简体中文版经机器翻译而成，仅供参考。如与英语版出现任何冲突，应以英语版为准。

还原加密—FAS2600

11/18/2025 贡献者

PDF

恢复替代启动介质上的加密。

根据您的密钥管理器类型，完成相应的步骤以恢复系统加密。如果您不确定您的系统使用哪个密钥管理器，请检查您在启动介质更换过程开始时捕获的设置。

板载密钥管理器（ OKM ）

从ONTAP启动菜单还原板载密钥管理器(OKM)配置。

开始之前

请确保您已准备好以下信息：

在输入集群范围的密码短语时 "启用车载密钥管理"
"板载密钥管理器的备份信息"
使用以下方式验证您是否拥有正确的密码短语和备份数据： "如何验证板载密钥管理备份和集群范围的密码短语"程序

步骤

关于受损控制器：

将游戏机连接线连接到故障控制器上。

从ONTAP启动菜单中，选择相应的选项：

ONTAP 版本选择此选项

ONTAP 版本	选择此选项
ONTAP 9.8 或更高版本	选择选项10。显示启动菜单示例 Please choose one of the following: (1) Normal Boot. (2) Boot without /etc/rc. (3) Change password. (4) Clean configuration and initialize all disks. (5) Maintenance mode boot. (6) Update flash from backup config. (7) Install new software first. (8) Reboot node. (9) Configure Advanced Drive Partitioning. (10) Set Onboard Key Manager recovery secrets. (11) Configure node for external key management. Selection (1-11)? 10
ONTAP 9 7及更早版本	选择隐藏选项 `recover_onboard_keymanager` 显示启动菜单示例 Please choose one of the following: (1) Normal Boot. (2) Boot without /etc/rc. (3) Change password. (4) Clean configuration and initialize all disks. (5) Maintenance mode boot. (6) Update flash from backup config. (7) Install new software first. (8) Reboot node. (9) Configure Advanced Drive Partitioning. Selection (1-19)? recover_onboard_keymanager

ONTAP 9.8 或更高版本

选择选项10。

显示启动菜单示例

Please choose one of the following:

(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 10

ONTAP 9 7及更早版本

选择隐藏选项 recover_onboard_keymanager

显示启动菜单示例

Please choose one of the following:

(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
Selection (1-19)? recover_onboard_keymanager

出现提示时，请确认您是否要继续恢复过程：

显示示例提示符

This option must be used only in disaster recovery procedures. Are you sure? (y or n):
输入集群范围的密码短语两次。

输入密码时，控制台不显示任何输入内容。

显示示例提示符

Enter the passphrase for onboard key management:

Enter the passphrase again to confirm:

请输入备份信息：

粘贴从 BEGIN BACKUP 行到 END BACKUP 行的所有内容，包括破折号。

显示示例提示符

Enter the backup data:

--------------------------BEGIN BACKUP--------------------------
0123456789012345678901234567890123456789012345678901234567890123
1234567890123456789012345678901234567890123456789012345678901234
2345678901234567890123456789012345678901234567890123456789012345
3456789012345678901234567890123456789012345678901234567890123456
4567890123456789012345678901234567890123456789012345678901234567
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0123456789012345678901234567890123456789012345678901234567890123
1234567890123456789012345678901234567890123456789012345678901234
2345678901234567890123456789012345678901234567890123456789012345
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

---------------------------END BACKUP---------------------------

输入内容结束后，按两次回车键。

恢复过程完成，并显示以下消息：

Successfully recovered keymanager secrets.

显示示例提示符

Trying to recover keymanager secrets....
Setting recovery material for the onboard key manager
Recovery secrets set successfully
Trying to delete any existing km_onboard.wkeydb file.

Successfully recovered keymanager secrets.

***********************************************************************************
* Select option "(1) Normal Boot." to complete recovery process.
*
* Run the "security key-manager onboard sync" command to synchronize the key database after the node reboots.
***********************************************************************************

如果显示的输出结果不是以下内容，请勿继续操作： Successfully recovered keymanager secrets 。进行故障排除以纠正错误。

选择选项 `1`从启动菜单继续启动进入ONTAP。

显示示例提示符

***********************************************************************************
* Select option "(1) Normal Boot." to complete the recovery process.
*
***********************************************************************************


(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 1

确认控制器控制台显示以下信息：

Waiting for giveback…(Press Ctrl-C to abort wait)

关于合作伙伴控制器：
归还受损控制器：

storage failover giveback -fromnode local -only-cfo-aggregates true

关于受损控制器：
仅使用 CFO 聚合启动后，同步密钥管理器：

security key-manager onboard sync

出现提示时，输入集群范围内的板载密钥管理器密码短语。

显示示例提示符

Enter the cluster-wide passphrase for the Onboard Key Manager:

All offline encrypted volumes will be brought online and the corresponding volume encryption keys (VEKs) will be restored automatically within 10 minutes. If any offline encrypted volumes are not brought online automatically, they can be brought online manually using the "volume online -vserver <vserver> -volume <volume_name>" command.

如果同步成功，则返回集群提示符，不包含其他消息。如果同步失败，则会在返回集群提示符之前显示错误消息。请勿继续操作，直到错误得到纠正且同步成功为止。

确认所有密钥均已同步：

security key-manager key query -restored false

该命令不应返回任何结果。如果出现任何结果，请重复同步命令，直到没有结果返回为止。

关于合作伙伴控制器：
归还受损控制器：

storage failover giveback -fromnode local
如果禁用了自动交还、则还原它：

storage failover modify -node local -auto-giveback true
如果启用了AutoSupport、则还原自动创建案例：

system node autosupport invoke -node * -type all -message MAINT=END

外部密钥管理器（ EKM ）

从ONTAP启动菜单还原外部密钥管理器配置。

开始之前

从另一个集群节点或备份中收集以下文件：

`/cfcard/kmip/servers.cfg`文件或 KMIP 服务器地址和端口
`/cfcard/kmip/certs/client.crt`文件（客户端证书）
`/cfcard/kmip/certs/client.key`文件（客户端密钥）
`/cfcard/kmip/certs/CA.pem`文件（KMIP 服务器 CA 证书）

步骤

关于受损控制器：

将游戏机连接线连接到故障控制器上。

选择选项 `11`从ONTAP启动菜单。

显示启动菜单示例

(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 11

出现提示时，请确认您已收集到所需信息：

显示示例提示符

Do you have a copy of the /cfcard/kmip/certs/client.crt file? {y/n}
Do you have a copy of the /cfcard/kmip/certs/client.key file? {y/n}
Do you have a copy of the /cfcard/kmip/certs/CA.pem file? {y/n}
Do you have a copy of the /cfcard/kmip/servers.cfg file? {y/n}

出现提示时，请输入客户端和服务器信息：

输入客户端证书（client.crt）文件的内容，包括 BEGIN 行和 END 行。
输入客户端密钥（client.key）文件的内容，包括 BEGIN 和 END 行。
输入 KMIP 服务器 CA(s) (CA.pem) 文件内容，包括 BEGIN 和 END 行。
请输入KMIP服务器IP地址。

输入 KMIP 服务器端口（按 Enter 键使用默认端口 5696）。

显示示例

Enter the client certificate (client.crt) file contents:
-----BEGIN CERTIFICATE-----
<certificate_value>
-----END CERTIFICATE-----

Enter the client key (client.key) file contents:
-----BEGIN RSA PRIVATE KEY-----
<key_value>
-----END RSA PRIVATE KEY-----

Enter the KMIP server CA(s) (CA.pem) file contents:
-----BEGIN CERTIFICATE-----
<certificate_value>
-----END CERTIFICATE-----

Enter the IP address for the KMIP server: 10.10.10.10
Enter the port for the KMIP server [5696]:

System is ready to utilize external key manager(s).
Trying to recover keys from key servers....
kmip_init: configuring ports
Running command '/sbin/ifconfig e0M'
..
..
kmip_init: cmd: ReleaseExtraBSDPort e0M

恢复过程完成，并显示以下消息：

Successfully recovered keymanager secrets.

显示示例

System is ready to utilize external key manager(s).
Trying to recover keys from key servers....
Performing initialization of OpenSSL
Successfully recovered keymanager secrets.

选择选项 `1`从启动菜单继续启动进入ONTAP。

显示示例提示符

***************************************************************************
* Select option "(1) Normal Boot." to complete the recovery process.
*
***************************************************************************

(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 1

如果禁用了自动交还、则还原它：

storage failover modify -node local -auto-giveback true
如果启用了AutoSupport、则还原自动创建案例：

system node autosupport invoke -node * -type all -message MAINT=END

还原加密—FAS2600

Creating your file...