Manage external key managers with System Manager
Beginning with ONTAP 9.7, you can store and manage authentication and encryption keys with the Onboard Key Manager. Beginning with ONTAP 9.13.1, you can also use external key managers to store and manage these keys.
The Onboard Key Manager stores and manages keys in a secure database that is internal to the cluster. Its scope is the cluster. An external key manager stores and manages keys outside the cluster. Its scope can be the cluster or the storage VM. One or more external key managers can be used. The following conditions apply:
- If the Onboard Key Manager is enabled, an external key manager cannot be enabled at the cluster level, but it can be enabled at the storage VM level.
- If an external key manager is enabled at the cluster level, the Onboard Key Manager cannot be enabled.
When using external key managers, you can register up to four primary key servers per storage VM and cluster. Each primary key server can be clustered with up to three secondary key servers.
Configure an external key manager
To add an external key manager for a storage VM, you should add an optional gateway when you configure the network interface for the storage VM. If the storage VM was created without the network route, you will have to create the route explicitly for the external key manager. See Create a LIF (network interface).
You can configure an external key manager starting from different locations in System Manager.
- To configure an external key manager, perform one of the following starting steps.

  Workflow | Navigation | Starting step
  Configure Key Manager | Cluster > Settings | Scroll to the Security section. Under Encryption, select the menu icon. Select External Key Manager.
  Add local tier | Storage > Tiers | Select + Add Local Tier. Check the check box labeled "Configure Key Manager". Select External Key Manager.
  Prepare storage | Dashboard | In the Capacity section, select Prepare Storage. Then, select "Configure Key Manager". Select External Key Manager.
  Configure encryption (key manager at storage VM scope only) | Storage > Storage VMs | Select the storage VM. Select the Settings tab. In the Encryption section under Security, select the menu icon.

- To add a primary key server, select the add icon, and complete the IP Address or Host Name and Port fields.
- Existing installed certificates are listed in the KMIP Server CA Certificates and KMIP Client Certificate fields. You can perform any of the following actions:
  - Select the installed certificates that you want to map to the key manager. (Multiple server CA certificates can be selected, but only one client certificate can be selected.)
  - Select Add New Certificate to add a certificate that has not already been installed and map it to the external key manager.
  - Select the delete icon next to the certificate name to remove installed certificates that you do not want to map to the external key manager.
- To add a secondary key server, select Add in the Secondary Key Servers column, and provide its details.
- Select Save to complete the configuration.
Edit an existing external key manager
If you have already configured an external key manager, you can modify its settings.
- To edit the configuration of an external key manager, perform one of the following starting steps.

  Scope | Navigation | Starting step
  Cluster scope external key manager | Cluster > Settings | Scroll to the Security section. Under Encryption, select the menu icon, then select Edit External Key Manager.
  Storage VM scope external key manager | Storage > Storage VMs | Select the storage VM. Select the Settings tab. In the Encryption section under Security, select the menu icon, then select Edit External Key Manager.

- Existing key servers are listed in the Key Servers table. You can perform the following operations:
  - Add a new key server by selecting the add icon.
  - Delete a key server by selecting the delete icon at the end of the table cell that contains the name of the key server. The secondary key servers associated with that primary key server are also removed from the configuration.
Delete an external key manager
An external key manager can be deleted if the volumes are unencrypted.
- To delete an external key manager, perform one of the following starting steps.

  Scope | Navigation | Starting step
  Cluster scope external key manager | Cluster > Settings | Scroll to the Security section. Under Encryption, select the menu icon, then select Delete External Key Manager.
  Storage VM scope external key manager | Storage > Storage VMs | Select the storage VM. Select the Settings tab. In the Encryption section under Security, select the menu icon, then select Delete External Key Manager.
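The rules this page states (Onboard and cluster-scope external key managers are mutually exclusive, at most four primary key servers per scope with up to three secondaries each, one client certificate, and deleting a primary also drops its secondaries) can be checked before a change is made in System Manager. The following Python script is an added illustration, not NetApp or ONTAP code; the KeyServer and ExternalKeyManager classes, the default port 5696 and the sample host names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Limits stated in the System Manager documentation above.
MAX_PRIMARY_PER_SCOPE = 4       # primary key servers per storage VM and per cluster
MAX_SECONDARY_PER_PRIMARY = 3   # secondary key servers clustered with one primary


@dataclass
class KeyServer:
    host: str                    # IP address or host name
    port: int = 5696             # assumption: KMIP's registered default port
    secondaries: list = field(default_factory=list)


@dataclass
class ExternalKeyManager:
    scope: str                   # "cluster" or "svm"
    primaries: list              # KeyServer entries
    server_ca_certs: list        # names of the KMIP server CA certificates to map
    client_cert: str             # name of the single KMIP client certificate


def validate_plan(onboard_enabled: bool, managers: list) -> list:
    """Return the documented rules a planned configuration would break (empty list = OK)."""
    problems = []
    for km in managers:
        # Onboard and external key managers are mutually exclusive at cluster scope only.
        if km.scope == "cluster" and onboard_enabled:
            problems.append("cluster: Onboard Key Manager and cluster-scope external key manager cannot both be enabled")
        if len(km.primaries) > MAX_PRIMARY_PER_SCOPE:
            problems.append(f"{km.scope}: {len(km.primaries)} primary key servers exceeds {MAX_PRIMARY_PER_SCOPE}")
        for p in km.primaries:
            if len(p.secondaries) > MAX_SECONDARY_PER_PRIMARY:
                problems.append(f"{p.host}: {len(p.secondaries)} secondary key servers exceeds {MAX_SECONDARY_PER_PRIMARY}")
            if not 1 <= p.port <= 65535:
                problems.append(f"{p.host}: port {p.port} is not a valid TCP port")
        if not km.server_ca_certs:
            problems.append(f"{km.scope}: no KMIP server CA certificate mapped")
        if not km.client_cert:
            problems.append(f"{km.scope}: a KMIP client certificate is required")
    return problems


def delete_primary(km: ExternalKeyManager, host: str) -> ExternalKeyManager:
    """Remove a primary key server; its secondaries go with it, as System Manager does."""
    km.primaries = [p for p in km.primaries if p.host != host]
    return km
```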