Skip to main content
本繁體中文版使用機器翻譯,譯文僅供參考,若與英文版本牴觸,應以英文版本為準。

還原加密 - FAS8200

貢獻者
PDF

在替換開機媒體上還原加密。

您必須使用開機媒體取代程序開始時所擷取的設定、完成特定於已啟用內建金鑰管理程式( OKM )、 NetApp 儲存加密( NSE )或 NetApp 磁碟區加密( NVE )的系統的步驟。

根據系統上設定的金鑰管理程式、請從開機功能表中選取下列其中一個選項以還原。

選項 1 :還原 Onboard Key Manager 組態

從 ONTAP 開機功能表還原內建金鑰管理程式( OKM )組態。

開始之前
步驟

  1. 將主控台纜線連接至目標控制器。

  2. 從 ONTAP 開機功能表中、從開機功能表中選取適當的選項。

    版本ONTAP 選取此選項

    部分9.8或更新版本ONTAP

    選擇選項 10 。

    顯示開機功能表範例 
    Please choose one of the following:

(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 10

    更新版本ONTAP

    選取隱藏選項 recover_onboard_keymanager

    顯示開機功能表範例 
    Please choose one of the following:

(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
Selection (1-19)? recover_onboard_keymanager

  3. 確認您要繼續恢復程序。

    顯示範例提示

    This option must be used only in disaster recovery procedures. Are you sure? (y or n):

  4. 輸入叢集範圍的複雜密碼兩次。

    輸入複雜密碼時、主控台不會顯示任何輸入。

    顯示範例提示

    Enter the passphrase for onboard key management:

    Enter the passphrase again to confirm:

  5. 輸入備份資訊。

    1. 將整個內容從 BEGIN 備份線貼到終端備份線。

      顯示範例提示 
      Enter the backup data:

--------------------------BEGIN BACKUP--------------------------
0123456789012345678901234567890123456789012345678901234567890123
1234567890123456789012345678901234567890123456789012345678901234
2345678901234567890123456789012345678901234567890123456789012345
3456789012345678901234567890123456789012345678901234567890123456
4567890123456789012345678901234567890123456789012345678901234567
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0123456789012345678901234567890123456789012345678901234567890123
1234567890123456789012345678901234567890123456789012345678901234
2345678901234567890123456789012345678901234567890123456789012345
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

---------------------------END BACKUP---------------------------

    2. 在輸入結束時按兩次 ENTER 鍵。

      恢復程序即告完成。

      顯示範例提示 
      Trying to recover keymanager secrets....
Setting recovery material for the onboard key manager
Recovery secrets set successfully
Trying to delete any existing km_onboard.wkeydb file.

Successfully recovered keymanager secrets.

***********************************************************************************
* Select option "(1) Normal Boot." to complete recovery process.
*
* Run the "security key-manager onboard sync" command to synchronize the key database after the node reboots.
***********************************************************************************
    警告 如果顯示的輸出不是、請勿繼續 Successfully recovered keymanager secrets。執行疑難排解以修正錯誤。

  6. 從開機功能表中選取選項 1 、以繼續開機至 ONTAP 。

    顯示範例提示 
    ***********************************************************************************
* Select option "(1) Normal Boot." to complete the recovery process.
*
***********************************************************************************


(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 1

  7. 確認控制器的主控台顯示下列訊息。

    Waiting for giveback…​(Press Ctrl-C to abort wait)

  8. 從合作夥伴節點輸入下列命令、即可恢復合作夥伴控制器。

    storage failover giveback -fromnode local -only-cfo-aggregates true

  9. 只使用 CFO 集合體開機後、請執行下列命令。

    security key-manager onboard sync

  10. 輸入Onboard Key Manager的全叢集密碼。

    顯示範例提示 
    Enter the cluster-wide passphrase for the Onboard Key Manager:

All offline encrypted volumes will be brought online and the corresponding volume encryption keys (VEKs) will be restored automatically within 10 minutes. If any offline encrypted volumes are not brought online automatically, they can be brought online manually using the "volume online -vserver <vserver> -volume <volume_name>" command.
    註 如果同步成功、就會傳回叢集提示、而不會傳回其他訊息。如果同步失敗、則會在返回叢集提示之前顯示錯誤訊息。在修正錯誤並成功執行同步處理之前、請勿繼續。

  11. 輸入下列命令、確保所有金鑰都已同步。

    security key-manager key query -restored false

    There are no entries matching your query.

    註 在還原的參數中篩選 FALSE 時、不應出現任何結果。

  12. 輸入下列命令、從合作夥伴中移出節點。

    storage failover giveback -fromnode local

  13. 如果您停用了自動恢復功能、請輸入下列命令來還原。

    storage failover modify -node local -auto-giveback true

  14. 如果啟用 AutoSupport 、請輸入下列命令、以還原自動建立案例。

    system node autosupport invoke -node * -type all -message MAINT=END

選項 2 :還原外部金鑰管理程式組態

從 ONTAP 開機功能表還原外部金鑰管理程式組態。

開始之前

您需要下列資訊來還原外部金鑰管理程式( EKM )組態。

  • 從另一個叢集節點複本 /ccfcard/kmip/servers.cfg 檔案、或以下資訊:

    • KMIP 伺服器位址。

    • KMIP 連接埠。

  • 來自其他叢集節點或用戶端憑證的檔案複本 /cfcard/kmip/certs/client.crt

  • 來自其他叢集節點或用戶端金鑰的檔案複本 /cfcard/kmip/certs/client.key

  • 來自其他叢集節點或 KMIP 伺服器 CA 的檔案複本 /cfcard/kmip/certs/CA.pem

步驟

  1. 將主控台纜線連接至目標控制器。

  2. 從 ONTAP 開機功能表中選取選項 11 。

    顯示開機功能表範例 
    (1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 11

  3. 出現提示時、請確認您已收集必要資訊。

    顯示範例提示 
    Do you have a copy of the /cfcard/kmip/certs/client.crt file? {y/n}
Do you have a copy of the /cfcard/kmip/certs/client.key file? {y/n}
Do you have a copy of the /cfcard/kmip/certs/CA.pem file? {y/n}
Do you have a copy of the /cfcard/kmip/servers.cfg file? {y/n}

  4. 出現提示時、請輸入用戶端和伺服器資訊。

    顯示提示 
    Enter the client certificate (client.crt) file contents:
Enter the client key (client.key) file contents:
Enter the KMIP server CA(s) (CA.pem) file contents:
Enter the server configuration (servers.cfg) file contents:
    顯示範例 
    Enter the client certificate (client.crt) file contents:
-----BEGIN CERTIFICATE-----
MIIDvjCCAqagAwIBAgICN3gwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMQwwCgYDVQQHEwNTVkwxDzANBgNVBAoTBk5l
MSUbQusvzAFs8G3P54GG32iIRvaCFnj2gQpCxciLJ0qB2foiBGx5XVQ/Mtk+rlap
Pk4ECW/wqSOUXDYtJs1+RB+w0+SHx8mzxpbz3mXF/X/1PC3YOzVNCq5eieek62si
Fp8=
-----END CERTIFICATE-----

Enter the client key (client.key) file contents:
-----BEGIN RSA PRIVATE KEY-----
<key_value>
-----END RSA PRIVATE KEY-----

Enter the KMIP server CA(s) (CA.pem) file contents:
-----BEGIN CERTIFICATE-----
MIIEizCCA3OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
7yaumMQETNrpMfP+nQMd34y4AmseWYGM6qG0z37BRnYU0Wf2qDL61cQ3/jkm7Y94
EQBKG1NY8dVyjphmYZv+
-----END CERTIFICATE-----

Enter the IP address for the KMIP server: 10.10.10.10
Enter the port for the KMIP server [5696]:

System is ready to utilize external key manager(s).
Trying to recover keys from key servers....
kmip_init: configuring ports
Running command '/sbin/ifconfig e0M'
..
..
kmip_init: cmd: ReleaseExtraBSDPort e0M

    輸入用戶端和伺服器資訊後、恢復程序即告完成。

    顯示範例 
    System is ready to utilize external key manager(s).
Trying to recover keys from key servers....
[Aug 29 21:06:28]: 0x808806100: 0: DEBUG: kmip2::main: [initOpenssl]:460: Performing initialization of OpenSSL
Successfully recovered keymanager secrets.

  5. 從開機功能表中選取選項 1 、以繼續開機至 ONTAP 。

    顯示範例提示 
    ***********************************************************************************
* Select option "(1) Normal Boot." to complete the recovery process.
*
***********************************************************************************


(1)  Normal Boot.
(2)  Boot without /etc/rc.
(3)  Change password.
(4)  Clean configuration and initialize all disks.
(5)  Maintenance mode boot.
(6)  Update flash from backup config.
(7)  Install new software first.
(8)  Reboot node.
(9)  Configure Advanced Drive Partitioning.
(10) Set Onboard Key Manager recovery secrets.
(11) Configure node for external key management.
Selection (1-11)? 1

  6. 如果您停用了自動恢復功能、請輸入下列命令來還原。

    storage failover modify -node local -auto-giveback true

  7. 如果啟用 AutoSupport 、請輸入下列命令、以還原自動建立案例。

    system node autosupport invoke -node * -type all -message MAINT=END