFs8G3P54GG32iIRvaCFnj2gQpCxciLJ0qB2foiBGx5XVQ/Mtk+rlap
    Pk4ECW/wqSOUXDYtJs1+RB+w0+SHx8mzxpbz3mXF/X/1PC3YOzVNCq5eieek62si
    Fp8=
    -----END CERTIFICATE-----
    
    Enter the client key (client.key) file contents:
    -----BEGIN RSA PRIVATE KEY-----
    <key_value>
    -----END RSA PRIVATE KEY-----
    
    Enter the KMIP server CA(s) (CA.pem) file contents:
    -----BEGIN CERTIFICATE-----
    MIIEizCCA3OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
    7yaumMQETNrpMfP+nQMd34y4AmseWYGM6qG0z37BRnYU0Wf2qDL61cQ3/jkm7Y94
    EQBKG1NY8dVyjphmYZv+
    -----END CERTIFICATE-----
    
    Enter the IP address for the KMIP server: 10.10.10.10
    Enter the port for the KMIP server [5696]:
    
    System is ready to utilize external key manager(s).
    Trying to recover keys from key servers....
    kmip_init: configuring ports
    Running command '/sbin/ifconfig e0M'
    ..
    ..
    kmip_init: cmd: ReleaseExtraBSDPort e0M

    After you enter the client and server information, the recovery process completes.

    Show example
    System is ready to utilize external key manager(s).
    Trying to recover keys from key servers....
    [Aug 29 21:06:28]: 0x808806100: 0: DEBUG: kmip2::main: [initOpenssl]:460: Performing initialization of OpenSSL
    Successfully recovered keymanager secrets.
  5. Select option 1 from the boot menu to continue booting into ONTAP.

    Show example prompt
    ***********************************************************************************
    * Select option "(1) Normal Boot." to complete the recovery process.
    *
    ***********************************************************************************
    
    
    (1)  Normal Boot.
    (2)  Boot without /etc/rc.
    (3)  Change password.
    (4)  Clean configuration and initialize all disks.
    (5)  Maintenance mode boot.
    (6)  Update flash from backup config.
    (7)  Install new software first.
    (8)  Reboot node.
    (9)  Configure Advanced Drive Partitioning.
    (10) Set Onboard Key Manager recovery secrets.
    (11) Configure node for external key management.
    Selection (1-11)? 1
  6. Restore automatic giveback, if you disabled it, by entering the following command.

    storage failover modify -node local -auto-giveback true

  7. If AutoSupport is enabled, restore automatic case creation by entering the following command.

    system node autosupport invoke -node * -type all -message MAINT=END