Restore external key management encryption keys

Contributors netapp-ahibbard netapp-thomi

You can manually restore external key management encryption keys and push them to a different node. You might want to do this if you are restarting a node that was down temporarily when you created the keys for the cluster.

About this task

In ONTAP 9.6 and later, you can use the security key-manager key query -node node_name command to verify if your key needs to be restored.

In ONTAP 9.5 and earlier, you can use the security key-manager key show command to verify if your key needs to be restored.

Note If you are using NSE on a system with a Flash Cache module, you should also enable NVE or NAE. NSE does not encrypt data that resides on the Flash Cache module.

Before you begin

You must be a cluster or SVM administrator to perform this task.

Steps
  1. If you are running ONTAP 9.8 or later and your root volume is encrypted, do the following:

    If you are running ONTAP 9.7 or earlier, or if you are running ONTAP 9.8 or later and your root volume is not encrypted, skip this step.

    1. Set the bootargs:
      setenv kmip.init.ipaddr <ip-address>
      setenv kmip.init.netmask <netmask>
      setenv kmip.init.gateway <gateway>
      setenv kmip.init.interface e0M
      boot_ontap

    2. Boot the node to the boot menu and select option (11) Configure node for external key management.

    3. Follow the prompts to enter the management certificate.

      After all management certificate information is entered, the system returns to the boot menu.

    4. From the boot menu, select option (1) Normal Boot.

  2. Restore the key:

    For this ONTAP version, use this command:

    ONTAP 9.6 and later:
      security key-manager external restore -vserver SVM -node node -key-server host_name|IP_address:port -key-id key_id -key-tag key_tag

    ONTAP 9.5 and earlier:
      security key-manager restore -node node -address IP_address -key-id key_id -key-tag key_tag

    Note The node parameter defaults to all nodes. For complete command syntax, see the man pages. This command is not supported when onboard key management is enabled.

    The following ONTAP 9.6 command restores external key management authentication keys to all nodes in cluster1:

    cluster1::> security key-manager external restore
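As an added example (not NetApp's code and not taken from this page), the following Python turns the verification step and the restore step above into one check: it parses a `security key-manager key query` listing, reports every key whose Restored column is "no", and builds the ONTAP 9.6 and later restore command from the page for each such key. The listing layout and every value in it (node names, key server address, key tags, key IDs) are constructed here to resemble the query output and are assumptions, not real ONTAP output; run the generated commands only after comparing them against the man page for your release.

```python
import re

# Constructed sample listing shaped after the 9.6+ `security key-manager key query`
# output. The layout and all values (nodes, server, key IDs) are made up for this example.
SAMPLE_QUERY_OUTPUT = """\
       Vserver: cluster1
   Key Manager: external
          Node: node1

    Key Server: 10.0.0.10:5696

       Key Tag                              Key Type Restored
       ------------------------------------ -------- --------
       node1                                NSE-AK   yes
          Key ID: 00000000000000000200000000000100aaaa0000000000000000000000000000
       node1                                VEK      yes
          Key ID: 00000000000000000200000000000100bbbb0000000000000000000000000000

          Node: node2

    Key Server: 10.0.0.10:5696

       Key Tag                              Key Type Restored
       ------------------------------------ -------- --------
       node2                                NSE-AK   no
          Key ID: 00000000000000000200000000000100cccc0000000000000000000000000000
"""

# A key row is "<key tag> <key type> yes|no"; header and separator lines do not match.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(yes|no)$")


def parse_key_query(output):
    """Parse the listing into dicts with vserver, node, key_server, key_tag,
    key_type, key_id and restored (True when the Restored column says yes)."""
    rows = []
    vserver = node = server = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Vserver:"):
            vserver = line.split(":", 1)[1].strip()
        elif line.startswith("Node:"):
            node = line.split(":", 1)[1].strip()
        elif line.startswith("Key Server:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith("Key ID:") and rows:
            # The Key ID line belongs to the key row printed just before it.
            rows[-1]["key_id"] = line.split(":", 1)[1].strip()
        else:
            m = ROW_RE.match(line)
            if m and node and server:
                rows.append({
                    "vserver": vserver,
                    "node": node,
                    "key_server": server,
                    "key_tag": m.group(1),
                    "key_type": m.group(2),
                    "key_id": None,
                    "restored": m.group(3) == "yes",
                })
    return rows


def keys_needing_restore(output):
    """Rows whose Restored column is 'no', i.e. keys that must be restored on that node."""
    return [r for r in parse_key_query(output) if not r["restored"]]


def restore_commands(output):
    """Build the 9.6+ restore command from the page for each key not yet restored."""
    cmds = []
    for r in keys_needing_restore(output):
        cmds.append(
            f"security key-manager external restore -vserver {r['vserver']} "
            f"-node {r['node']} -key-server {r['key_server']} "
            f"-key-id {r['key_id']} -key-tag {r['key_tag']}"
        )
    return cmds


if __name__ == "__main__":
    for cmd in restore_commands(SAMPLE_QUERY_OUTPUT):
        print(cmd)
```

In the constructed sample only node2 has an unrestored key, so a single restore command is produced for it; a listing where every row reads "yes" produces no commands, which is the check that nothing needs restoring.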