Assign a FIPS 140-2 authentication key to a FIPS drive

Contributors netapp-ahibbard netapp-aherbin

You can use the storage encryption disk modify command with the -fips-key-id option to assign a FIPS 140-2 authentication key to a FIPS drive. Cluster nodes use this key for drive operations other than data access, such as preventing denial-of-service attacks on the drive.

About this task

Your security setup may require you to use different keys for data authentication and FIPS 140-2 authentication. If that is not the case, you can use the same authentication key for FIPS compliance that you use for data access.

This procedure is not disruptive.

Before you begin

The drive firmware must support FIPS 140-2 compliance. The NetApp Interoperability Matrix Tool contains information about supported drive firmware versions.

Steps
  1. You must first ensure you have assigned a data authentication key. This can be done using an external key manager or an onboard key manager. Verify the key is assigned with the command storage encryption disk show.

  2. Assign a FIPS 140-2 authentication key to SEDs:

    storage encryption disk modify -disk disk_id -fips-key-id fips_authentication_key_id

    You can use the security key-manager query command to view key IDs.

    cluster1::> storage encryption disk modify -disk 2.10.* -fips-key-id 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A
    
    Info: Starting modify on 14 disks.
          View the status of the operation by using the
          storage encryption disk show-status command.

  3. Verify that the authentication key has been assigned:

    storage encryption disk show -fips

    For complete command syntax, see the man page.

    cluster1::> storage encryption disk show -fips
    Disk    Mode FIPS-Compliance Key ID
    ------  ---- ----------------------------------------------------------------
    2.10.0  full 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A
    2.10.1  full 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A
    [...]
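
A way to automate the check in step 3, as an added example that is not part of the NetApp documentation: it parses captured output of storage encryption disk show -fips in the layout shown above and reports every disk whose FIPS key ID is not the one assigned in step 2. The function name, the 2.10.2 row and its key ID are constructed for illustration.

```python
import re

KEY_ID = re.compile(r"^[0-9A-Fa-f]+$")          # key IDs on this page are hex strings
SEPARATOR = re.compile(r"^\s*-{3,}[\s-]*$")     # the dashed line under the column header

def check_fips_keys(show_output, expected_key_id, expected_disks=()):
    """Compare each table row against the key ID that was assigned.

    Returns (ok_disks, problems), where problems maps a disk name to the reason
    it needs attention. Mode is read but not judged.
    """
    expected = expected_key_id.upper()
    ok, problems, in_table = [], {}, False
    for line in show_output.splitlines():
        if SEPARATOR.match(line):
            in_table = True                      # rows start after the dashed line
            continue
        parts = line.split()
        if not in_table or not parts or parts == ["[...]"]:
            continue                             # prompt, header, blank, elided rows
        disk = parts[0]
        if len(parts) != 3 or not KEY_ID.match(parts[2]):
            problems[disk] = "row not in 'disk mode key-id' form"
        elif parts[2].upper() != expected:
            problems[disk] = "key ID differs from the one assigned"
        else:
            ok.append(disk)
    for disk in expected_disks:                  # disks modified but never listed
        if disk not in ok and disk not in problems:
            problems[disk] = "disk missing from output"
    return ok, problems

# Key ID from the example on this page.
FIPS_KEY = "6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A"
OTHER_KEY = "F" * 64                             # constructed placeholder, not a real key ID
# Constructed sample: first two rows as on the page, third row invented.
SAMPLE = "\n".join([
    "cluster1::> storage encryption disk show -fips",
    "Disk    Mode FIPS-Compliance Key ID",
    "------  ---- " + "-" * 64,
    "2.10.0  full " + FIPS_KEY,
    "2.10.1  full " + FIPS_KEY,
    "2.10.2  full " + OTHER_KEY,
    "[...]",
])

if __name__ == "__main__":
    ok, problems = check_fips_keys(SAMPLE, FIPS_KEY, ["2.10.0", "2.10.1", "2.10.2", "2.10.3"])
    print("ok:", ok)
    for disk, reason in sorted(problems.items()):
        print("check:", disk, "-", reason)
```

Passing the list of disks that the modify command targeted catches drives that are absent from the output as well as drives carrying a different key ID.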