
Assign a FIPS 140-2 authentication key to a FIPS drive with ONTAP

Contributors netapp-ahibbard netapp-dbagwell netapp-aaron-holt netapp-aherbin

You can use the storage encryption disk modify command with the -fips-key-id option to assign a FIPS 140-2 authentication key to a FIPS drive. Cluster nodes use this key for drive operations other than data access, such as preventing denial-of-service attacks on the drive.

About this task

Your security setup may require you to use different keys for data authentication and FIPS 140-2 authentication. If that is not the case, you can use the same authentication key for FIPS compliance that you use for data access.

This procedure is not disruptive.

Before you begin

The drive firmware must support FIPS 140-2 compliance. The NetApp Interoperability Matrix Tool contains information about supported drive firmware versions.

Steps
  1. Ensure that a data authentication key has already been assigned to the drive. You can do this with either an external key manager or the Onboard Key Manager. Verify that the key is assigned with the storage encryption disk show command.

  2. Assign a FIPS 140-2 authentication key to SEDs:

    storage encryption disk modify -disk disk_id -fips-key-id fips_authentication_key_id

    You can use the security key-manager query command to view key IDs.

    cluster1::> storage encryption disk modify -disk 2.10.* -fips-key-id <id_value>
    
    Info: Starting modify on 14 disks.
          View the status of the operation by using the
          storage encryption disk show-status command.
  3. Verify that the authentication key has been assigned:

    storage encryption disk show -fips

    Learn more about storage encryption disk show in the ONTAP command reference.

    cluster1::> storage encryption disk show -fips
    Disk    Mode FIPS-Compliance Key ID
    ------  ---- ----------------------------------------------------------------
    2.10.0  full <id_value>
    2.10.1  full <id_value>
    [...]
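To check the step 3 output mechanically rather than by eye, the following Python parser and check are added here as an example; they are not part of the NetApp documentation. The sample output is constructed, the key IDs are placeholders, and the "data" mode and "-" key shown for a drive without a FIPS key are assumed values for that state.

```python
import re

# Constructed sample of "storage encryption disk show -fips" output, not captured
# from a real cluster. Key IDs are placeholders. Disk 2.10.2 is deliberately shown
# without a FIPS key (mode "data" and "-" are assumed values for that state).
SAMPLE_OUTPUT = """\
cluster1::> storage encryption disk show -fips
Disk    Mode FIPS-Compliance Key ID
------  ---- ----------------------------------------------------------------
2.10.0  full <id_value>
2.10.1  full <id_value>
2.10.2  data -
3 entries were displayed.
"""

# A data row is exactly three whitespace-separated fields: disk, mode, key ID.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_fips_show(text):
    """Return {disk: (mode, key_id)} from the tabular output. The prompt, the
    column headers and the trailing entry count have a different field count
    and never match; the dashed separator row is skipped explicitly."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group(1).startswith("-"):
            continue
        disk, mode, key_id = m.groups()
        rows[disk] = (mode, key_id)
    return rows


def unassigned_fips_disks(text, expected_key_id, disk_prefix=""):
    """List (disk, mode, key_id) for disks under disk_prefix that are not in
    "full" mode with the expected FIPS key ID, i.e. the verify step failed."""
    bad = []
    for disk, (mode, key_id) in parse_fips_show(text).items():
        if disk.startswith(disk_prefix) and (mode != "full" or key_id != expected_key_id):
            bad.append((disk, mode, key_id))
    return sorted(bad)


if __name__ == "__main__":
    # Same scope as the "2.10.*" wildcard used in step 2.
    for disk, mode, key_id in unassigned_fips_disks(SAMPLE_OUTPUT, "<id_value>", "2.10."):
        print(f"{disk}: mode={mode} key={key_id} (expected full / <id_value>)")
```

An empty result means every drive in scope reports mode full with the expected key ID; anything listed still needs the step 2 modify command or a re-check with storage encryption disk show-status.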