Enable onboard key management in ONTAP 9.6 and later
You can use the Onboard Key Manager to authenticate cluster nodes to a FIPS drive or SED. The Onboard Key Manager is a built-in tool that serves authentication keys to nodes from the same storage system as your data. The Onboard Key Manager is FIPS-140-2 level 1 compliant.
You can use the Onboard Key Manager to secure the keys that the cluster uses to access encrypted data. You must enable Onboard Key Manager on each cluster that accesses an encrypted volume or a self-encrypting disk.
If you are using NSE with an external key management (KMIP) server, you must have deleted the external key manager database.
You must be a cluster administrator to perform this task.
You must configure the MetroCluster environment before the Onboard Key Manager is configured.
You must run the security key-manager onboard enable command each time you add a node to the cluster. In MetroCluster configurations, you must run security key-manager onboard enable on the local cluster first, then run security key-manager onboard sync on the remote cluster, using the same passphrase on each.
By default, you are not required to enter the key manager passphrase when a node is rebooted. Except in MetroCluster, you can use the cc-mode-enabled=yes option to require that users enter the passphrase after a reboot.
When the Onboard Key Manager is enabled in Common Criteria mode (
The Onboard Key Manager stores keys in volatile memory. Volatile memory contents are cleared when the system is rebooted or halted. Under normal operating conditions, volatile memory contents will be cleared within 30s when a system is halted.
Start the key manager setup command:
security key-manager onboard enable -cc-mode-enabled yes|no
Set cc-mode-enabled=yes to require that users enter the key manager passphrase after a reboot. The -cc-mode-enabled option is not supported in MetroCluster configurations.
The security key-manager onboard enable command replaces the security key-manager setup command.
The following example starts the key manager setup command on cluster1 without requiring that the passphrase be entered after every reboot:
cluster1::> security key-manager onboard enable

Enter the cluster-wide passphrase for onboard key management in Vserver "cluster1":: <32..256 ASCII characters long text>
Reenter the cluster-wide passphrase: <32..256 ASCII characters long text>
At the passphrase prompt, enter a passphrase between 32 and 256 characters, or for “cc-mode”, a passphrase between 64 and 256 characters.
If the specified “cc-mode” passphrase is less than 64 characters, there is a five-second delay before the key manager setup operation displays the passphrase prompt again.
At the passphrase confirmation prompt, reenter the passphrase.
Verify that the authentication keys have been created:
security key-manager key query -node node
The security key-manager key query command replaces the security key-manager query key command. For complete command syntax, see the man page.
The following example verifies that authentication keys have been created for
cluster1::> security key-manager key query

       Vserver: cluster1
   Key Manager: onboard
          Node: node1

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001000c11b3863f78c2273343d7ec5a67762e0000000000000000
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001006f4e2513353a674305872a4c9f3bf7970000000000000000

       Vserver: cluster1
   Key Manager: onboard
          Node: node2

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001000c11b3863f78c2273343d7ec5a67762e0000000000000000
node2                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001006f4e2513353a674305872a4c9f3bf7970000000000000000
Copy the passphrase to a secure location outside the storage system for future use.
All key management information is automatically backed up to the replicated database (RDB) for the cluster. You should also back up the information manually for use in case of a disaster.
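One way to automate the key verification step above, as an added example that is not part of the original documentation: a Python parser for saved security key-manager key query output that reports expected nodes with no keys listed or with a key whose Restored column is not yes. The function names, the sample text and its key IDs are constructed, and the column layout is assumed to match the example output on this page.

```python
import re

# Constructed sample; layout assumed from this page, key IDs are placeholders.
SAMPLE = """\
       Vserver: cluster1
   Key Manager: onboard
          Node: node1
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: EXAMPLE-KEY-ID-0001

       Vserver: cluster1
   Key Manager: onboard
          Node: node2
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node2                                 NSE-AK    no
    Key ID: EXAMPLE-KEY-ID-0002
"""

# A key row is exactly three fields ending in yes/no; headers never match.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(yes|no)\s*$")

def parse_key_query(text):
    """Return {node: [(key_tag, key_type, restored, key_id), ...]}."""
    nodes, node, pending = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Node:"):
            node = s.split(":", 1)[1].strip()
            nodes.setdefault(node, [])
        elif s.startswith("Key ID:") and pending and node:
            nodes[node].append(pending + (s.split(":", 1)[1].strip(),))
            pending = None
        elif node and (m := ROW.match(s)):
            pending = (m.group(1), m.group(2), m.group(3) == "yes")
    return nodes

def find_problems(nodes, expected_nodes):
    """List expected nodes with no keys, and keys that are not restored."""
    problems = []
    for n in expected_nodes:
        keys = nodes.get(n, [])
        if not keys:
            problems.append(f"{n}: no authentication keys listed")
        problems += [f"{n}: key {k[3]} not restored" for k in keys if not k[2]]
    return problems
```

Pass find_problems the full list of cluster node names so that a node missing from the output entirely is reported, not only nodes that appear with unrestored keys.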