
Manage external key managers with System Manager

Contributors netapp-thomi netapp-aherbin netapp-ahibbard

Beginning with ONTAP 9.7, you can store and manage authentication and encryption keys with the Onboard Key Manager. Beginning with ONTAP 9.13.1, you can also use external key managers to store and manage these keys.

The Onboard Key Manager stores and manages keys in a secure database that is internal to the cluster. Its scope is the cluster. An external key manager stores and manages keys outside the cluster. Its scope can be the cluster or the storage VM. One or more external key managers can be used. The following conditions apply:

  • If the Onboard Key Manager is enabled, an external key manager cannot be enabled at the cluster level, but it can be enabled at the storage VM level.

  • If an external key manager is enabled at the cluster level, the Onboard Key Manager cannot be enabled.

When using external key managers, you can register up to four primary key servers per storage VM and cluster. Each primary key server can be clustered with up to three secondary key servers.

Configure an external key manager

A storage VM-scoped external key manager reaches its key servers through the storage VM's own network interfaces, so the storage VM needs a route to those servers. Add the (optional) gateway when you configure the network interface for the storage VM. If the storage VM was created without that route, create the route explicitly before you configure the external key manager, otherwise the key servers are unreachable and the configuration fails. See Create a LIF (network interface).

Steps

You can configure an external key manager starting from different locations in System Manager.

  1. To configure an external key manager, perform one of the following starting steps, depending on the workflow you are in:

    Workflow: Configure Key Manager
    Navigation: Cluster > Settings
    Starting step: Scroll to the Security section. Under Encryption, select the settings icon. Select External Key Manager.

    Workflow: Add local tier
    Navigation: Storage > Tiers
    Starting step: Select + Add Local Tier. Check the check box labeled "Configure Key Manager". Select External Key Manager.

    Workflow: Prepare storage
    Navigation: Dashboard
    Starting step: In the Capacity section, select Prepare Storage. Then, select "Configure Key Manager". Select External Key Manager.

    Workflow: Configure encryption (key manager at storage VM scope only)
    Navigation: Storage > Storage VMs
    Starting step: Select the storage VM. Select the Settings tab. In the Encryption section under Security, select the settings icon.

  2. To add a primary key server, select +Add, and complete the IP Address or Host Name and Port fields. KMIP servers listen on port 5696 by default; use a different port only if your key server has been configured with one.

  3. Existing installed certificates are listed in the KMIP Server CA Certificates and KMIP Client Certificate fields. The server CA certificates are what the cluster uses to verify the key server's TLS certificate; the client certificate (with its private key) is how the cluster authenticates itself to the key server, so both must be in place before the connection can succeed. You can perform any of the following actions:

    • Select the pull-down arrow to choose installed certificates that you want to map to the key manager. (Multiple server CA certificates can be selected, but only one client certificate can be selected.)

    • Select Add New Certificate to add a certificate that has not already been installed and map it to the external key manager.

    • Select X next to the certificate name to remove installed certificates that you do not want to map to the external key manager.

  4. To add a secondary key server, select Add in the Secondary Key Servers column, and provide its details.

  5. Select Save to complete the configuration.

Edit an existing external key manager

If you have already configured an external key manager, you can modify its settings.

Steps
  1. To edit the configuration of an external key manager, perform one of the following starting steps, depending on the scope of the key manager:

    Scope: Cluster scope external key manager
    Navigation: Cluster > Settings
    Starting step: Scroll to the Security section. Under Encryption, select the kebab icon, then select Edit External Key Manager.

    Scope: Storage VM scope external key manager
    Navigation: Storage > Storage VMs
    Starting step: Select the storage VM. Select the Settings tab. In the Encryption section under Security, select the kebab icon, then select Edit External Key Manager.

  2. Existing key servers are listed in the Key Servers table. You can perform the following operations:

    • Add a new key server by selecting +Add.

    • Delete a key server by selecting the kebab icon at the end of the table cell that contains the name of the key server. The secondary key servers associated with that primary key server are also removed from the configuration, so check that at least one reachable primary key server remains.

Delete an external key manager

An external key manager can be deleted only if no volumes within its scope are encrypted. Encrypted volumes still depend on the keys it serves, so delete the key manager only after those volumes have been unencrypted or their keys have been migrated to another key manager.

Steps
  1. To delete an external key manager, perform one of the following starting steps, depending on the scope of the key manager:

    Scope: Cluster scope external key manager
    Navigation: Cluster > Settings
    Starting step: Scroll to the Security section. Under Encryption, select the kebab icon, then select Delete External Key Manager.

    Scope: Storage VM scope external key manager
    Navigation: Storage > Storage VMs
    Starting step: Select the storage VM. Select the Settings tab. In the Encryption section under Security, select the kebab icon, then select Delete External Key Manager.

Migrate keys among key managers

When a key manager at storage VM scope is configured while a cluster-level key manager already holds keys for encrypted volumes, those keys must be migrated from the cluster-level key manager to the new one. System Manager completes this migration automatically.

  • If the Onboard Key Manager or an external key manager is enabled at the cluster level, and some volumes on the storage VM are encrypted, then when you configure an external key manager at the storage VM level, the keys for those volumes are migrated from the cluster-level Onboard Key Manager or external key manager to the external key manager at the storage VM level. This process is completed automatically by System Manager.

  • If volumes were created without encryption on a storage VM, then keys do not need to be migrated.
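The scope rules, the key server limits, the certificate mapping from the configuration procedure above, and the migration rule in this section can all be checked before you touch the cluster. The following Python script is an added example, not NetApp's code or part of System Manager: it validates a planned external key manager registration against those rules, reports whether System Manager will migrate keys, and assembles the JSON body for the ONTAP REST endpoint. The endpoint path POST /api/security/key-managers and the field names external.servers[].server, external.client_certificate.uuid and external.server_ca_certificates[].uuid are assumptions from memory; verify them against the REST API reference for your ONTAP release. The sample cluster state and server list are constructed for the example, and the CLI equivalent of the registration step is security key-manager external enable.

```python
"""Pre-flight checks before registering an external (KMIP) key manager in ONTAP.

Added example, not NetApp code. It encodes the rules stated on this page
(scope exclusivity, server limits, certificate mapping, automatic key
migration) and builds a request body for POST /api/security/key-managers.
The endpoint path and the JSON field names are assumptions; confirm them in
the ONTAP REST API reference for your release before sending the body.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KMIP_DEFAULT_PORT = 5696          # IANA-registered port for KMIP over TLS
MAX_PRIMARY_SERVERS = 4           # per cluster or per storage VM
MAX_SECONDARY_PER_PRIMARY = 3


@dataclass
class KeyServer:
    host: str
    port: int = KMIP_DEFAULT_PORT
    secondaries: List[str] = field(default_factory=list)   # "host:port" strings

    def address(self) -> str:
        return f"{self.host}:{self.port}"


@dataclass
class ClusterState:
    """What is already configured. Build it from your own inventory, for
    example from the output of GET /api/security/key-managers (assumed path)."""
    onboard_enabled: bool = False
    cluster_external_enabled: bool = False
    encrypted_volumes: int = 0    # encrypted volumes inside the target scope


@dataclass
class Request:
    scope: str                    # "cluster" or "svm"
    svm: Optional[str]            # storage VM name, required for svm scope
    servers: List[KeyServer]      # primary key servers
    client_cert_uuid: str         # exactly one KMIP client certificate
    ca_cert_uuids: List[str]      # one or more KMIP server CA certificates


def parse_server(spec: str) -> KeyServer:
    """Parse 'host[:port]' (hostname or IPv4); a missing port means 5696."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return KeyServer(host=spec)
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad key server spec {spec!r}")
    return KeyServer(host=host, port=int(port))


def validate(state: ClusterState, req: Request) -> List[str]:
    """Return the rule violations for this request (empty list means OK)."""
    problems: List[str] = []
    if req.scope not in ("cluster", "svm"):
        problems.append(f"unknown scope {req.scope!r}")
    if req.scope == "svm" and not req.svm:
        problems.append("svm scope requires a storage VM name")
    if req.scope == "cluster" and state.onboard_enabled:
        problems.append("Onboard Key Manager is enabled: an external key manager "
                        "cannot be enabled at cluster scope (storage VM scope is allowed)")
    if not 1 <= len(req.servers) <= MAX_PRIMARY_SERVERS:
        problems.append(f"need 1 to {MAX_PRIMARY_SERVERS} primary key servers, "
                        f"got {len(req.servers)}")
    seen = set()
    for s in req.servers:
        if s.address() in seen:
            problems.append(f"duplicate primary key server {s.address()}")
        seen.add(s.address())
        if len(s.secondaries) > MAX_SECONDARY_PER_PRIMARY:
            problems.append(f"{s.address()} has {len(s.secondaries)} secondary "
                            f"servers; the limit is {MAX_SECONDARY_PER_PRIMARY}")
    if not req.client_cert_uuid:
        problems.append("a KMIP client certificate is required")
    if not req.ca_cert_uuids:
        problems.append("at least one KMIP server CA certificate is required")
    return problems


def will_migrate_keys(state: ClusterState, req: Request) -> bool:
    """True when System Manager will migrate keys from the cluster-level key
    manager to the new storage VM-level external key manager: a cluster-level
    manager exists and the storage VM already has encrypted volumes."""
    cluster_manager = state.onboard_enabled or state.cluster_external_enabled
    return bool(req.scope == "svm" and cluster_manager and state.encrypted_volumes > 0)


def build_body(req: Request) -> Dict:
    """Body for POST /api/security/key-managers (field names are assumed).
    Secondary key servers are deliberately left out: add them in the
    configuration step, because their REST field name is not assumed here."""
    body: Dict = {
        "external": {
            "servers": [{"server": s.address()} for s in req.servers],
            "client_certificate": {"uuid": req.client_cert_uuid},
            "server_ca_certificates": [{"uuid": u} for u in req.ca_cert_uuids],
        }
    }
    if req.scope == "svm":
        body["svm"] = {"name": req.svm}
    return body


if __name__ == "__main__":
    # Constructed sample: OKM is on at cluster level and svm1 has encrypted volumes.
    state = ClusterState(onboard_enabled=True, encrypted_volumes=3)
    req = Request(scope="svm", svm="svm1",
                  servers=[parse_server("kmip1.example.com"), parse_server("192.0.2.10:5697")],
                  client_cert_uuid="client-cert-uuid", ca_cert_uuids=["ca-uuid-1"])
    print("problems:", validate(state, req))
    print("keys will migrate:", will_migrate_keys(state, req))
    print("body:", build_body(req))
```

Run the script as-is to see the checks on the constructed sample; in practice, fill ClusterState from your own inventory and the certificate UUIDs from the certificates you installed in step 3. Because System Manager migrates keys automatically when will_migrate_keys returns True, that is the case to schedule in a maintenance window and to verify afterwards with security key-manager external show-status.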