Enable onboard key management in newly added ONTAP nodes
Suggest changes
PDFs
You can use the Onboard Key Manager to secure the keys that the cluster uses to access encrypted data. You must enable Onboard Key Manager on each cluster that accesses an encrypted volume or a self-encrypting disk.
|
For ONTAP 9.6 and later, you must run the For ONTAP 9.5 and earlier, you must run the If you add a node to a cluster with onboard key management, run this command to refresh missing keys. |
If you have a MetroCluster configuration, review these guidelines:
-
Beginning with ONTAP 9.6, you must run
security key-manager onboard enableon the local cluster first, then runsecurity key-manager onboard syncon the remote cluster, using the same passphrase on each.Learn more about
security key-manager onboard enableandsecurity key-manager onboard syncin the ONTAP command reference. -
In ONTAP 9.5, you must run
security key-manager setupon the local cluster andsecurity key-manager setup -sync-metrocluster-config yeson the remote cluster, using the same passphrase on each. -
Prior to ONTAP 9.5, you must run
security key-manager setupon the local cluster, wait approximately 20 seconds, and then runsecurity key-manager setupon the remote cluster, using the same passphrase on each.
By default, you are not required to enter the key manager passphrase when a node is rebooted. Beginning with ONTAP 9.4, you can use the -enable-cc-mode yes option to require that users enter the passphrase after a reboot.
For NVE, if you set -enable-cc-mode yes, volumes you create with the volume create and volume move start commands are automatically encrypted. For volume create, you need not specify -encrypt true. For volume move start, you need not specify -encrypt-destination true.
|
|
After a failed passphrase attempt, you must reboot the node again. |