Change the ONTAP onboard key management passphrase
NetApp recommends that you change the onboard key management passphrase regularly. You must store the new passphrase in a secure location outside the storage system.
- You must be a cluster or SVM administrator to perform this task.
- Advanced privileges are required for this task.
- In a MetroCluster environment, after you update the passphrase on the local cluster, synchronize the passphrase update on the partner cluster.

- Change to advanced privilege level:
  set -privilege advanced
- Change the onboard key management passphrase. The command you use depends on the ONTAP version you are running.
  ONTAP 9.6 and later: security key-manager onboard update-passphrase
  ONTAP 9.5 and earlier: security key-manager update-passphrase
- Enter a passphrase between 32 and 256 characters, or for “cc-mode”, a passphrase between 64 and 256 characters.
  If the specified “cc-mode” passphrase is less than 64 characters, there is a five-second delay before the key manager setup operation displays the passphrase prompt again.
- At the passphrase confirmation prompt, reenter the passphrase.
- If you are in a MetroCluster configuration, synchronize the updated passphrase on the partner cluster.
  - Synchronize the passphrase on the partner cluster by choosing the correct command for your ONTAP version:
    ONTAP 9.6 and later: security key-manager onboard sync
    ONTAP 9.5 and earlier:
    - In ONTAP 9.5, run:
      security key-manager setup -sync-metrocluster-config
    - In ONTAP 9.4 and earlier, after you've updated the passphrase on the local cluster, wait 20 seconds, and then run the following command on the partner cluster:
      security key-manager setup
  - Enter the new passphrase when prompted.
    The same passphrase must be used on both clusters.
- Copy the onboard key management passphrase to a secure location outside the storage system for future use.
Back up key management information manually whenever you change the onboard key management passphrase.
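
The following is an added example, not NetApp code or part of the original procedure: a small Python helper, run on an administrator workstation, that generates a random passphrase and checks it against the length limits given in the passphrase step before you type it at the prompt. The function names and the letters-and-digits alphabet are assumptions; the page does not state which characters the prompt accepts.

```python
import math
import secrets
import string

# Length limits taken from the passphrase step on this page.
MIN_LEN = {"standard": 32, "cc-mode": 64}
MAX_LEN = 256

# Assumption: letters and digits only. The page does not say which
# characters the prompt accepts, so this stays with a conservative set.
ALPHABET = string.ascii_letters + string.digits


def check_length(passphrase: str, mode: str = "standard") -> None:
    """Raise ValueError if the passphrase is outside the page's length limits."""
    if mode not in MIN_LEN:
        raise ValueError(f"unknown mode: {mode!r}")
    low = MIN_LEN[mode]
    if not low <= len(passphrase) <= MAX_LEN:
        raise ValueError(
            f"{mode} passphrase must be {low}-{MAX_LEN} characters, "
            f"got {len(passphrase)}"
        )


def generate_passphrase(length: int = 64, mode: str = "standard") -> str:
    """Return a random passphrase drawn from the operating system CSPRNG."""
    candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
    check_length(candidate, mode)
    return candidate


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random passphrase of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Printed once to the terminal; record it in a vault outside the
    # storage system, as the procedure requires.
    print(generate_passphrase(64, "cc-mode"))
```

A 64-character result satisfies both the standard and the “cc-mode” limits, so the same value can be entered on both clusters in a MetroCluster configuration.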