Transition to external key management from onboard key management in ONTAP

06/05/2025 Contributors

PDFs

If you want to switch to external key management from onboard key management, you must delete the onboard key management configuration before you can enable external key management.

Before you begin

For hardware-based encryption, you must reset the data keys of all FIPS drives or SEDs to the default value.

Returning a FIPS drive or SED to unprotected mode
For software-based encryption, you must unencrypt all volumes.

Unencrypting volume data
You must be a cluster administrator to perform this task.

Step

Delete the onboard key management configuration for a cluster:

For this ONTAP version…	Use this command…
ONTAP 9.6 and later	`security key-manager onboard disable -vserver SVM`
ONTAP 9.5 and earlier	`security key-manager delete-key-database`

For this ONTAP version…

Use this command…

ONTAP 9.6 and later

security key-manager onboard disable -vserver SVM

ONTAP 9.5 and earlier

security key-manager delete-key-database

Learn more about security key-manager onboard disable and security key-manager delete-key-database in the ONTAP command reference.

Transition to external key management from onboard key management in ONTAP

Creating your file...