Skip to main content
本繁體中文版使用機器翻譯,譯文僅供參考,若與英文版本牴觸,應以英文版本為準。

手動啟動復原後復原加密金鑰 - AFF A20、 AFF A30 和AFF A50

貢獻者 netapp-jsnyder netapp-lisa
PDF

在AFF A20、 AFF A30 或AFF A50 儲存系統中的替換啟動媒體上恢復加密,以確保持續的資料保護。替換過程包括驗證金鑰可用性、重新套用加密設定以及確認對資料的安全存取。

根據您的金鑰管理員類型,完成相應的步驟以恢復系統加密。如果您不確定您的系統使用哪個金鑰管理器,請檢查您在啟動媒體更換程序開始時所擷取的設定。

內建金鑰管理程式(OKM)

從 ONTAP 開機功能表還原內建金鑰管理程式( OKM )組態。

開始之前

請確保您已準備好以下資訊:

步驟

關於受損控制者:

  1. 將遊戲機連接線連接到故障控制器。

  2. 從ONTAP啟動選單中,選擇對應的選項:

    版本ONTAP 選取此選項

    部分9.8或更新版本ONTAP

    選擇選項 10 。

    顯示開機功能表範例 
    Please choose one of the following:

(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 10

    更新版本ONTAP

    選取隱藏選項 recover_onboard_keymanager

    顯示開機功能表範例 
    Please choose one of the following:

(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
Selection (1-19)? recover_onboard_keymanager

  3. 出現提示時,請確認您是否要繼續恢復過程:

    顯示範例提示

    This option must be used only in disaster recovery procedures. Are you sure? (y or n):

  4. 輸入叢集範圍的複雜密碼兩次。

    輸入密碼時,控制台不顯示任何輸入內容。

    顯示範例提示

    Enter the passphrase for onboard key management:

    Enter the passphrase again to confirm:

  5. 請輸入備份資訊:

    1. 貼上從 BEGIN BACKUP 行到 END BACKUP 行的所有內容,包括破折號。

      顯示範例提示 
      Enter the backup data:

--------------------------BEGIN BACKUP--------------------------
0123456789012345678901234567890123456789012345678901234567890123
1234567890123456789012345678901234567890123456789012345678901234
2345678901234567890123456789012345678901234567890123456789012345
3456789012345678901234567890123456789012345678901234567890123456
4567890123456789012345678901234567890123456789012345678901234567
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0123456789012345678901234567890123456789012345678901234567890123
1234567890123456789012345678901234567890123456789012345678901234
2345678901234567890123456789012345678901234567890123456789012345
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

---------------------------END BACKUP---------------------------

    2. 輸入內容結束後,按兩次回車鍵。

      恢復過程完成,並顯示以下訊息:

      Successfully recovered keymanager secrets.

    顯示範例提示 
    Trying to recover keymanager secrets....
Setting recovery material for the onboard key manager
Recovery secrets set successfully
Trying to delete any existing km_onboard.wkeydb file.

Successfully recovered keymanager secrets.

***********************************************************************************
* Select option "(1) Normal Boot." to complete recovery process.
*
* Run the "security key-manager onboard sync" command to synchronize the key database after the node reboots.
***********************************************************************************

    +

    警告 如果顯示的輸出結果不是以下內容,請勿繼續操作: Successfully recovered keymanager secrets 。進行故障排除以修正錯誤。

  6. 選擇選項 `1`從啟動選單繼續啟動進入ONTAP。

    顯示範例提示 
    ***********************************************************************************
* Select option "(1) Normal Boot." to complete the recovery process.
*
***********************************************************************************


(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 1

  7. 確認控制器控制台顯示以下資訊:

    Waiting for giveback…​(Press Ctrl-C to abort wait)

    關於合作夥伴控制器:

  8. 歸還受損控制器:

    storage failover giveback -fromnode local -only-cfo-aggregates true

    關於受損控制者:

  9. 僅使用 CFO 聚合啟動後,同步金鑰管理員:

    security key-manager onboard sync

  10. 出現提示時,輸入叢集範圍內的板載密鑰管理器密碼短語。

    顯示範例提示 
    Enter the cluster-wide passphrase for the Onboard Key Manager:

All offline encrypted volumes will be brought online and the corresponding volume encryption keys (VEKs) will be restored automatically within 10 minutes. If any offline encrypted volumes are not brought online automatically, they can be brought online manually using the "volume online -vserver <vserver> -volume <volume_name>" command.
    註 如果同步成功,則傳回群集提示符,不包含其他訊息。如果同步失敗,則會在傳回群集提示符之前顯示錯誤訊息。請勿繼續操作,直到錯誤修正且同步成功為止。

  11. 確認所有金鑰均已同步:

    security key-manager key query -restored false

    該命令不應傳回任何結果。如果出現任何結果,請重複同步命令,直到沒有結果返回為止。

    關於合作夥伴控制器:

  12. 歸還受損控制器:

    storage failover giveback -fromnode local

  13. 如果停用自動恢復功能,請還原:

    storage failover modify -node local -auto-giveback true

  14. 如果啟用 AutoSupport 、請還原自動建立案例:

    system node autosupport invoke -node * -type all -message MAINT=END

外部金鑰管理程式(EKM)

從 ONTAP 開機功能表還原外部金鑰管理程式組態。

開始之前

從另一個叢集節點或備份中收集以下檔案:

  • `/cfcard/kmip/servers.cfg`檔案或 KMIP 伺服器位址和連接埠

  • `/cfcard/kmip/certs/client.crt`文件(客戶端證書)

  • `/cfcard/kmip/certs/client.key`文件(客戶端密鑰)

  • `/cfcard/kmip/certs/CA.pem`檔案(KMIP 伺服器 CA 憑證)

步驟

關於受損控制者:

  1. 將遊戲機連接線連接到故障控制器。

  2. 選擇選項 `11`從ONTAP啟動選單。

    顯示開機功能表範例 
    (1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 11

  3. 出現提示時,請確認您已收集到所需資訊:

    顯示範例提示 
    Do you have a copy of the /cfcard/kmip/certs/client.crt file? {y/n}
Do you have a copy of the /cfcard/kmip/certs/client.key file? {y/n}
Do you have a copy of the /cfcard/kmip/certs/CA.pem file? {y/n}
Do you have a copy of the /cfcard/kmip/servers.cfg file? {y/n}

  4. 出現提示時,請輸入客戶端和伺服器資訊:

    1. 輸入客戶端憑證(client.crt)檔案的內容,包括 BEGIN 行和 END 行。

    2. 輸入客戶端金鑰(client.key)檔案的內容,包括 BEGIN 和 END 行。

    3. 輸入 KMIP 伺服器 CA(s) (CA.pem) 檔案內容,包括 BEGIN 和 END 行。

    4. 請輸入KMIP伺服器IP位址。

    5. 輸入 KMIP 伺服器連接埠(按 Enter 鍵使用預設連接埠 5696)。

      顯示範例 
      Enter the client certificate (client.crt) file contents:
-----BEGIN CERTIFICATE-----
<certificate_value>
-----END CERTIFICATE-----

Enter the client key (client.key) file contents:
-----BEGIN RSA PRIVATE KEY-----
<key_value>
-----END RSA PRIVATE KEY-----

Enter the KMIP server CA(s) (CA.pem) file contents:
-----BEGIN CERTIFICATE-----
<certificate_value>
-----END CERTIFICATE-----

Enter the IP address for the KMIP server: 10.10.10.10
Enter the port for the KMIP server [5696]:

System is ready to utilize external key manager(s).
Trying to recover keys from key servers....
kmip_init: configuring ports
Running command '/sbin/ifconfig e0M'
..
..
kmip_init: cmd: ReleaseExtraBSDPort e0M

      恢復過程完成,並顯示以下訊息:

      Successfully recovered keymanager secrets.

    顯示範例 
    System is ready to utilize external key manager(s).
Trying to recover keys from key servers....
Performing initialization of OpenSSL
Successfully recovered keymanager secrets.

  5. 選擇選項 `1`從啟動選單繼續啟動進入ONTAP。

    顯示範例提示 
    ***************************************************************************
* Select option "(1) Normal Boot." to complete the recovery process.
*
***************************************************************************

(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 1

  6. 如果停用自動恢復功能,請還原:

    storage failover modify -node local -auto-giveback true

  7. 如果啟用 AutoSupport 、請還原自動建立案例:

    system node autosupport invoke -node * -type all -message MAINT=END

接下來呢?

在開機媒體上還原加密後"將故障零件退回 NetApp",您需要。