ONTAP 9.13.1 commands

storage encryption disk modify

Modify self-encrypting disk parameters

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The storage encryption disk modify command changes the data protection parameters of self-encrypting disks (SEDs) and FIPS-certified SEDs (FIPS SEDs); it also modifies the FIPS-compliance AK (FIPS AK) of FIPS SEDs. The current data AK and FIPS AK of the device are required to effect changes to the respective AKs and FIPS compliance. The current and new AKs must be available from the key servers or onboard key management.

The command releases the cluster shell after launching the operation. Monitor the output of the storage encryption disk show-status command for command completion.

To properly protect data at rest on a FIPS SED and place it into compliance with its FIPS certification requirements, set both the Data and FIPS AKs to a value other than the device's default key; depending on the device type, the default may be the manufacturer secure ID (MSID), indicated by a key ID with the special value 0x0, or a null key, represented by a blank key ID. Verify the key IDs by using the storage encryption disk show and storage encryption disk show -fips commands.

Parameters

-disk <disk path name> - Disk Name

This parameter specifies the name of the SED or FIPS SED that you want to modify.

{ [-data-key-id <text>] - Key ID of the New Data Authentication Key

This parameter specifies the key ID associated with the data AK that you want the SED to use for future authentications. When the provided key ID is the MSID, data at rest on the SED is not protected from unauthorized access. Setting this parameter to a non-MSID value automatically engages the power-on-lock protections of the device, so that when the device is power-cycled, the system must authenticate with the device using the AK to reenable I/O operations. You cannot specify the null default key; use MSID instead.

| [-fips-key-id <text>] - Key ID of the New Authentication Key for FIPS Compliance }

This parameter specifies the key ID associated with the FIPS AK that you want the FIPS SED to apply to SED credentials other than the one that protects the data. When the value is not the MSID, these credentials are changed to the indicated AK, and other security-related items are set to conform to the FIPS certification requirements ("FIPS compliance mode") of the device. You may set the -fips-key-id to any one of the key IDs known to the system. The FIPS key ID may, but does not have to, be the same as the data key ID parameter. Setting -fips-key-id to the MSID key ID value disables FIPS compliance mode and restores the FIPS-related authorities and other components as required (other than data) to their default settings. A non-MSID FIPS-compliance key may be applied only to a FIPS SED.
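The following Python helper is an added example, not part of the ONTAP reference and not NetApp code. It applies the rules stated above as pre-flight and post-change checks: a disk whose data or FIPS key ID is the MSID (0x0) or blank (null key) is still on a default AK, a modify request must name exactly one of -data-key-id or -fips-key-id, the null key cannot be passed to -data-key-id, and any non-MSID key ID must be one the key manager already knows. The table it parses is a constructed, simplified rendering of storage encryption disk show -fips output (the real column layout differs), and KNOWN_KEY_IDS is a stand-in for the key IDs that security key-manager query would list.

```python
"""Added example: pre-flight and post-change checks around
`storage encryption disk modify`.  Not from the ONTAP reference or NetApp.

Assumptions (labelled because the reference does not specify them):
  * SAMPLE_SHOW_FIPS is a constructed, simplified table standing in for
    `storage encryption disk show -fips` output; real output differs.
  * KNOWN_KEY_IDS stands in for the output of `security key-manager query`.
"""

MSID = "0x0"   # key ID reported for the manufacturer secure ID (default key)

# Constructed key IDs (the two that appear in the reference's examples).
DATA_KEY = "6A1E21D8000000000100000000000000F5A1EB48EF26FD6A8E76549C019F2350"
FIPS_KEY = "6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A"
KNOWN_KEY_IDS = {DATA_KEY, FIPS_KEY}   # stand-in for `security key-manager query`


def _row(disk, data_key, fips_key):
    # Fixed-width rendering used only to build the constructed sample table.
    return f"{disk:<9}{data_key:<67}{fips_key}"


SAMPLE_SHOW_FIPS = "\n".join([
    _row("Disk", "Data Key ID", "FIPS Key ID"),
    _row("-" * 8, "-" * 66, "-" * 11),
    _row("2.10.0", DATA_KEY, FIPS_KEY),   # both AKs set: protected, FIPS mode on
    _row("2.10.1", MSID, MSID),           # factory defaults: unprotected
    _row("2.10.2", DATA_KEY, MSID),       # data protected, FIPS mode off
    _row("2.10.3", "", ""),               # null keys shown as blank key IDs
])


def parse_show_fips(text):
    """Parse the (assumed) table into {disk: (data_key_id, fips_key_id)}.

    Columns are sliced at the header offsets so that blank key IDs survive
    instead of shifting the remaining fields left.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    data_col = header.index("Data Key ID")
    fips_col = header.index("FIPS Key ID")
    rows = {}
    for ln in lines[2:]:                       # skip header and dashed line
        disk = ln[:data_col].strip()
        rows[disk] = (ln[data_col:fips_col].strip(), ln[fips_col:].strip())
    return rows


def is_default_key(key_id):
    """MSID (0x0) or a null key (blank ID) both mean no real AK is set."""
    return key_id in ("", MSID)


def audit_disks(rows):
    """Return {disk: [findings]} for disks still on a default data or FIPS AK."""
    findings = {}
    for disk, (data_key, fips_key) in rows.items():
        issues = []
        if is_default_key(data_key):
            issues.append("data AK is default: data at rest not protected, no power-on lock")
        if is_default_key(fips_key):
            issues.append("FIPS AK is default: FIPS-compliance mode not engaged")
        if issues:
            findings[disk] = issues
    return findings


def plan_modify(disk, data_key_id=None, fips_key_id=None, known=KNOWN_KEY_IDS):
    """Validate one modify request and return (command line, warning or None).

    Raises ValueError for requests the reference says are invalid; returns a
    warning alongside the command when the change weakens protection.
    """
    if (data_key_id is None) == (fips_key_id is None):
        raise ValueError("specify exactly one of -data-key-id or -fips-key-id")
    if data_key_id is not None:
        flag, key_id = "-data-key-id", data_key_id
        if key_id == "":
            raise ValueError("null key cannot be given to -data-key-id; use the MSID key ID")
    else:
        flag, key_id = "-fips-key-id", fips_key_id
    if key_id != MSID and key_id not in known:
        raise ValueError(f"{key_id!r} is not listed by security key-manager query")
    warning = None
    if key_id == MSID:
        warning = ("data at rest will be unprotected" if flag == "-data-key-id"
                   else "FIPS-compliance mode will be disabled")
    return f"storage encryption disk modify {flag} {key_id} -disk {disk}", warning


if __name__ == "__main__":
    for disk, issues in sorted(audit_disks(parse_show_fips(SAMPLE_SHOW_FIPS)).items()):
        print(disk, "->", "; ".join(issues))
    print(plan_modify("2.10.*", data_key_id=DATA_KEY))
```

Run against the constructed table, audit_disks flags 2.10.1, 2.10.2 and 2.10.3 and leaves 2.10.0 alone; plan_modify accepts a known key ID, refuses a blank -data-key-id or an unknown key ID, and warns when the MSID is chosen because that returns the disk to its unprotected default.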

Examples

The following command changes both the AK and the power-cycle protection to values that protect the data at rest on the disk. Note that the -data-key-id and -fips-key-id parameters require one of the key IDs that appear in the output of the security key-manager query command.

cluster1::> storage encryption disk modify -data-key-id 6A1E21D8000000000100000000000000F5A1EB48EF26FD6A8E76549C019F2350 -disk 2.10.*

Info: Starting modify on 14 disks.
      View the status of the operation by using the
      storage encryption disk show-status command.

The following command changes the FIPS AK and sets the device into FIPS-compliance mode. Note that the -fips-key-id parameter requires one of the key IDs that appear in the output of the security key-manager query command.

cluster1::> storage encryption disk modify -fips-key-id 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A 2.10.*

Info: Starting modify on 14 disks.
      View the status of the operation by using the
      storage encryption disk show-status command.