Manage keys with Azure Key Vault or Google Cloud KMS

Contributors netapp-ahibbard

Beginning in ONTAP 9.10.1, you can use Azure Key Vault (AKV) and Google Cloud Platform’s Key Management Service (Cloud KMS) to protect your ONTAP encryption keys in an Azure- or Google Cloud Platform-deployed application.

AKV and Cloud KMS can be used to protect NetApp Volume Encryption (NVE) keys only for data vservers.

Key management with AKV or Cloud KMS can be enabled with the CLI or the ONTAP REST API.

When using AKV or Cloud KMS, be aware that by default a data vserver LIF is used to communicate with the cloud key management endpoint, while the node management network is used to communicate with the cloud provider’s authentication services (login.microsoftonline.com for Azure; oauth2.googleapis.com for Cloud KMS). If the cluster network is not configured correctly for both paths, the cluster will not be able to use the key management service.

Prerequisites
  • The ONTAP cluster’s nodes must support NVE

  • Volume Encryption (VE) license installed

  • Multi-tenant Encryption Key Management (MTEKM) license installed

  • You must be a cluster or vserver administrator

Limitations
  • AKV and Cloud KMS are not available for NSE and NAE. External KMIPs can be used instead

  • AKV and Cloud KMS are not available for MetroCluster configurations.

  • AKV and Cloud KMS can only be configured on a data vserver

Enable external key management with the CLI

Enabling external key management depends on the specific key manager you use. If you are enabling AKV in Cloud Volumes ONTAP, note that there is a separate procedure. Choose the tab for the key manager and environment that suits your needs:

Azure for ONTAP
Enable Azure Key Vault for ONTAP
  1. Before you begin, you need to obtain the appropriate authentication credentials from your Azure account, either a client secret or certificate.
    You must also ensure all nodes in the cluster are healthy. You can check this with the command cluster show.

  2. Set the privilege level to advanced
    set -priv advanced

  3. Enable AKV on the SVM
    security key-manager external azure enable -client-id client_id -tenant-id tenant_id -name key_vault_name -key-id key_id -authentication-method {certificate|client-secret}
    When prompted, enter either the client certificate or client secret from your Azure account.

  4. Verify AKV is enabled correctly:
    security key-manager external azure show -vserver vserver_name
    If the service reachability is not OK, establish connectivity to the AKV key management service via the data vserver LIF.

Azure for Cloud Volumes ONTAP
Enable Azure Key Vault for Cloud Volumes ONTAP
  1. Before you begin, you need to obtain the appropriate authentication credentials from your Azure account, either a client secret or certificate.
    You must also ensure all nodes in the cluster are healthy. You can check this with the command cluster show.

  2. Set the privilege level to advanced
    set -priv advanced

  3. Enable AKV on the SVM
    security key-manager external azure enable -client-id client_id -tenant-id tenant_id -name key_vault_name -key-id key_id -authentication-method {certificate|client-secret}
    When prompted, enter either the client certificate or client secret from your Azure account.

  4. Set up DNS for the data SVM:
    dns create -domains domain_name -name-servers server_address -vserver vserver_name

  5. Go to the Azure portal for the subscription that contains your key vault. Select the Access policies menu. Provide the application the key permissions, secret permissions, and certificate permissions and then save.

    [Image: Azure access policies menu showing the permissions fields that must be provided]
  6. Verify AKV is enabled correctly:
    security key-manager external azure show -vserver vserver_name
    If the service reachability is not OK, establish connectivity to the AKV key management service via the data vserver LIF.

Google Cloud for ONTAP
Enable Cloud KMS with the CLI for ONTAP
  1. Before you begin, you need to obtain the private key for the Google Cloud KMS service account as a key file in JSON format. This can be downloaded from your GCP account.
    You must also ensure all nodes in the cluster are healthy. You can check this with the command cluster show.

  2. Set the privilege level to advanced
    set -priv advanced

  3. Enable Cloud KMS on the SVM
    security key-manager external gcp enable -vserver data_svm_name -project-id project_id -key-ring-name key_ring_name -key-ring-location key_ring_location -key-name key_name
    When prompted, enter the contents of the JSON file containing the service account private key.

  4. Verify that Cloud KMS is configured with the correct parameters:
    security key-manager external gcp show -vserver vserver_name
    The status of kms_wrapped_key_status will be “UNKNOWN” if no encrypted volumes have been created yet.
    If the service reachability is not OK, establish connectivity to the GCP key management service via the data vserver LIF.
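
Both procedures above ask you to type cloud credentials and identifiers into a privileged ONTAP prompt, where a typo or a key file for the wrong project only surfaces later as a failed reachability or key status. The following Python script is an added pre-flight check, not NetApp code and not part of this page: it splits an Azure key identifier URL into the vault name needed for -name and the key name and version, confirms that the tenant and client IDs are GUIDs, and validates a Google service account JSON key file (required fields, service_account type, PEM-shaped private key, and that its project_id matches the -project-id you intend to pass). The vault DNS suffixes, the sample key ID and the sample JSON key file are constructed for this example; the private key body in it is a placeholder, not a real key.

```python
"""Pre-flight checks for AKV and Cloud KMS parameters before entering them at the
ONTAP CLI. Added example; not NetApp's code. Uses only the standard library."""
import json
import re
import uuid
from urllib.parse import urlparse

# Key Vault DNS suffixes: public cloud plus the China and US Government clouds.
# Assumption: these are the only suffixes a deployment will use.
AZURE_VAULT_SUFFIXES = (".vault.azure.net", ".vault.azure.cn", ".vault.usgovcloudapi.net")

# Fields a Google service account key file must carry to be usable.
GCP_REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email")

# A PKCS#8 PEM block: header, one or more base64 lines, footer.
PEM_RE = re.compile(
    r"^-----BEGIN PRIVATE KEY-----\n(?:[A-Za-z0-9+/=]+\n)+-----END PRIVATE KEY-----\n?$"
)


def is_guid(value: str) -> bool:
    """Azure tenant IDs and client (application) IDs are canonical GUIDs."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def parse_azure_key_id(key_id: str) -> dict:
    """Split https://<vault>.vault.azure.net/keys/<key-name>/<version> into parts.

    The vault name is what -name expects; the full URL is what -key-id expects.
    Raises ValueError on anything that does not look like a Key Vault key URL.
    """
    url = urlparse(key_id)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("key id must be an https URL")
    suffix = next((s for s in AZURE_VAULT_SUFFIXES if url.hostname.endswith(s)), None)
    if suffix is None:
        raise ValueError(f"unexpected Key Vault host: {url.hostname}")
    parts = [p for p in url.path.split("/") if p]
    if len(parts) != 3 or parts[0] != "keys":
        raise ValueError("path must be /keys/<key-name>/<version>")
    return {"vault": url.hostname[: -len(suffix)], "key_name": parts[1], "version": parts[2]}


def validate_gcp_key_file(raw_json: str, expected_project_id: str) -> list:
    """Return a list of problems found in a service account key file (empty = OK)."""
    problems = []
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    for field in GCP_REQUIRED_FIELDS:
        if not data.get(field):
            problems.append(f"missing field: {field}")
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, expected 'service_account'")
    # The -project-id argument must name the project that owns the key ring
    # the service account is meant to use; a mismatch is the usual copy-paste error.
    if data.get("project_id") and data["project_id"] != expected_project_id:
        problems.append(
            f"project_id {data['project_id']!r} differs from -project-id {expected_project_id!r}"
        )
    if data.get("private_key") and not PEM_RE.match(data["private_key"]):
        problems.append("private_key is not a PKCS#8 PEM block")
    return problems


# Constructed sample inputs (placeholder values, not real credentials).
SAMPLE_KEY_ID = "https://contoso-kv.vault.azure.net/keys/ontap-nve/1a2b3c4d5e6f"
SAMPLE_GCP_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nAAAA\nBBBB\n-----END PRIVATE KEY-----\n",
    "client_email": "ontap-kms@example-project.iam.gserviceaccount.com",
})


if __name__ == "__main__":
    akv = parse_azure_key_id(SAMPLE_KEY_ID)
    print(f"-name {akv['vault']}  (key {akv['key_name']} version {akv['version']})")
    print("tenant id GUID ok:", is_guid("12345678-1234-1234-1234-123456789abc"))
    for project in ("example-project", "other-project"):
        print(project, "->", validate_gcp_key_file(SAMPLE_GCP_KEY, project) or "OK")
```

Run it before step 3 of either procedure; the script never prints the private key, so its output is safe to keep in a change ticket. It does not test network reachability, which depends on the cluster’s own LIFs and DNS rather than on the host where you run the check.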

If one or more encrypted volumes is already configured for a data vserver and the corresponding NVE keys are managed by the admin vserver onboard key manager, those keys should be migrated to the external key management service. To do this with the CLI, run:
security key-manager key migrate -from-Vserver admin_vserver -to-Vserver data_vserver
New encrypted volumes cannot be created for the tenant’s data vserver until all NVE keys of the data vserver are successfully migrated.