Enable onboard key management in ONTAP 9.5 and earlier
You can use the Onboard Key Manager to authenticate cluster nodes to a FIPS drive or SED. The Onboard Key Manager is a built-in tool that serves authentication keys to nodes from the same storage system as your data. The Onboard Key Manager is FIPS-140-2 level 1 compliant.
You can use the Onboard Key Manager to secure the keys that the cluster uses to access encrypted data. Enable Onboard Key Manager on each cluster that accesses encrypted volumes or self-encrypting disks.
You must run the `security key-manager setup` command each time you add a node to the cluster.
If you have a MetroCluster configuration, review these guidelines:
- In ONTAP 9.5, you must run `security key-manager setup` on the local cluster and `security key-manager setup -sync-metrocluster-config yes` on the remote cluster, using the same passphrase on each.
- Prior to ONTAP 9.5, you must run `security key-manager setup` on the local cluster, wait approximately 20 seconds, and then run `security key-manager setup` on the remote cluster, using the same passphrase on each.

By default, you are not required to enter the key manager passphrase when a node is rebooted. Beginning with ONTAP 9.4, you can use the `-enable-cc-mode yes` option to require that users enter the passphrase after a reboot.
For NVE, if you set `-enable-cc-mode yes`, volumes you create with the `volume create` and `volume move start` commands are automatically encrypted. For `volume create`, you need not specify `-encrypt true`. For `volume move start`, you need not specify `-encrypt-destination true`.
After a failed passphrase attempt, you must reboot the node again.

- If you are using NSE with an external key management (KMIP) server, delete the external key manager database.
- You must be a cluster administrator to perform this task.
- Configure the MetroCluster environment before you configure the Onboard Key Manager.
 
- Start the key manager setup:

  `security key-manager setup -enable-cc-mode yes|no`

  Beginning with ONTAP 9.4, you can use the `-enable-cc-mode yes` option to require that users enter the key manager passphrase after a reboot. For NVE, if you set `-enable-cc-mode yes`, volumes you create with the `volume create` and `volume move start` commands are automatically encrypted.

  The following example starts setting up the key manager on cluster1 without requiring that the passphrase be entered after every reboot:

  ```
  cluster1::> security key-manager setup
  Welcome to the key manager setup wizard, which will lead you through the steps to add boot information.

  ...

  Would you like to use onboard key-management? {yes, no} [yes]:
  Enter the cluster-wide passphrase:    <32..256 ASCII characters long text>
  Reenter the cluster-wide passphrase:    <32..256 ASCII characters long text>
  ```

- Enter `yes` at the prompt to configure onboard key management.
- At the passphrase prompt, enter a passphrase between 32 and 256 characters, or for “cc-mode”, a passphrase between 64 and 256 characters.

  If the specified “cc-mode” passphrase is less than 64 characters, there is a five-second delay before the key manager setup operation displays the passphrase prompt again.
- At the passphrase confirmation prompt, reenter the passphrase.
- Verify that keys are configured for all nodes:

  `security key-manager show-key-store`

  Learn more about `security key-manager show-key-store` in the ONTAP command reference.

  ```
  cluster1::> security key-manager show-key-store

  Node: node1
  Key Store: onboard
  Key ID                                                           Used By
  ---------------------------------------------------------------- --------
  <id_value> NSE-AK
  <id_value> NSE-AK

  Node: node2
  Key Store: onboard
  Key ID                                                           Used By
  ---------------------------------------------------------------- --------
  <id_value> NSE-AK
  <id_value> NSE-AK
  ```
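
One way to script the verification step, as an added example that is not NetApp code: it parses saved `security key-manager show-key-store` output and flags expected nodes that are not listed, do not report the onboard key store, or list no keys. The sample output, key IDs and node names are constructed, and the parser assumes real output follows the layout shown in the example above.

```python
import re

# Constructed sample in the layout of the show-key-store example above.
# Key IDs are made-up placeholders; node2 lists no keys, node3 is absent.
SAMPLE = """\
cluster1::> security key-manager show-key-store

Node: node1
Key Store: onboard
Key ID            Used By
----------------- --------
EXAMPLEKEYID0001  NSE-AK
EXAMPLEKEYID0002  NSE-AK

Node: node2
Key Store: onboard
Key ID            Used By
----------------- --------
"""

def parse_key_store(text):
    """Return {node: {"store": name or None, "keys": [(key_id, used_by)]}}."""
    nodes, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"Node:\s*(\S+)", line):
            current = nodes.setdefault(m.group(1), {"store": None, "keys": []})
        elif current is None:
            continue  # banner or prompt text before the first node block
        elif m := re.fullmatch(r"Key Store:\s*(\S+)", line):
            current["store"] = m.group(1)
        elif (m := re.fullmatch(r"(\S+)\s+(\S+)", line)) and set(line) - {"-", " "}:
            current["keys"].append(m.groups())  # two-token row: key ID, user
    return nodes

def audit(text, expected_nodes):
    """Report expected nodes that are unlisted, not onboard, or keyless."""
    nodes, problems = parse_key_store(text), []
    for name in expected_nodes:
        info = nodes.get(name)
        if info is None:
            problems.append(f"{name}: not listed")
        elif info["store"] != "onboard":
            problems.append(f"{name}: key store is {info['store']}")
        elif not info["keys"]:
            problems.append(f"{name}: no keys configured")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["node1", "node2", "node3"])))
```

Pass the list of nodes you expect in the cluster as `expected_nodes`; an empty result means every expected node reported the onboard key store with at least one key.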
 
ONTAP automatically backs up key management information to the replicated database (RDB) for the cluster.
After you configure the Onboard Key Manager passphrase, manually back up the information to a secure location outside the storage system. See Back up onboard key management information manually.