Change the onboard key management passphrase
It is a security best practice to change the onboard key management passphrase periodically. You should copy the new onboard key management passphrase to a secure location outside the storage system for future use.
- You must be a cluster or SVM administrator to perform this task.
- Advanced privileges are required for this task.

- Change to advanced privilege level:
    set -privilege advanced
- Change the onboard key management passphrase:

  | For this ONTAP version… | Use this command… |
  | --- | --- |
  | ONTAP 9.6 and later | security key-manager onboard update-passphrase |
  | ONTAP 9.5 and earlier | security key-manager update-passphrase |

For complete command syntax, see the man pages.
The following ONTAP 9.6 command lets you change the onboard key management passphrase for cluster1:

    cluster1::> security key-manager onboard update-passphrase
    Warning: This command will reconfigure the cluster passphrase for onboard key management for Vserver "cluster1".
    Do you want to continue? {y|n}: y
    Enter current passphrase:
    Enter new passphrase:

- Enter y at the prompt to change the onboard key management passphrase.
- Enter the current passphrase at the current passphrase prompt.
- At the new passphrase prompt, enter a passphrase between 32 and 256 characters, or for “cc-mode”, a passphrase between 64 and 256 characters.
  If the specified “cc-mode” passphrase is less than 64 characters, there is a five-second delay before the key manager setup operation displays the passphrase prompt again.
- At the passphrase confirmation prompt, reenter the passphrase.

In a MetroCluster environment, you must update the passphrase on the partner cluster:
- In ONTAP 9.5 and earlier, you must run security key-manager update-passphrase with the same passphrase on the partner cluster.
- In ONTAP 9.6 and later, you are prompted to run security key-manager onboard sync with the same passphrase on the partner cluster.

You should copy the onboard key management passphrase to a secure location outside the storage system for future use.
You should back up key management information manually whenever you change the onboard key management passphrase.
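
The length rule at the new passphrase prompt (32 to 256 characters, or 64 to 256 for “cc-mode”) can be checked on an administration host before you type the passphrase into ONTAP. The following is an added example, not NetApp code; the function names, the alphanumeric alphabet, and the whitespace check are assumptions made for illustration.

```python
import secrets
import string

# Length limits stated on this page for the onboard key management passphrase.
MIN_LEN = 32
MIN_LEN_CC_MODE = 64
MAX_LEN = 256

# Assumption: letters and digits only, so the value survives retyping on the
# partner cluster. The page does not define an allowed character set.
ALPHABET = string.ascii_letters + string.digits


def length_bounds(cc_mode=False):
    """Return (minimum, maximum) passphrase length for normal or cc-mode."""
    return (MIN_LEN_CC_MODE if cc_mode else MIN_LEN, MAX_LEN)


def check_passphrase(passphrase, cc_mode=False):
    """Return a list of problems; an empty list means the checks passed."""
    low, high = length_bounds(cc_mode)
    problems = []
    if len(passphrase) < low:
        problems.append(f"too short: {len(passphrase)} < {low}")
    if len(passphrase) > high:
        problems.append(f"too long: {len(passphrase)} > {high}")
    # Added check, not an ONTAP rule: edge whitespace is easily lost when the
    # same passphrase has to be entered again on a MetroCluster partner.
    if passphrase != passphrase.strip():
        problems.append("leading or trailing whitespace")
    return problems


def generate_passphrase(length=64, cc_mode=False):
    """Generate a random passphrase of the given length using a CSPRNG."""
    low, high = length_bounds(cc_mode)
    if not low <= length <= high:
        raise ValueError(f"length must be between {low} and {high}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Report only the length and check result; store the passphrase itself
    # in a secure location outside the storage system, not in a terminal log.
    candidate = generate_passphrase(64, cc_mode=True)
    print(len(candidate), check_passphrase(candidate, cc_mode=True))
```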