Enable onboard key management in newly added nodes

Contributors

You can use the Onboard Key Manager to secure the keys that the cluster uses to access encrypted data. You must enable Onboard Key Manager on each cluster that accesses an encrypted volume or a self-encrypting disk.

Note

For ONTAP 9.5 and earlier, you must run the security key-manager setup command each time you add a node to the cluster.

For ONTAP 9.6 and later, you must run the security key-manager sync command each time you add a node to the cluster.

If you add a node to a cluster that has onboard key management configured, you will run this command to refresh the missing keys.

If you have a MetroCluster configuration, review these guidelines:

  • Beginning with ONTAP 9.6, you must run security key-manager onboard enable on the local cluster first, then run security key-manager onboard sync on the remote cluster, using the same passphrase on each.

  • In ONTAP 9.5, you must run security key-manager setup on the local cluster and security key-manager setup -sync-metrocluster-config yes on the remote cluster, using the same passphrase on each.

  • Prior to ONTAP 9.5, you must run security key-manager setup on the local cluster, wait approximately 20 seconds, and then run security key-manager setup on the remote cluster, using the same passphrase on each.

By default, you are not required to enter the key manager passphrase when a node is rebooted. Beginning with ONTAP 9.4, you can use the -enable-cc-mode yes option to require that users enter the passphrase after a reboot.

For NVE, if you set -enable-cc-mode yes, volumes you create with the volume create and volume move start commands are automatically encrypted. For volume create, you need not specify -encrypt true. For volume move start, you need not specify -encrypt-destination true.

Note

After a failed passphrase attempt, you must reboot the node again.