Restore onboard key management encryption keys in ONTAP
The procedure you follow to restore your onboard key management encryption keys varies based on your version of ONTAP.
- If you are using NSE with an external key management (KMIP) server, you must have deleted the external key manager database. For more information, see transition to onboard key management from external key management.
- You must be a cluster administrator to perform this task.

If you are using NSE on a system with a Flash Cache module, you should also enable NVE or NAE. NSE does not encrypt data that resides on the Flash Cache module.
ONTAP 9.6 and later
If you are running ONTAP 9.8 or later and your root volume is encrypted, follow the procedure for ONTAP 9.8 or later with encrypted root volume.

- Verify that the key needs to be restored:
  security key-manager key query -node node
- Restore the key:
  security key-manager onboard sync
  Learn more about security key-manager onboard sync in the ONTAP command reference.
  The following ONTAP 9.6 command synchronizes the keys in the onboard key hierarchy:
  cluster1::> security key-manager onboard sync
  Enter the cluster-wide passphrase for onboard key management in Vserver "cluster1":: <32..256 ASCII characters long text>
- At the passphrase prompt, enter the onboard key management passphrase for the cluster.
ONTAP 9.8 or later with encrypted root volume
If you are running ONTAP 9.8 and later, and your root volume is encrypted, you must set an onboard key management recovery passphrase with the boot menu. This process is also necessary if you do a boot media replacement.
- Boot the node to the boot menu and select option (10) Set onboard key management recovery secrets.
- Enter y to use this option.
- At the prompt, enter the onboard key management passphrase for the cluster.
- At the prompt, enter the backup key data.
  The node returns to the boot menu.
- From the boot menu, select option (1) Normal Boot.
ONTAP 9.5 and earlier
- Verify that the key needs to be restored:
  security key-manager key show
- If you are running ONTAP 9.8 and later, and your root volume is encrypted, complete these steps:
  If you are running ONTAP 9.6 or 9.7, or if you are running ONTAP 9.8 or later and your root volume is not encrypted, skip this step.
- Restore the key:
  security key-manager setup -node node
  Learn more about security key-manager setup in the ONTAP command reference.
- At the passphrase prompt, enter the onboard key management passphrase for the cluster.