Change the onboard key management passphrase

Contributors

It is a security best practice to change the onboard key management passphrase periodically. You should copy the new onboard key management passphrase to a secure location outside the storage system for future use.

What you’ll need
  • You must be a cluster or SVM administrator to perform this task.

  • Advanced privileges are required for this task.

Steps
  1. Change to advanced privilege level:

    set -privilege advanced

  2. Change the onboard key management passphrase:

    For this ONTAP version…​

    Use this command…​

    ONTAP 9.6 and later

    security key-manager onboard update-passphrase

    ONTAP 9.5 and earlier

    security key-manager update-passphrase

For complete command syntax, see the man pages.

+ The following ONTAP 9.6 command lets you change the onboard key management passphrase for cluster1:

+

clusterl::> security key-manager onboard update-passphrase
Warning: This command will reconfigure the cluster passphrase for onboard key management for Vserver "cluster1".
Do you want to continue? {y|n}: y
Enter current passphrase:
Enter new passphrase:
  1. Enter y at the prompt to change the onboard key management passphrase.

  2. Enter the current passphrase at the current passphrase prompt.

  3. At the new passphrase prompt, enter a passphrase between 32 and 256 characters, or for “cc-mode”, a passphrase between 64 and 256 characters.

    Note

    If the specified “cc-mode” passphrase is less than 64 characters, there is a five-second delay before the key manager setup operation displays the passphrase prompt again.

  4. At the passphrase confirmation prompt, reenter the passphrase.

After you finish

In a MetroCluster environment, you must update the passphrase on the partner cluster:

  • In ONTAP 9.5 and earlier, you must run security key-manager update-passphrase with the same passphrase on the partner cluster.

  • In ONTAP 9.6 and later, you are prompted to run security key-manager onboard sync with the same passphrase on the partner cluster.

You should copy the onboard key management passphrase to a secure location outside the storage system for future use.

You should back up key management information manually whenever you change the onboard key management passphrase.