Enable onboard key management for NVE in ONTAP 9.5 and earlier
Suggest changes
PDFs
You can use the Onboard Key Manager to secure the keys that the cluster uses to access encrypted data. You must enable Onboard Key Manager on each cluster that accesses an encrypted volume or a self-encrypting disk.
You must run the security key-manager setup command each time you add a node to the cluster.
If you have a MetroCluster configuration, review these guidelines:
-
In ONTAP 9.5, you must run
security key-manager setupon the local cluster andsecurity key-manager setup -sync-metrocluster-config yeson the remote cluster, using the same passphrase on each. -
Prior to ONTAP 9.5, you must run
security key-manager setupon the local cluster, wait approximately 20 seconds, and then runsecurity key-manager setupon the remote cluster, using the same passphrase on each.
By default, you are not required to enter the key manager passphrase when a node is rebooted. Beginning with ONTAP 9.4, you can use the -enable-cc-mode yes option to require that users enter the passphrase after a reboot.
For NVE, if you set -enable-cc-mode yes, volumes you create with the volume create and volume move start commands are automatically encrypted. For volume create, you need not specify -encrypt true. For volume move start, you need not specify -encrypt-destination true.
|
After a failed passphrase attempt, you must reboot the node again. |
-
If you use NSE or NVE with an external key management (KMIP) server, delete the external key manager database.
-
You must be a cluster administrator to perform this task.
-
Configure the MetroCluster environment before configuring the Onboard Key Manager.
-
Start the key manager setup:
security key-manager setup -enable-cc-mode yes|no
Beginning with ONTAP 9.4, you can use the
-enable-cc-mode yesoption to require that users enter the key manager passphrase after a reboot. For NVE, if you set-enable-cc-mode yes, volumes you create with thevolume createandvolume move startcommands are automatically encrypted.The following example starts setting up the key manager on cluster1 without requiring that the passphrase be entered after every reboot:
cluster1::> security key-manager setup Welcome to the key manager setup wizard, which will lead you through the steps to add boot information. ... Would you like to use onboard key-management? {yes, no} [yes]: Enter the cluster-wide passphrase: <32..256 ASCII characters long text> Reenter the cluster-wide passphrase: <32..256 ASCII characters long text> -
Enter
yesat the prompt to configure onboard key management. -
At the passphrase prompt, enter a passphrase between 32 and 256 characters, or for “cc-mode”, a passphrase between 64 and 256 characters.
If the specified “cc-mode” passphrase is less than 64 characters, there is a five-second delay before the key manager setup operation displays the passphrase prompt again.
-
At the passphrase confirmation prompt, reenter the passphrase.
-
Verify that keys are configured for all nodes:
security key-manager show-key-storecluster1::> security key-manager show-key-store Node: node1 Key Store: onboard Key ID Used By ---------------------------------------------------------------- -------- <id_value> NSE-AK <id_value> NSE-AK Node: node2 Key Store: onboard Key ID Used By ---------------------------------------------------------------- -------- <id_value> NSE-AK <id_value> NSE-AK
Learn more about
security key-manager show-key-storein the ONTAP command reference. -
Optionally, convert plain text volumes to encrypted volumes.
volume encryption conversion startConfigure the Onboard Key Manager before converting volumes. In MetroCluster environments, configure it on both sites.
Copy the passphrase to a secure location outside the storage system for future use.
When you configure the Onboard Key Manager passphrase, back up the information to a secure location outside the storage system in case of a disaster. See Back up onboard key management information manually.