Remove an external key manager connection


You can disconnect a KMIP server from a node when you no longer need the server. For example, you might disconnect a KMIP server when you are transitioning to volume encryption.

What you’ll need

You must be a cluster or SVM administrator to perform this task.

About this task

When you disconnect a KMIP server from one node in an HA pair, the system automatically disconnects the server from all cluster nodes.


If you plan to continue using external key management after disconnecting a KMIP server, make sure another KMIP server is available to serve authentication keys.

  1. Disconnect a KMIP server from the current node:

    For this ONTAP version, use this command:

    ONTAP 9.6 and later:
        security key-manager external remove-servers -vserver SVM -key-servers host_name|IP_address:port,…

    ONTAP 9.5 and earlier:
        security key-manager delete -address key_management_server_ipaddress

    For complete command syntax, see the man pages.

    The following ONTAP 9.6 command disables the connections to two external key management servers for cluster1, the first named ks1, listening on the default port 5696, the second with the IP address, listening on port 24482:

    cluster1::> security key-manager external remove-servers -vserver cluster-1 -key-servers ks1,
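
A pre-check for the note above about keeping another KMIP server available, written as an added example (not NetApp code): it builds the ONTAP 9.6 `remove-servers` command line and refuses to do so if no key server would remain. The function names, the operator-supplied list of configured servers, and the sample hosts and address are assumptions constructed for illustration.

```python
DEFAULT_KMIP_PORT = 5696  # default KMIP port named on this page


def normalize(server):
    """Return (host, port) for 'host' or 'host:port' (hostname or IPv4 only)."""
    host, sep, port = server.strip().partition(":")
    if not host or ":" in port:
        raise ValueError(f"unsupported server spec: {server!r}")
    port = int(port) if sep else DEFAULT_KMIP_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {server!r}")
    return host.lower(), port


def plan_removal(vserver, configured, to_remove, keep_external=True):
    """Build the ONTAP 9.6+ remove-servers command, or raise if it is unsafe.

    configured: key servers currently attached (supplied by the operator).
    keep_external: True if external key management stays in use afterwards.
    """
    current = {normalize(s) for s in configured}
    doomed = []
    for spec in to_remove:
        key = normalize(spec)
        if key not in current:
            raise ValueError(f"{spec!r} is not a configured key server")
        if key not in doomed:  # ignore duplicates, keep the given order
            doomed.append(key)
    remaining = sorted(current - set(doomed))
    if keep_external and not remaining:
        raise RuntimeError("removal would leave no KMIP server to serve keys")
    servers = ",".join(f"{host}:{port}" for host, port in doomed)
    command = ("security key-manager external remove-servers "
               f"-vserver {vserver} -key-servers {servers}")
    return command, remaining


if __name__ == "__main__":
    # Constructed inventory: ks1 on the default port, plus two assumed servers.
    configured = ["ks1", "ks2.example.com:5696", "192.0.2.20:24482"]
    command, remaining = plan_removal(
        "cluster-1", configured, ["ks1:5696", "192.0.2.20:24482"])
    print(command)
    print("still serving keys:", remaining)
```

Pass `keep_external=False` only when external key management is being retired entirely, since that is the one case where an empty remaining list is acceptable.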