Assign a FIPS 140-2 authentication key to a FIPS drive

You can use the storage encryption disk modify command with the -fips-key-id option to assign a FIPS 140-2 authentication key to a FIPS drive. Cluster nodes use this key for drive operations other than data access, such as preventing denial-of-service attacks on the drive.

What you’ll need

The drive firmware must support FIPS 140-2 compliance. The NetApp Interoperability Matrix Tool contains information about supported drive firmware versions.

About this task

Your security setup may require you to use different keys for data authentication and FIPS 140-2 authentication. If that is not the case, you can use the same authentication key for FIPS compliance that you use for data access.

Steps
  1. Assign a FIPS 140-2 authentication key to SEDs:

    storage encryption disk modify -disk disk_id -fips-key-id fips_authentication_key_id

    You can use the security key-manager query command to view key IDs.

    cluster1::> storage encryption disk modify -disk 2.10.* -fips-key-id 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A
    
    Info: Starting modify on 14 disks.
          View the status of the operation by using the
          storage encryption disk show-status command.
  2. Verify that the authentication key has been assigned:

    storage encryption disk show -fips

    For complete command syntax, see the man page.

    cluster1::> storage encryption disk show -fips
    Disk    Mode FIPS-Compliance Key ID
    ------  ---- ----------------------------------------------------------------
    2.10.0  full 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A
    2.10.1  full 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A
    [...]
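
To script the verification in step 2, the following added example (not NetApp code) parses captured `storage encryption disk show -fips` output and reports every disk that does not show the assigned key. It assumes the three-column row layout shown above and treats `full` as the expected mode because that is what the sample output shows; the function names, the third table row and the disk list are constructed for illustration.

```python
import re

# Data row as shown on this page: disk name, mode, hex key ID.
# The prompt, header, separator and "[...]" lines do not match this shape.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+([0-9A-Fa-f]+)\s*$")

def parse_fips_rows(text):
    """Return (disk, mode, key_id) tuples from 'show -fips' output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3).upper()))
    return rows

def audit(text, expected_key_id, expected_disks):
    """Map each disk that fails verification to the reason it failed."""
    expected_key_id = expected_key_id.upper()
    seen = {disk: (mode, key) for disk, mode, key in parse_fips_rows(text)}
    problems = {}
    for disk in expected_disks:
        if disk not in seen:
            # A disk that was targeted by the modify but is absent from the table.
            problems[disk] = "not listed in output"
            continue
        mode, key = seen[disk]
        if mode != "full":  # assumption: 'full' is the expected mode
            problems[disk] = f"mode is {mode!r}, expected 'full'"
        elif key != expected_key_id:
            problems[disk] = "FIPS key ID differs from the assigned one"
    return problems

# Key ID copied from the example on this page.
PAGE_KEY = "6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A"
# Constructed sample: first two rows follow the page, the third is made up.
SAMPLE = f"""cluster1::> storage encryption disk show -fips
Disk    Mode FIPS-Compliance Key ID
------  ---- ----------------------------------------------------------------
2.10.0  full {PAGE_KEY}
2.10.1  full {PAGE_KEY}
2.10.2  full {"ABCD" * 16}
[...]
"""

if __name__ == "__main__":
    disks = ["2.10.0", "2.10.1", "2.10.2", "2.10.3"]
    for disk, reason in audit(SAMPLE, PAGE_KEY, disks).items():
        print(f"{disk}: {reason}")
```

Passing the list of disks you intended to modify matters because a disk that silently dropped out of the operation would otherwise never appear as a failure.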