3. If you saw the message This command is not supported when onboard key management is enabled,
display the keys stored in the onboard key manager:
security key-manager key show -detail
a.
If the
Restored column displays yes, manually back up the onboard key management information:
▪
Go to advanced privilege mode and enter
y when prompted to continue: set -priv advanced
▪
Enter the command to display the OKM backup information:
security key-manager backup
show
▪ Copy the contents of the backup information to a separate file or your log file. You’ll need it in
disaster scenarios where you might need to manually recover OKM.
▪
Return to admin mode:
set -priv admin
▪ Shut down the impaired controller.
b.
If the
Restored column displays anything other than yes:
▪
Run the key-manager setup wizard:
security key-manager setup -node
target/impaired node name
Enter the customer’s OKM passphrase at the prompt. If the passphrase cannot be
provided, contact
mysupport.netapp.com
▪
Verify that the
Restored column shows yes for all authentication keys: security key-
manager key show -detail
▪
Go to advanced privilege mode and enter
y when prompted to continue: set -priv advanced
▪
Enter the command to back up the OKM information:
security key-manager backup show
Make sure that OKM information is saved in your log file. This information will be
needed in disaster scenarios where OKM might need to be manually recovered.
▪ Copy the contents of the backup information to a separate file or your log. You’ll need it in disaster
scenarios where you might need to manually recover OKM.
▪
Return to admin mode:
set -priv admin
▪ You can safely shut down the controller.
Option 2: Checking NVE or NSE on systems running ONTAP 9.6 and later
Before shutting down the impaired controller, you need to verify whether the system has either NetApp Volume
Encryption (NVE) or NetApp Storage Encryption (NSE) enabled. If so, you need to verify the configuration.
1.
Verify whether NVE is in use for any volumes in the cluster:
volume show -is-encrypted true
If any volumes are listed in the output, NVE is configured and you need to verify the NVE configuration. If
no volumes are listed, check whether NSE is configured and in use.
2.
Verify whether NSE is configured and in use:
storage encryption disk show
◦ If the command output lists the drive details with Mode & Key ID information, NSE is configured and
you need to verify the NSE configuration and in use.
◦ If no disks are shown, NSE is not configured.
5
To Next Page
Loading...
