Restore onboard key management encryption keys

Occasionally, you may need to restore an onboard key management encryption key. After you have verified that a key needs to be restored, you can set up the Onboard Key Manager to restore the key.

  • You must be a cluster administrator to perform this task.

About this task

In ONTAP 9.6 and later, you can use the security key-manager key query -node node command to verify whether your key needs to be restored.

In ONTAP 9.5 and earlier, you can use the security key-manager key show command to verify whether your key needs to be restored.

Steps
  1. If you are running ONTAP 9.8 and later, and your root volume is encrypted, do the following:

    If you are running ONTAP 9.7 or earlier, or if you are running ONTAP 9.8 or later and your root volume is not encrypted, skip this step.

    1. Boot the node to the boot menu and select option (10) Set onboard key management recovery secrets.

    2. Enter y to use this option.

    3. At the prompt, enter the onboard key management passphrase for the cluster.

    4. At the prompt, enter the backup key data.

      The node returns to the boot menu.

    5. From the boot menu, select option (1) Normal Boot.

  2. Restore the key:

    For this ONTAP version…          Use this command…
    ONTAP 9.6 and later              security key-manager onboard sync
    ONTAP 9.5 and earlier            security key-manager setup -node node

    For complete command syntax, see the man pages.

    The following ONTAP 9.6 command synchronizes the keys in the onboard key hierarchy:

    cluster1::> security key-manager onboard sync
    
    Enter the cluster-wide passphrase for onboard key management in Vserver "cluster1"::    <32..256 ASCII characters long text>

  3. At the passphrase prompt, enter the onboard key management passphrase for the cluster.
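The version-dependent branching in the steps above (boot-menu recovery secrets only for ONTAP 9.8 and later with an encrypted root volume; onboard sync for 9.6 and later, setup -node for 9.5 and earlier) is easy to get wrong when comparing version strings lexically, because "9.10" sorts before "9.6" as text. The following shell helper is an added example, not part of the NetApp documentation or of ONTAP itself: it compares ONTAP versions numerically field by field and prints the restore plan for a given version and root-volume state. It never contacts a cluster; the version strings and the <node> placeholder are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not NetApp code): choose the onboard key management restore
# steps from this page for a given ONTAP version. Assumes version strings of
# the form "9.6" or "9.10.1"; only major.minor is compared.

# ontap_version_ge A B: succeed (exit 0) when version A >= version B.
# Compares major and minor numerically so that "9.10" is greater than "9.6".
ontap_version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; [ "$a_rest" = "$1" ] && a_rest=0
    b_major=${2%%.*}; b_rest=${2#*.}; [ "$b_rest" = "$2" ] && b_rest=0
    a_minor=${a_rest%%.*}; b_minor=${b_rest%%.*}
    if [ "$a_major" -ne "$b_major" ]; then
        [ "$a_major" -gt "$b_major" ]
    else
        [ "$a_minor" -ge "$b_minor" ]
    fi
}

# restore_plan VERSION ROOT_ENCRYPTED(yes|no): print the steps from the
# procedure, one per line, in the order an administrator would perform them.
# "<node>" is a placeholder for the node name given to -node.
restore_plan() {
    version=$1; root_encrypted=$2
    # Step 1 applies only to ONTAP 9.8+ with an encrypted root volume.
    if ontap_version_ge "$version" "9.8" && [ "$root_encrypted" = "yes" ]; then
        echo "boot-menu: option (10) Set onboard key management recovery secrets, then option (1) Normal Boot"
    fi
    # Step 2: the verify and restore commands differ at the 9.6 boundary.
    if ontap_version_ge "$version" "9.6"; then
        echo "verify: security key-manager key query -node <node>"
        echo "restore: security key-manager onboard sync"
    else
        echo "verify: security key-manager key show"
        echo "restore: security key-manager setup -node <node>"
    fi
}

# Usage: restore_plan 9.10.1 yes
restore_plan "${1:-9.6}" "${2:-no}"
```

Run it as `sh restore_plan.sh 9.10.1 yes` to see the three-line plan including the boot-menu step; `sh restore_plan.sh 9.5 yes` correctly omits that step, since it does not apply before ONTAP 9.8.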