Enable onboard key management in newly added nodes
You can use the Onboard Key Manager to secure the keys that the cluster uses to access encrypted data. You must enable Onboard Key Manager on each cluster that accesses an encrypted volume or a self-encrypting disk.
For ONTAP 9.5 and earlier, you must run the
For ONTAP 9.6 and later, you must run the
If you add a node to a cluster that has onboard key management configured, you will run this command to refresh the missing keys.
If you have a MetroCluster configuration, review these guidelines:
Beginning with ONTAP 9.6, you must run security key-manager onboard enable on the local cluster first, then run security key-manager onboard sync on the remote cluster, using the same passphrase on each.
In ONTAP 9.5, you must run security key-manager setup on the local cluster and security key-manager setup -sync-metrocluster-config yes on the remote cluster, using the same passphrase on each.
Prior to ONTAP 9.5, you must run security key-manager setup on the local cluster, wait approximately 20 seconds, and then run security key-manager setup on the remote cluster, using the same passphrase on each.
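The MetroCluster guidelines above depend on the ONTAP release and on which site you are at, and getting the order wrong (remote before local, or skipping the wait on older releases) leaves the second cluster without the keys. The following POSIX shell function is an added example, not NetApp tooling or text from the original page: it turns a release number into the ordered list of commands to run at each site so the sequence can be reviewed before anything is typed at a clustershell prompt. It contacts no cluster, and the version strings used in the usage line are constructed inputs; the passphrase is deliberately left out, since it is entered at each cluster's own prompt.

```shell
#!/bin/sh
# Added example (not NetApp's own code): print the ordered sequence of ONTAP
# commands for enabling onboard key management on a MetroCluster pair,
# following the version-dependent guidelines. Output is a plan to review;
# nothing here talks to a cluster.
set -eu

# onboard_km_plan VERSION
# VERSION is an ONTAP release such as 9.4, 9.5 or 9.7 (constructed inputs).
# Prints one step per line as "<site>: <command>" in the order to run them.
onboard_km_plan() {
  version=$1
  major=${version%%.*}          # text before the first dot
  minor=${version#*.}           # text after the first dot ...
  minor=${minor%%.*}            # ... up to the next dot, if any

  # Reject anything that is not <digits>.<digits> before comparing numbers.
  case $major in
    *[!0-9]*|'') echo "onboard_km_plan: bad version '$version'" >&2; return 1 ;;
  esac
  case $minor in
    *[!0-9]*|'') echo "onboard_km_plan: bad version '$version'" >&2; return 1 ;;
  esac

  if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 6 ]; }; then
    # ONTAP 9.6 and later: enable on the local cluster, then sync the remote.
    echo "local: security key-manager onboard enable"
    echo "remote: security key-manager onboard sync"
  elif [ "$major" -eq 9 ] && [ "$minor" -eq 5 ]; then
    # ONTAP 9.5: setup locally, then setup with MetroCluster sync remotely.
    echo "local: security key-manager setup"
    echo "remote: security key-manager setup -sync-metrocluster-config yes"
  else
    # Before ONTAP 9.5: setup locally, wait about 20 seconds, then setup remotely.
    echo "local: security key-manager setup"
    echo "wait: 20 seconds"
    echo "remote: security key-manager setup"
  fi
  # Every variant requires the same passphrase at both sites.
  echo "note: use the same passphrase at both sites"
}

# Stand-alone usage: print the plan for the release given as an argument,
# e.g. ./plan.sh 9.4
if [ "${1:-}" ]; then
  onboard_km_plan "$1"
fi
```

The function writes the plan to standard output so it can be piped into a change ticket or compared between the two sites; an unparseable release string is rejected with a non-zero status rather than silently falling into the oldest branch.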
By default, you are not required to enter the key manager passphrase when a node is rebooted. Beginning with ONTAP 9.4, you can use the -enable-cc-mode yes option to require that users enter the passphrase after a reboot.
For NVE, if you set -enable-cc-mode yes, volumes you create with the volume create and volume move start commands are automatically encrypted. For volume create, you need not specify -encrypt true. For volume move start, you need not specify
After a failed passphrase attempt, you must reboot the node again.