Migrate ONTAP data encryption keys between key managers

Contributors netapp-aherbin

You can manage your data encryption keys using either the ONTAP onboard key manager or an external key manager (or both). At the storage VM (SVM) level, only an external key manager can be enabled. At the ONTAP cluster level, you can enable either the onboard key manager or an external key manager.

  If you enable your key manager at the...   You can use...
  ----------------------------------------   --------------------------------------------------------
  Cluster level only                         Either the onboard key manager or an external key manager
  SVM level only                             An external key manager only
  Both the cluster and SVM level             One of the following key manager combinations:
                                               • Option 1: cluster level: onboard key manager;
                                                 SVM level: external key manager
                                               • Option 2: cluster level: external key manager;
                                                 SVM level: external key manager

Migrate keys between key managers at the ONTAP cluster level

Beginning in ONTAP 9.16.1, you can use the ONTAP command line interface (CLI) to migrate keys between key managers at the cluster level.

From onboard key manager to external key manager
Steps
  1. Set the privilege level to advanced:

    set -privilege advanced
  2. Create an inactive external key manager configuration:

    security key-manager external create-config
  3. Switch to the external key manager:

    security key-manager keystore enable -vserver <svm_name> -type KMIP
  4. Delete the onboard key manager configuration:

    security key-manager keystore delete-config -vserver <svm_name> -type OKM
  5. Set the privilege level to admin:

    set -privilege admin

From external key manager to onboard key manager
Steps
  1. Set the privilege level to advanced:

    set -privilege advanced
  2. Create an inactive onboard key manager configuration:

    security key-manager onboard create-config
  3. Enable the onboard key manager configuration:

    security key-manager keystore enable -vserver <svm_name> -type OKM
  4. Delete the external key manager configuration:

    security key-manager keystore delete-config -vserver <svm_name> -type KMIP
  5. Set the privilege level to admin:

    set -privilege admin

Migrate keys between key managers across ONTAP cluster and storage VM levels

You can use the ONTAP command line interface (CLI) to migrate keys between the key manager at the cluster level and a key manager at the storage VM level.

Steps
  1. Set the privilege level to advanced:

    set -privilege advanced
  2. Migrate the keys:

    security key-manager key migrate -from-vserver <svm_name> -to-vserver <svm_name>
  3. Set the privilege level to admin:

    set -privilege admin
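As an added dry-run planner (not part of this page or of ONTAP), the script below encodes the supported cluster/SVM combination table and assembles the CLI command sequences for the cluster-level and cross-level migrations above, keeping the step order that enables the new key manager before the old configuration is deleted. It never contacts a cluster; the vserver names it is called with are assumed placeholders.

```python
# Dry-run planner for the ONTAP key-manager migrations described on this page.
# It validates a target configuration against the supported combinations table
# and emits the documented CLI commands in order. Nothing is sent to a cluster.

OKM, KMIP = "OKM", "KMIP"          # -type values used by security key-manager
CREATE_CONFIG = {                  # step 2: build the inactive target config
    KMIP: "security key-manager external create-config",
    OKM: "security key-manager onboard create-config",
}

def is_supported(cluster, svm):
    """True if (cluster-level, SVM-level) key-manager types match the table."""
    if cluster is None and svm is None:
        return False                         # no key manager enabled at all
    if cluster not in (None, OKM, KMIP):     # cluster level: onboard or external
        return False
    return svm in (None, KMIP)               # SVM level: external only

def plan_cluster_migration(vserver, current, target):
    """Command sequence to move cluster-level keys from `current` to `target`."""
    if {current, target} != {OKM, KMIP}:
        raise ValueError(f"migration must be OKM<->KMIP, got {current!r} -> {target!r}")
    return [
        "set -privilege advanced",
        CREATE_CONFIG[target],
        f"security key-manager keystore enable -vserver {vserver} -type {target}",
        # The old configuration is removed only after the new one is active,
        # so the keys are never left without an enabled key manager.
        f"security key-manager keystore delete-config -vserver {vserver} -type {current}",
        "set -privilege admin",
    ]

def plan_cross_level_migration(from_vserver, to_vserver):
    """Command sequence to move keys between cluster- and SVM-level managers."""
    if from_vserver == to_vserver:
        raise ValueError("source and destination SVM must differ")
    return [
        "set -privilege advanced",
        f"security key-manager key migrate -from-vserver {from_vserver} -to-vserver {to_vserver}",
        "set -privilege admin",
    ]

if __name__ == "__main__":
    # "cluster1" is a constructed placeholder for the cluster admin SVM name
    for cmd in plan_cluster_migration("cluster1", OKM, KMIP):
        print(cmd)
```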