Skip to main content
简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。

恢复加密- AFF A1K

贡献者

恢复替代启动介质上的加密。

您必须使用在启动介质更换过程开始时捕获的设置完成特定于已启用板载密钥管理器(OKM)、NetApp存储加密(NSE)或NetApp卷加密(NVE)的系统的步骤。

根据系统上配置的密钥管理器、选择以下选项之一、从启动菜单中将其还原。

选项1:还原板载密钥管理器配置

从ONTAP启动菜单还原板载密钥管理器(OKM)配置。

开始之前
步骤
  1. 将控制台缆线连接到目标控制器。

  2. 从ONTAP启动菜单中、从启动菜单中选择适当的选项。

    ONTAP 版本 选择此选项

    ONTAP 9.8 或更高版本

    选择选项10。

    显示启动菜单示例
    Please choose one of the following:
    
    (1)  Normal Boot.
    (2)  Boot without /etc/rc.
    (3)  Change password.
    (4)  Clean configuration and initialize all disks.
    (5)  Maintenance mode boot.
    (6)  Update flash from backup config.
    (7)  Install new software first.
    (8)  Reboot node.
    (9)  Configure Advanced Drive Partitioning.
    (10) Set Onboard Key Manager recovery secrets.
    (11) Configure node for external key management.
    Selection (1-11)? 10

    ONTAP 9 7及更早版本

    选择隐藏选项 recover_onboard_keymanager

    显示启动菜单示例
    Please choose one of the following:
    
    (1)  Normal Boot.
    (2)  Boot without /etc/rc.
    (3)  Change password.
    (4)  Clean configuration and initialize all disks.
    (5)  Maintenance mode boot.
    (6)  Update flash from backup config.
    (7)  Install new software first.
    (8)  Reboot node.
    (9)  Configure Advanced Drive Partitioning.
    Selection (1-19)? recover_onboard_keymanager
  3. 确认您要继续恢复过程。

    显示示例提示符

    This option must be used only in disaster recovery procedures. Are you sure? (y or n):

  4. 输入集群范围的密码短语两次。

    输入密码短语时、控制台不会显示任何输入。

    显示示例提示符

    Enter the passphrase for onboard key management:

    Enter the passphrase again to confirm:

  5. 输入备份信息。

    1. 将整个内容从开始备份行粘贴到结束备份行。

      显示示例提示符
      Enter the backup data:
      
      --------------------------BEGIN BACKUP--------------------------
      0123456789012345678901234567890123456789012345678901234567890123
      1234567890123456789012345678901234567890123456789012345678901234
      2345678901234567890123456789012345678901234567890123456789012345
      3456789012345678901234567890123456789012345678901234567890123456
      4567890123456789012345678901234567890123456789012345678901234567
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      0123456789012345678901234567890123456789012345678901234567890123
      1234567890123456789012345678901234567890123456789012345678901234
      2345678901234567890123456789012345678901234567890123456789012345
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      
      ---------------------------END BACKUP---------------------------
    2. 在输入末尾按两次回车键。

      恢复过程完成。

      显示示例提示符
      Trying to recover keymanager secrets....
      Setting recovery material for the onboard key manager
      Recovery secrets set successfully
      Trying to delete any existing km_onboard.wkeydb file.
      
      Successfully recovered keymanager secrets.
      
      ***********************************************************************************
      * Select option "(1) Normal Boot." to complete recovery process.
      *
      * Run the "security key-manager onboard sync" command to synchronize the key database after the node reboots.
      ***********************************************************************************
    警告 如果显示的输出不是,请勿继续 Successfully recovered keymanager secrets。执行故障排除以更正错误。
  6. 从启动菜单中选择选项1以继续启动至ONTAP。

    显示示例提示符
    ***********************************************************************************
    * Select option "(1) Normal Boot." to complete the recovery process.
    *
    ***********************************************************************************
    
    
    (1)  Normal Boot.
    (2)  Boot without /etc/rc.
    (3)  Change password.
    (4)  Clean configuration and initialize all disks.
    (5)  Maintenance mode boot.
    (6)  Update flash from backup config.
    (7)  Install new software first.
    (8)  Reboot node.
    (9)  Configure Advanced Drive Partitioning.
    (10) Set Onboard Key Manager recovery secrets.
    (11) Configure node for external key management.
    Selection (1-11)? 1
  7. 确认控制器的控制台显示以下消息。

    Waiting for giveback…​(Press Ctrl-C to abort wait)

  8. 在配对节点上、输入以下命令以对配对控制器进行回指。

    storage failover giveback -fromnode local -only-cfo-aggregates true(英文)

  9. 在仅使用CFO聚合启动后、运行以下命令。

    security key-manager onboard sync

  10. 输入板载密钥管理器的集群范围密码短语。

    显示示例提示符
    Enter the cluster-wide passphrase for the Onboard Key Manager:
    
    All offline encrypted volumes will be brought online and the corresponding volume encryption keys (VEKs) will be restored automatically within 10 minutes. If any offline encrypted volumes are not brought online automatically, they can be brought online manually using the "volume online -vserver <vserver> -volume <volume_name>" command.
    备注 如果同步成功、则会返回集群提示符、而不会显示任何其他消息。如果同步失败、则会在返回集群提示符之前显示一条错误消息。更正错误并成功运行同步之前、请勿继续。
  11. 输入以下命令、确保所有密钥均已同步。

    security key-manager key query -restored false(英文)

    There are no entries matching your query.

    备注 在reved参数中筛选false时、不应显示任何结果。
  12. 输入以下命令、从配对节点进行节点回给。

    storage failover giveback -fromnode local

  13. 如果已禁用自动交还、请输入以下命令来还原自动交还。

    storage failover modify -node local -auto-giveback true

  14. 如果启用了AutoSupport、请输入以下命令来恢复自动创建案例。

    system node autosupport invoke -node * -type all -message MAINT=END

选项2:还原外部密钥管理器配置

从ONTAP启动菜单还原外部密钥管理器配置。

开始之前

要还原外部密钥管理器(External Key Manager、EKM)配置、您需要以下信息。

  • 另一个集群节点上的/cfcard/kmip/servers.cfg文件的副本或以下信息:

    • KMIP服务器地址。

    • KMIP端口。

  • 另一个集群节点或客户端证书中的文件副本 /cfcard/kmip/certs/client.crt

  • 从其他集群节点或客户端密钥获取的文件副本 /cfcard/kmip/certs/client.key

  • 另一个集群节点或KMIP服务器CA中的文件副本 /cfcard/kmip/certs/CA.pem

步骤
  1. 将控制台缆线连接到目标控制器。

  2. 从ONTAP启动菜单中选择选项11。

    显示启动菜单示例
    (1)  Normal Boot.
    (2)  Boot without /etc/rc.
    (3)  Change password.
    (4)  Clean configuration and initialize all disks.
    (5)  Maintenance mode boot.
    (6)  Update flash from backup config.
    (7)  Install new software first.
    (8)  Reboot node.
    (9)  Configure Advanced Drive Partitioning.
    (10) Set Onboard Key Manager recovery secrets.
    (11) Configure node for external key management.
    Selection (1-11)? 11
  3. 出现提示时、确认您已收集所需信息。

    显示示例提示符
    Do you have a copy of the /cfcard/kmip/certs/client.crt file? {y/n}
    Do you have a copy of the /cfcard/kmip/certs/client.key file? {y/n}
    Do you have a copy of the /cfcard/kmip/certs/CA.pem file? {y/n}
    Do you have a copy of the /cfcard/kmip/servers.cfg file? {y/n}
  4. 出现提示时、输入客户端和服务器信息。

    显示提示符
    Enter the client certificate (client.crt) file contents:
    Enter the client key (client.key) file contents:
    Enter the KMIP server CA(s) (CA.pem) file contents:
    Enter the server configuration (servers.cfg) file contents:
    显示示例
    Enter the client certificate (client.crt) file contents:
    -----BEGIN CERTIFICATE-----
    MIIDvjCCAqagAwIBAgICN3gwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQwwCgYDVQQHEwNTVkwxDzANBgNVBAoTBk5l
    MSUbQusvzAFs8G3P54GG32iIRvaCFnj2gQpCxciLJ0qB2foiBGx5XVQ/Mtk+rlap
    Pk4ECW/wqSOUXDYtJs1+RB+w0+SHx8mzxpbz3mXF/X/1PC3YOzVNCq5eieek62si
    Fp8=
    -----END CERTIFICATE-----
    
    Enter the client key (client.key) file contents:
    -----BEGIN RSA PRIVATE KEY-----
    <key_value>
    -----END RSA PRIVATE KEY-----
    
    Enter the KMIP server CA(s) (CA.pem) file contents:
    -----BEGIN CERTIFICATE-----
    MIIEizCCA3OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
    7yaumMQETNrpMfP+nQMd34y4AmseWYGM6qG0z37BRnYU0Wf2qDL61cQ3/jkm7Y94
    EQBKG1NY8dVyjphmYZv+
    -----END CERTIFICATE-----
    
    Enter the IP address for the KMIP server: 10.10.10.10
    Enter the port for the KMIP server [5696]:
    
    System is ready to utilize external key manager(s).
    Trying to recover keys from key servers....
    kmip_init: configuring ports
    Running command '/sbin/ifconfig e0M'
    ..
    ..
    kmip_init: cmd: ReleaseExtraBSDPort e0M

    输入客户端和服务器信息后、恢复过程将完成。

    显示示例
    System is ready to utilize external key manager(s).
    Trying to recover keys from key servers....
    [Aug 29 21:06:28]: 0x808806100: 0: DEBUG: kmip2::main: [initOpenssl]:460: Performing initialization of OpenSSL
    Successfully recovered keymanager secrets.
  5. 从启动菜单中选择选项1以继续启动至ONTAP。

    显示示例提示符
    ***********************************************************************************
    * Select option "(1) Normal Boot." to complete the recovery process.
    *
    ***********************************************************************************
    
    
    (1)  Normal Boot.
    (2)  Boot without /etc/rc.
    (3)  Change password.
    (4)  Clean configuration and initialize all disks.
    (5)  Maintenance mode boot.
    (6)  Update flash from backup config.
    (7)  Install new software first.
    (8)  Reboot node.
    (9)  Configure Advanced Drive Partitioning.
    (10) Set Onboard Key Manager recovery secrets.
    (11) Configure node for external key management.
    Selection (1-11)? 1
  6. 如果已禁用自动交还、请输入以下命令来还原自动交还。

    storage failover modify -node local -auto-giveback true

  7. 如果启用了AutoSupport、请输入以下命令来恢复自动创建案例。

    system node autosupport invoke -node * -type all -message MAINT=END