Skip to main content

Enable external key management in ONTAP 9.5 and earlier

Contributors netapp-thomi netapp-ahibbard

You can use one or more KMIP servers to secure the keys the cluster uses to access encrypted data. You can connect up to four KMIP servers to a node. A minimum of two servers is recommended for redundancy and disaster recovery.

About this task

ONTAP configures KMIP server connectivity for all nodes in the cluster.

Before you begin
  • The KMIP SSL client and server certificates must have been installed.

  • You must be a cluster administrator to perform this task.

  • You must configure the MetroCluster environment before you configure an external key manager.

  • In a MetroCluster environment, you must install the KMIP SSL certificate on both clusters.

Steps
  1. Configure key manager connectivity for cluster nodes:

    security key-manager setup

    The key manager setup starts.

    Note In a MetroCluster environment, you must run this command on both clusters.
  2. Enter the appropriate response at each prompt.

  3. Add a KMIP server:

    security key-manager add -address key_management_server_ipaddress

    clusterl::> security key-manager add -address 20.1.1.1
    Note In a MetroCluster environment, you must run this command on both clusters.
  4. Add an additional KMIP server for redundancy:

    security key-manager add -address key_management_server_ipaddress

    clusterl::> security key-manager add -address 20.1.1.2
    Note In a MetroCluster environment, you must run this command on both clusters.
  5. Verify that all configured KMIP servers are connected:

    security key-manager show -status

    For complete command syntax, see the man page.

    cluster1::> security key-manager show -status
    
    Node            Port      Registered Key Manager  Status
    --------------  ----      ----------------------  ---------------
    cluster1-01     5696      20.1.1.1                available
    cluster1-01     5696      20.1.1.2                available
    cluster1-02     5696      20.1.1.1                available
    cluster1-02     5696      20.1.1.2                available
  6. Optionally, convert plain text volumes to encrypted volumes.

    volume encryption conversion start

    An external key manager must be fully configured before you convert the volumes. In a MetroCluster environment, an external key manager must be configured on both sites.