Transition from external key management to ONTAP onboard key management

07/18/2025 Contributors

PDFs

If you want to switch to onboard key management from external key management, you must delete the external key management configuration before you can enable onboard key management.

Before you begin

For hardware-based encryption, you must reset the data keys of all FIPS drives or SEDs to the default value.

Returning a FIPS drive or SED to unprotected mode
You must have deleted all external key manager connections.

Deleting an external key manager connection
You must be a cluster administrator to perform this task.

Steps

The steps to transition your key management depend on the version of ONTAP you are using.

ONTAP 9.6 and later

Change to the advanced privilege level:

set -privilege advanced
Use the command:

security key-manager external disable -vserver admin_SVM

In a MetroCluster environment, you must repeat the command on both clusters for the admin SVM.

ONTAP 9.5 and earlier

Use the command: security key-manager delete-kmip-config

Learn more about security key-manager delete-kmip-config in the ONTAP command reference.

Related information

security key-manager external

Transition from external key management to ONTAP onboard key management

Creating your file...