ONTAP 9.12.1 commands

  • security key-manager key query

    Display the key IDs.

    Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

    Description

    This command displays the IDs of the keys that are stored in the configured key managers. This command does not update the key tables on the node. Primary key servers, along with any associated secondary key servers, are displayed in the output.

    Parameters

    { [-fields <fieldname>,…]

    If you specify the -fields <fieldname>,… parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

    | [-instance ] }

    If you specify the -instance parameter, the command displays detailed information about all fields.

    [-node {<nodename>|local}] - Node

    Use this parameter to specify the name of the node that queries the specified key management servers. If this parameter is not specified, then all nodes query the specified key management servers.

    [-vserver <vserver name>] - Vserver Name

    Use this parameter to specify the Vserver for which to list the keys.

    [-key-server <Hostname and Port>] - Key Server

    This parameter specifies the host and port of the key management server that you want to query. This parameter is used only with external key managers.

    [-key-id <Hex String>] - Key Identifier

    If you specify this parameter, then the command displays only the key IDs that match the specified value.

    [-key-tag <text>] - Key Tag

    If you specify this parameter, then the command displays only the key IDs that match the specified value. The key-tag for Volume Encryption Keys (VEKs) is set to the UUID of the encrypted volume.

    [-key-type <Key Usage Type>] - Key Type

    If you specify this parameter, then the command displays only the key IDs that match the specified value.

    [-restored {true|false}] - Restored

    This parameter specifies whether the key corresponding to the displayed key ID is present in the specified node’s internal key table. If you specify 'true' for this parameter, then the command displays the key IDs of only those keys that are present in the system’s internal key table. If you specify 'false' for this parameter, then the command displays the key IDs of only those keys that are not present in the system’s internal key table.

    [-key-store <Key Store>] - Key Store

    Use this parameter to specify the key manager type from which to list the keys.

    [-key-user <vserver name>] - Key User

    If you specify this parameter, then the command displays only the key IDs that are used by the specified Vserver.

    [-key-manager <text>] - Key Manager

    This parameter specifies the identity of the key manager. For external key managers, this is the host and port of the key server. In other cases, it is the name of the corresponding key manager.

    [-key-store-type <Key Store Type>] - Key Store Type

    If you specify this parameter, then the command displays only the key IDs that are used by the specified key manager type.

    [-crn <text>] - Cloud Resource Name

    This parameter specifies the Cloud Resource Name (CRN) of the key. If you specify this parameter, then the command displays only the key IDs that contain the specified CRN.

    [-policy <text>] - Key Store Policy

    This optional parameter specifies the policy name of the key manager. If you specify this parameter, then the command displays only the key IDs that are associated with the specified policy.

    [-encryption-algorithm <text>] - Encryption algorithm for the key

    This optional parameter specifies the encryption algorithm of the key. If you specify this parameter, then the command displays only the keys of the specified algorithm type.

    Examples

    The following example shows all of the keys on all configured key servers, and whether or not those keys have been restored for all nodes in the cluster:

    cluster-1::> security key-manager key query
    Node: node1
                Vserver: cluster-1
            Key Manager: onboard
       Key Manager Type: OKM
    
    Key Tag                               Key Type Encryption   Restored
    ------------------------------------  -------- ------------ --------
    node1                                 NSE-AK   AES-256      true
        Key ID: 000000000000000002000000000001000c11b3863f78c2273343d7ec5a67762e0000000000000000
    node1                                 NSE-AK   AES-256      true
        Key ID: 000000000000000002000000000001006f4e2513353a674305872a4c9f3bf7970000000000000000
    node1                                 NSE-AK   AES-256      true
        Key ID: 00000000000000000200000000000100e1f6b27094485d2d74408bca673b25eb0000000000000000
    node1                                 NSE-AK   AES-256      true
        Key ID: 00000000000000000200000000000100ea73be83ec42a7a2bd262f369cda83a40000000000000000
    Node: node1
                Vserver: datavs
            Key Manager: keyserver.datavs.com:5965
       Key Manager Type: KMIP
    
    Key Tag                               Key Type Encryption   Restored
    ------------------------------------  -------- ------------ --------
    eb9f8311-e8d8-487e-9663-7642d7788a75  VEK      XTS-AES-256  true
        Key ID: 0000000000000000020000000000004001cb18336f7c8223743d3e75c6a7726e0000000000000000
    9d09cbbf-0da9-4696-87a1-8e083d8261bb  VEK      XTS-AES-256  true
        Key ID: 0000000000000000020000000000004064f2e1533356a470385274a9c3ffb9770000000000000000
    40c3546e-600c-401c-b312-f01be52258dd  VEK      XTS-AES-256  true
        Key ID: 000000000000000002000000000000401e6f2b09744582d74d084cb6a372be5b0000000000000000
    9b195ecb-35ee-4d11-8f61-15a8de377ad7  VEK      XTS-AES-256  true
        Key ID: 00000000000000000200000000000040ea73be83ec42a7a2bd262f369cda83a40000000000000000
    Node: node2
                Vserver: cluster-1
            Key Manager: onboard
       Key Manager Type: OKM
    
    Key Tag                               Key Type Encryption   Restored
    ------------------------------------  -------- ------------ --------
    node1                                 NSE-AK   AES-256      true
        Key ID: 000000000000000002000000000001000c11b3863f78c2273343d7ec5a67762e0000000000000000
    node1                                 NSE-AK   AES-256      true
        Key ID: 000000000000000002000000000001006f4e2513353a674305872a4c9f3bf7970000000000000000
    node1                                 NSE-AK   AES-256      true
        Key ID: 00000000000000000200000000000100e1f6b27094485d2d74408bca673b25eb0000000000000000
    node1                                 NSE-AK   AES-256      true
        Key ID: 00000000000000000200000000000100ea73be83ec42a7a2bd262f369cda83a40000000000000000
    Node: node2
                Vserver: datavs
            Key Manager: keyserver.datavs.com:5965
       Key Manager Type: KMIP
    
    Key Tag                               Key Type Encryption   Restored
    ------------------------------------  -------- ------------ --------
    eb9f8311-e8d8-487e-9663-7642d7788a75  VEK      XTS-AES-256  true
        Key ID: 0000000000000000020000000000004001cb18336f7c8223743d3e75c6a7726e0000000000000000
    9d09cbbf-0da9-4696-87a1-8e083d8261bb  VEK      XTS-AES-256  true
        Key ID: 0000000000000000020000000000004064f2e1533356a470385274a9c3ffb9770000000000000000
    40c3546e-600c-401c-b312-f01be52258dd  VEK      XTS-AES-256  true
        Key ID: 000000000000000002000000000000401e6f2b09744582d74d084cb6a372be5b0000000000000000
    9b195ecb-35ee-4d11-8f61-15a8de377ad7  VEK      XTS-AES-256  true
        Key ID: 00000000000000000200000000000040ea73be83ec42a7a2bd262f369cda83a40000000000000000
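
Added example (not part of the NetApp documentation): a Python script that parses output in the layout shown above and reports keys whose Restored column is false, plus keys that one node lists and another does not. The sample text, its shortened key IDs, and the function names `parse` and `audit` are constructed for illustration; treating a key that is absent from one node's listing as a finding is an assumption.

```python
import re

# Constructed sample in the layout shown above (made-up, shortened key IDs).
SAMPLE = """\
Node: node1
            Vserver: datavs
        Key Manager: keyserver.datavs.com:5965
   Key Manager Type: KMIP
Key Tag                               Key Type Encryption   Restored
------------------------------------  -------- ------------ --------
eb9f8311-e8d8-487e-9663-7642d7788a75  VEK      XTS-AES-256  true
    Key ID: 0000aaaa0001
9d09cbbf-0da9-4696-87a1-8e083d8261bb  VEK      XTS-AES-256  true
    Key ID: 0000aaaa0002
Node: node2
            Vserver: datavs
        Key Manager: keyserver.datavs.com:5965
   Key Manager Type: KMIP
Key Tag                               Key Type Encryption   Restored
------------------------------------  -------- ------------ --------
eb9f8311-e8d8-487e-9663-7642d7788a75  VEK      XTS-AES-256  false
    Key ID: 0000aaaa0001
"""

HEADER = re.compile(r"^\s*(Node|Vserver|Key Manager|Key Manager Type):\s*(\S+)\s*$")
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(true|false)\s*$")
KEY_ID = re.compile(r"^\s*Key ID:\s*([0-9a-fA-F]+)\s*$")

def parse(text):
    """Return one dict per key: block header fields, tag, type, restored flag, key ID."""
    keys, ctx, row = [], {}, None
    for line in text.splitlines():
        if (m := KEY_ID.match(line)) and row:
            keys.append({**ctx, **row, "key_id": m.group(1).lower()})
            row = None
        elif m := HEADER.match(line):
            ctx[m.group(1)] = m.group(2)
        elif m := ROW.match(line):
            row = {"tag": m.group(1), "type": m.group(2), "restored": m.group(4) == "true"}
    return keys

def audit(keys):
    """Return (not_restored, missing) as sorted lists of (node, key_id) pairs."""
    seen, nodes = {}, {k["Node"] for k in keys}
    for k in keys:
        seen.setdefault((k["Vserver"], k["Key Manager"], k["key_id"]), set()).add(k["Node"])
    not_restored = sorted((k["Node"], k["key_id"]) for k in keys if not k["restored"])
    # Assumption: every node should list the same keys per Vserver and key manager.
    missing = sorted((n, kid) for (_, _, kid), have in seen.items() for n in nodes - have)
    return not_restored, missing
```

On a live cluster, the first of these checks can also be run directly with the -restored false filter described under Parameters.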