Return a FIPS drive or SED to service using ONTAP when authentication keys are lost
The system treats a FIPS drive or SED as broken if you lose the authentication keys for it permanently and cannot retrieve them from the KMIP server. Although you cannot access or recover the data on the disk, you can take steps to make the SED's unused space available again for data.
You must be a cluster administrator to perform this task.
You should use this process only if you are certain that the authentication keys for the FIPS drive or SED are permanently lost and that you cannot recover them.
If the disks are partitioned, they must first be unpartitioned before you can start this process.
The command to unpartition a disk is only available at the diag level and should be performed only under NetApp Support supervision. It is highly recommended that you contact NetApp Support before you proceed. You can also refer to the Knowledge Base article How to unpartition a spare drive in ONTAP. |
-
Return a FIPS drive or SED to service:
If the SEDS are…
Use these steps…
Not in FIPS-compliance mode, or in FIPS-compliance mode and the FIPS key is available
-
Set the privilege level to advanced:
set -privilege advanced
-
Reset the FIPS key to the default manufacture secure ID 0x0:
storage encryption disk modify -fips-key-id 0x0 -disk disk_id
-
Verify the operation succeeded:
storage encryption disk show-status
If the operation failed, use the PSID process in this topic. -
Sanitize the broken disk:
storage encryption disk sanitize -disk disk_id
Verify the operation succeeded with the commandstorage encryption disk show-status
before proceeding to the next step. -
Unfail the sanitized disk:
storage disk unfail -spare true -disk disk_id
-
Check whether the disk has an owner:
storage disk show -disk disk_id
If the disk does not have an owner, assign one.
storage disk assign -owner node -disk disk_id
-
Enter the nodeshell for the node that owns the disks you want to sanitize:
system node run -node node_name
Run the
disk sanitize release
command.
-
-
Exit the nodeshell. Unfail the disk again:
storage disk unfail -spare true -disk disk_id
-
Verify that the disk is now a spare and ready to be reused in an aggregate:
storage disk show -disk disk_id
In FIPS-compliance mode, the FIPS key is not available, and the SEDs have a PSID printed on the label
-
Obtain the PSID of the disk from the disk label.
-
Set the privilege level to advanced:
set -privilege advanced
-
Reset the disk to its factory-configured settings:
storage encryption disk revert-to-original-state -disk disk_id -psid disk_physical_secure_id
Verify the operation succeeded with the commandstorage encryption disk show-status
before proceeding to the next step. -
If you are running ONTAP 9.8P5 or earlier, skip to the next step. If you are running ONTAP 9.8P6 or later, unfail the sanitized disk.
storage disk unfail -disk disk_id
-
Check whether the disk has an owner:
storage disk show -disk disk_id
If the disk does not have an owner, assign one.
storage disk assign -owner node -disk disk_id
-
Enter the nodeshell for the node that owns the disks you want to sanitize:
system node run -node node_name
Run the
disk sanitize release
command.
-
-
Exit the nodeshell.. Unfail the disk again:
storage disk unfail -spare true -disk disk_id
-
Verify that the disk is now a spare and ready to be reused in an aggregate:
storage disk show -disk disk_id
-
Learn more about the commands described in this procedure in the ONTAP command reference.