Pre-shutdown checks for onboard encryption keys
Prior to shutting down the impaired node and checking the status of the onboard encryption keys, you must
check the status of the impaired node, disable automatic giveback, and check what version of ONTAP the
system is running.
• If you have a cluster with more than two nodes, it must be in quorum. If the cluster is not in quorum or a
healthy node shows false for eligibility and health, you must correct the issue before shutting down the
impaired node.
ONTAP 9 System Administration Reference
Step 1. Check the status of the impaired node:
• If the impaired node is at the login prompt, log in as admin.
• If the impaired node is at the LOADER prompt and is part of HA configuration, log in as
admin on
the healthy node.
• If the impaired node is in a standalone configuration and at LOADER prompt, contact Lenovo
Support.
https://datacentersupport.lenovo.com/
Step 2. If AutoSupport is enabled, suppress automatic log creation by invoking an AutoSupport message:
system node autosupport invoke -node * -type all -message MAINT=number_of_hours_downh
The following AutoSupport message suppresses automatic log creation for two hours: cluster1:*>
system node autosupport invoke -node * -type all -message MAINT=2h
Step 3. If the impaired node is part of an HA configuration, disable automatic giveback from the healthy
node: storage failover modify -node local -auto-giveback falsestorage failover modify -node local -auto-
giveback-after-panic false
Step 4. Check the version of ONTAP the system is running using the version -v command:
• If <lno-DARE> is displayed, the system does not support Lenovo Volume Encryption (LVE), go to
“Shutting down the impaired controller” on page 50.
• If <l0> is displayed and the system is running ONTAP 9.6 or later, go to
“Checking LVE or LSE on
systems running ONTAP 9.6 and later” on page 48
.
Checking LVE or LSE on systems running ONTAP 9.6 and later
Before shutting down the impaired node, you need to check whether the system has either Lenovo Volume
Encryption (LVE) or Lenovo Storage Encryption (LSE) enabled. If so, you need to verify the configuration.
Step 1. Check whether LVE is configured for any volumes in the cluster:
volume show -is-encrypted true
If any volumes are listed in the output, LVE is configured and you need to verify the LVE
configuration. If no volumes are listed, check whether LSE is configured.
Step 2. Check whether LSE is configured: storage encryption disk show
• If the command output list the drive details with Mode & Key ID information, LSE is configured
and you need to verify the LSE configuration.
• If no disks are shown, LSE is not configured.
• If LVE and LSE are not configured, it's safe to shut down the impaired node.
Verifying LVE configuration
Step 1. Display the key IDs of the authentication keys that are stored on the key management servers:
security key-manager query
48 ThinkSystem DG5000 Hardware Installation and Maintenance Guide
To Next Page