
Restore onboard key management encryption keys in ONTAP

Contributors netapp-ahibbard netapp-barbe netapp-aherbin netapp-aaron-holt netapp-bhouser netapp-forry netapp-thomi

Occasionally, you may need to restore an onboard key management encryption key. Once you have verified that a key needs to be restored, you can use the Onboard Key Manager to restore it. The procedure you follow to restore your onboard key management encryption keys depends on your version of ONTAP.

Before you begin
Note: If you are using NSE (NetApp Storage Encryption) on a system with a Flash Cache module, you should also enable NVE (NetApp Volume Encryption) or NAE (NetApp Aggregate Encryption). NSE does not encrypt data that resides on the Flash Cache module, so without volume- or aggregate-level encryption, cached data is stored there in the clear.

ONTAP 9.6 and later

Important: If you are running ONTAP 9.8 or later and your root volume is encrypted, follow the procedure for ONTAP 9.8 or later with encrypted root volume.
  1. Verify that the key needs to be restored:
    security key-manager key query -node node

    Learn more about security key-manager key query in the ONTAP command reference.

  2. Restore the key:
    security key-manager onboard sync

    Learn more about security key-manager onboard sync in the ONTAP command reference.

  3. At the passphrase prompt, enter the onboard key management passphrase for the cluster.
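The following added example (not NetApp's code, and not part of this page) automates step 1 for the ONTAP 9.6 and later procedure: it scans the output of security key-manager key query and reports any key whose Restored column is not true, so an operator can decide whether security key-manager onboard sync is required. The column layout it parses is an assumption modelled on the query output; check it against your own ONTAP version, and the embedded sample output, host name and key tags are constructed placeholders.

```shell
#!/bin/sh
# Added example: find keys reported as not restored in
# "security key-manager key query" output (assumed layout: a header row,
# a dashed separator row, then one row per key whose last column is Restored).

# Constructed sample output; NOT captured from a real cluster.
SAMPLE_QUERY_OUTPUT='       Vserver: cluster1
   Key Manager: onboard
          Node: node1

Key Tag                  Key Type Restored
------------------------ -------- --------
CONSTRUCTED-KEY-TAG-1    NSE-AK   true
CONSTRUCTED-KEY-TAG-2    SVM-KEK  false
'

# Read query output on stdin; print the key tag of every row whose
# Restored column is not "true".
unrestored_keys() {
    awk '
        /^-+ /            { in_table = 1; next }   # separator row starts the table body
        /^$/              { in_table = 0 }         # blank line ends it
        in_table && NF >= 3 {
            if (tolower($NF) != "true") print $1   # $1 = Key Tag, $NF = Restored
        }
    '
}

# Print unrestored key tags and return 0 when a sync is needed, 1 otherwise.
needs_onboard_sync() {
    tags=$(unrestored_keys)
    if [ -n "$tags" ]; then
        printf '%s\n' "$tags"
        return 0
    fi
    return 1
}

# Real use (host and node are placeholders): query the cluster over SSH, then
# run the restore step yourself; onboard sync prompts for the cluster passphrase.
#   ssh admin@<cluster-mgmt-ip> "security key-manager key query -node <node>" \
#     | needs_onboard_sync \
#     && echo "Unrestored keys found: run 'security key-manager onboard sync'"

# Stand-alone demonstration on the constructed sample.
printf '%s' "$SAMPLE_QUERY_OUTPUT" | needs_onboard_sync \
    && echo "sync needed" || echo "all keys restored"
```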

ONTAP 9.8 or later with encrypted root volume

If you are running ONTAP 9.8 or later and your root volume is encrypted, you must set an onboard key management recovery passphrase from the boot menu. This process is also necessary after a boot media replacement.

  1. Boot the node to the boot menu and select option (10) Set onboard key management recovery secrets.

  2. Enter y to use this option.

  3. At the prompt, enter the onboard key management passphrase for the cluster.

  4. At the prompt, enter the backup key data.

    After you enter the backup key data, the node returns to the boot menu.

  5. From the boot menu, select option (1) Normal Boot.

ONTAP 9.5 and earlier

  1. Verify that the key needs to be restored:
    security key-manager key show

  2. Restore the key:
    security key-manager setup -node node

    Learn more about security key-manager setup in the ONTAP command reference.

  3. At the passphrase prompt, enter the onboard key management passphrase for the cluster.