Enable onboard key management in ONTAP 9.5 and earlier (NVE)
You can use the Onboard Key Manager to secure the keys that the cluster uses to access encrypted data. You must enable Onboard Key Manager on each cluster that accesses an encrypted volume or a self-encrypting disk.
You must run the security key-manager setup
command each time you add a node to the cluster.
If you have a MetroCluster configuration, review these guidelines:
-
In ONTAP 9.5, you must run
security key-manager setup
on the local cluster andsecurity key-manager setup -sync-metrocluster-config yes
on the remote cluster, using the same passphrase on each. -
Prior to ONTAP 9.5, you must run
security key-manager setup
on the local cluster, wait approximately 20 seconds, and then runsecurity key-manager setup
on the remote cluster, using the same passphrase on each.
By default, you are not required to enter the key manager passphrase when a node is rebooted. Beginning with ONTAP 9.4, you can use the -enable-cc-mode yes
option to require that users enter the passphrase after a reboot.
For NVE, if you set -enable-cc-mode yes
, volumes you create with the volume create
and volume move start
commands are automatically encrypted. For volume create
, you need not specify -encrypt true
. For volume move start
, you need not specify -encrypt-destination true
.
After a failed passphrase attempt, you must reboot the node again. |
-
If you are using NSE or NVE with an external key management (KMIP) server, you must have deleted the external key manager database.
-
You must be a cluster administrator to perform this task.
-
You must configure the MetroCluster environment before you configure the Onboard Key Manager.
-
Start the key manager setup:
security key-manager setup -enable-cc-mode yes|no
Beginning with ONTAP 9.4, you can use the
-enable-cc-mode yes
option to require that users enter the key manager passphrase after a reboot. For NVE, if you set-enable-cc-mode yes
, volumes you create with thevolume create
andvolume move start
commands are automatically encrypted.The following example starts setting up the key manager on cluster1 without requiring that the passphrase be entered after every reboot:
cluster1::> security key-manager setup Welcome to the key manager setup wizard, which will lead you through the steps to add boot information. ... Would you like to use onboard key-management? {yes, no} [yes]: Enter the cluster-wide passphrase: <32..256 ASCII characters long text> Reenter the cluster-wide passphrase: <32..256 ASCII characters long text>
-
Enter
yes
at the prompt to configure onboard key management. -
At the passphrase prompt, enter a passphrase between 32 and 256 characters, or for “cc-mode”, a passphrase between 64 and 256 characters.
If the specified “cc-mode” passphrase is less than 64 characters, there is a five-second delay before the key manager setup operation displays the passphrase prompt again.
-
At the passphrase confirmation prompt, reenter the passphrase.
-
Verify that keys are configured for all nodes:
security key-manager key show
For the complete command syntax, see the man page.
cluster1::> security key-manager key show Node: node1 Key Store: onboard Key ID Used By ---------------------------------------------------------------- -------- 0000000000000000020000000000010059851742AF2703FC91369B7DB47C4722 NSE-AK 000000000000000002000000000001008C07CC0AF1EF49E0105300EFC83004BF NSE-AK Node: node2 Key Store: onboard Key ID Used By ---------------------------------------------------------------- -------- 0000000000000000020000000000010059851742AF2703FC91369B7DB47C4722 NSE-AK 000000000000000002000000000001008C07CC0AF1EF49E0105300EFC83004BF NSE-AK
-
Optionally, convert plain text volumes to encrypted volumes.
volume encryption conversion start
The Onboard Key Manager must be fully configured before you convert the volumes. In a MetroCluster environment, the Onboard Key Manager must be configured on both sites.
Copy the passphrase to a secure location outside the storage system for future use.
Whenever you configure the Onboard Key Manager passphrase, you should also back up the information manually to a secure location outside the storage system for use in case of a disaster. See Back up onboard key management information manually.