Skip to main content

Return a FIPS drive or SED to unprotected mode

Contributors netapp-ahibbard netapp-aherbin

A FIPS drive or SED is protected from unauthorized access only if the authentication key ID for the node is set to a value other than the default. You can return a FIPS drive or SED to unprotected mode by using the storage encryption disk modify command to set the key ID to the default.

If an HA pair is using encrypting SAS or NVMe drives (SED, NSE, FIPS), you must follow this process for all drives within the HA pair prior to initializing the system (boot options 4 or 9). Failure to do this may result in future data loss if the drives are repurposed.

Before you begin

You must be a cluster administrator to perform this task.

Steps
  1. Set the privilege level to advanced:

    set -privilege advanced

  2. If a FIPS drive is running in FIPS-compliance mode, set the FIPS authentication key ID for the node back to the default MSID 0x0:

    storage encryption disk modify -disk disk_id -fips-key-id 0x0

    You can use the security key-manager query command to view key IDs.

    cluster1::> storage encryption disk modify -disk 2.10.11 -fips-key-id 0x0
    
    Info: Starting modify on 14 disks.
          View the status of the operation by using the
          storage encryption disk show-status command.

    Confirm the operation succeeded with the command:

    storage encryption disk show-status

    Repeat the show-status command until the numbers in “Disks Begun” and “Disks Done” are the same.

    cluster1:: storage encryption disk show-status
    
                FIPS    Latest   Start               Execution   Disks   Disks Disks
    Node        Support Request  Timestamp           Time (sec)  Begun   Done  Successful
    -------     ------- -------- ------------------  ---------- ------ ------  ----------
    cluster1    true    modify   1/18/2022 15:29:38    3           14     5         5
    1 entry was displayed.
  3. Set the data authentication key ID for the node back to the default MSID 0x0:

    storage encryption disk modify -disk disk_id -data-key-id 0x0

    The value of -data-key-id should be set to 0x0 whether you are returning a SAS or NVMe drive to unprotected mode.

    You can use the security key-manager query command to view key IDs.

    cluster1::> storage encryption disk modify -disk 2.10.11 -data-key-id 0x0
    
    Info: Starting modify on 14 disks.
          View the status of the operation by using the
          storage encryption disk show-status command.

    Confirm the operation succeeded with the command:

    storage encryption disk show-status

    Repeat the show-status command until the numbers are the same. The operation is complete when the numbers in “disks begun” and “disks done” are the same.

Maintenance mode

Beginning with ONTAP 9.7, you can rekey a FIPS drive from maintenance mode. You should only use maintenance mode if you cannot use the ONTAP CLI instructions in the earlier section.

Steps
  1. Set the FIPS authentication key ID for the node back to the default MSID 0x0:

    disk encrypt rekey_fips 0x0 disklist

  2. Set the data authentication key ID for the node back to the default MSID 0x0:

    disk encrypt rekey 0x0 disklist

  3. Confirm the FIPS authentication key was successfully rekeyed:

    disk encrypt show_fips

  4. Confirm data authentication key was successfully rekeyed with:

    disk encrypt show

    Your output will likely display either the default MSID 0x0 key ID or the 64-character value held by the key server. The Locked? field refers to data-locking.

Disk       FIPS Key ID                 Locked?
---------- --------------------------- -------
0a.01.0    0x0                          Yes