Enable external key management in ONTAP 9.5 and earlier (HW-based)
You can use one or more KMIP servers to secure the keys the cluster uses to access encrypted data. You can connect up to four KMIP servers to a node. A minimum of two servers is recommended for redundancy and disaster recovery.
ONTAP configures KMIP server connectivity for all nodes in the cluster.
- The KMIP SSL client and server certificates must have been installed.
- You must be a cluster administrator to perform this task.
- You must configure the MetroCluster environment before you configure an external key manager.
- In a MetroCluster environment, you must install the same KMIP SSL certificate on both clusters.
- Configure key manager connectivity for cluster nodes:
  security key-manager setup
  The key manager setup starts.
  In a MetroCluster environment, you must run this command on both clusters.
- Enter the appropriate response at each prompt.
- Add a KMIP server:
  security key-manager add -address key_management_server_ipaddress
  cluster1::> security key-manager add -address 20.1.1.1
  In a MetroCluster environment, you must run this command on both clusters.
- Add an additional KMIP server for redundancy:
  security key-manager add -address key_management_server_ipaddress
  cluster1::> security key-manager add -address 20.1.1.2
  In a MetroCluster environment, you must run this command on both clusters.
- Verify that all configured KMIP servers are connected:
  security key-manager show -status
  For complete command syntax, see the man page.
  cluster1::> security key-manager show -status
  Node           Port Registered Key Manager Status
  -------------- ---- ---------------------- ---------------
  cluster1-01    5696 20.1.1.1               available
  cluster1-01    5696 20.1.1.2               available
  cluster1-02    5696 20.1.1.1               available
  cluster1-02    5696 20.1.1.2               available
- Optionally, convert plain text volumes to encrypted volumes:
  volume encryption conversion start
  An external key manager must be fully configured before you convert the volumes. In a MetroCluster environment, an external key manager must be configured on both sites.
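As an added example (not NetApp's code or part of this page), the following Python check parses the output of security key-manager show -status and flags any node that does not see at least two KMIP servers in the available state, which is the redundancy minimum the page recommends. The column layout is assumed to match the example output above, and the sample output is constructed, with one entry deliberately set to unavailable.

```python
"""Check `security key-manager show -status` output for KMIP redundancy gaps."""
from collections import defaultdict

# Constructed sample output modelled on the page's example (cluster1 with
# KMIP servers 20.1.1.1 and 20.1.1.2). The last row is deliberately
# "unavailable" so the check has something to report.
SAMPLE_STATUS = """\
Node           Port Registered Key Manager Status
-------------- ---- ---------------------- ---------------
cluster1-01    5696 20.1.1.1               available
cluster1-01    5696 20.1.1.2               available
cluster1-02    5696 20.1.1.1               available
cluster1-02    5696 20.1.1.2               unavailable
"""


def parse_status(text):
    """Return {node: {server: status}} from the show -status table.

    Header and separator lines are skipped by requiring exactly four
    whitespace-separated fields with a numeric port in the second field.
    """
    by_node = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        node, _port, server, status = parts
        by_node[node][server] = status
    return dict(by_node)


def find_gaps(status_by_node, min_servers=2):
    """Report nodes lacking `min_servers` available KMIP servers.

    Also lists servers that are registered on other nodes but absent on this
    one (ONTAP is expected to configure connectivity for every node) and
    servers present but not in the 'available' state.
    """
    all_servers = set()
    for servers in status_by_node.values():
        all_servers.update(servers)
    problems = {}
    for node, servers in status_by_node.items():
        available = sorted(s for s, st in servers.items() if st == "available")
        not_available = sorted(s for s, st in servers.items() if st != "available")
        missing = sorted(all_servers - set(servers))
        if len(available) < min_servers or not_available or missing:
            problems[node] = {"available": available,
                              "unavailable": not_available,
                              "missing": missing}
    return problems
```

Run the same functions over the real command output captured from each cluster (both clusters in a MetroCluster environment) to confirm every node reports every configured server as available before starting volume conversion.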