Skip to main content

Enable onboard key management in ONTAP 9.6 and later (NVE)

Contributors netapp-aoife netapp-ahibbard netapp-thomi

You can use the Onboard Key Manager to secure the keys that the cluster uses to access encrypted data. You must enable the Onboard Key Manager on each cluster that accesses an encrypted volume or a self-encrypting disk.

About this task

You must run the security key-manager onboard sync command each time you add a node to the cluster.

If you have a MetroCluster configuration, you must run the security key-manager onboard enable command on the local cluster first, then run the security key-manager onboard sync command on the remote cluster, using the same passphrase on each. When you run the security key-manager onboard enable command from the local cluster and then synchronize on the remote cluster, you do not need to run the enable command again from the remote cluster.

By default, you are not required to enter the key manager passphrase when a node is rebooted. You can use the cc-mode-enabled=yes option to require that users enter the passphrase after a reboot.

For NVE, if you set cc-mode-enabled=yes, volumes you create with the volume create and volume move start commands are automatically encrypted. For volume create, you need not specify -encrypt true. For volume move start, you need not specify -encrypt-destination true.

When configuring ONTAP data at rest encryption, to meet the requirements for Commercial Solutions for Classified (CSfC) you must use NSE with NVE and ensure the Onboard Key Manager is enabled in Common Criteria mode. Refer to the CSfC Solution Brief for more information on CSfC.

Note

When the Onboard Key Manager is enabled in Common Criteria mode (cc-mode-enabled=yes), system behavior is changed in the following ways:

  • The system monitors for consecutive failed cluster passphrase attempts when operating in Common Criteria mode.

    If you fail to enter the correct cluster passphrase at boot, encrypted volumes are not mounted. To correct this, you must reboot the node and enter the correct cluster passphrase. Once booted, the system allows up to 5 consecutive attempts to correctly enter the cluster passphrase in a 24-hour period for any command that requires the cluster passphrase as a parameter. If the limit is reached (for example, you have failed to correctly enter the cluster passphrase 5 times in a row) then you must either wait for the 24-hour timeout period to elapse, or you must reboot the node, in order to reset the limit.

  • System image updates use the NetApp RSA-3072 code signing certificate together with SHA-384 code signed digests to check the image integrity instead of the usual NetApp RSA-2048 code signing certificate and SHA-256 code signed digests.

    The upgrade command verifies that the image contents have not been altered or corrupted by checking various digital signatures. The image update process proceeds to the next step if validation succeeds; otherwise, the image update fails. See the cluster image man page for information concerning system updates.

Note The Onboard Key Manager stores keys in volatile memory. Volatile memory contents are cleared when the system is rebooted or halted. Under normal operating conditions, volatile memory contents will be cleared within 30s when a system is halted.
Before you begin
  • You must be a cluster administrator to perform this task.

  • You must configure the MetroCluster environment before you configure the Onboard Key Manager.

Steps
  1. Start the key manager setup:

    security key-manager onboard enable -cc-mode-enabled yes|no

    Note

    Set cc-mode-enabled=yes to require that users enter the key manager passphrase after a reboot. For NVE, if you set cc-mode-enabled=yes, volumes you create with the volume create and volume move start commands are automatically encrypted. The - cc-mode-enabled option is not supported in MetroCluster configurations. The security key-manager onboard enable command replaces the security key-manager setup command.

    The following example starts the key manager setup command on cluster1 without requiring that the passphrase be entered after every reboot:

    cluster1::> security key-manager onboard enable
    
    Enter the cluster-wide passphrase for onboard key management in Vserver "cluster1"::    <32..256 ASCII characters long text>
    Reenter the cluster-wide passphrase:    <32..256 ASCII characters long text>
  2. At the passphrase prompt, enter a passphrase between 32 and 256 characters, or for “cc-mode”, a passphrase between 64 and 256 characters.

    Note

    If the specified “cc-mode” passphrase is less than 64 characters, there is a five-second delay before the key manager setup operation displays the passphrase prompt again.

  3. At the passphrase confirmation prompt, reenter the passphrase.

  4. Verify that the authentication keys have been created:

    security key-manager key query -key-type NSE-AK

    Note

    The security key-manager key query command replaces the security key-manager query key command. For complete command syntax, see the man page.

    The following example verifies that authentication keys have been created for cluster1:

    cluster1::> security key-manager key query -key-type NSE-AK
                   Node: node1
                Vserver: cluster1
            Key Manager: onboard
       Key Manager Type: OKM
     Key Manager Policy: -
    
     Key Tag                               Key Type Encryption   Restored
    
    ------------------------------------  -------- ------------ --------
    
    node1                                 NSE-AK   AES-256      true
    
        Key ID: 00000000000000000200000000000100056178fc6ace6d91472df8a9286daacc0000000000000000
    
    node1                                 NSE-AK   AES-256      true
    
        Key ID: 00000000000000000200000000000100df1689a148fdfbf9c2b198ef974d0baa0000000000000000
    
    2 entries were displayed.
  5. Optionally, convert plain text volumes to encrypted volumes.

    volume encryption conversion start

    The Onboard Key Manager must be fully configured before you convert the volumes. In a MetroCluster environment, the Onboard Key Manager must be configured on both sites.

After you finish

Copy the passphrase to a secure location outside the storage system for future use.

Whenever you configure the Onboard Key Manager passphrase, you should also back up the information manually to a secure location outside the storage system for use in case of a disaster. See Back up onboard key management information manually.