ONTAP 9 Manuals ( CA08871-402 )

Restore external key management encryption keys

You can manually restore external key management encryption keys and push them to a different node. You might want to do this if you are restarting a node that was down temporarily when you created the keys for the cluster.

About this task

You can use the security key-manager key query -node node_name command to verify whether your key needs to be restored.

If you are using SE (storage encryption) on a system with a Flash Cache module, you should also enable VE (volume encryption) or AE (aggregate encryption), because SE does not encrypt data that resides on the Flash Cache module.

Before you begin

You must be a cluster or SVM administrator to perform this task.

Steps
  1. If you are running ONTAP 9.8 or later and your root volume is encrypted, do the following:

    If you are running ONTAP 9.7, or if you are running ONTAP 9.8 or later and your root volume is not encrypted, skip this step.

    1. Set the bootargs:
      setenv kmip.init.ipaddr <ip-address>
      setenv kmip.init.netmask <netmask>
      setenv kmip.init.gateway <gateway>
      setenv kmip.init.interface e0M
      boot_ontap

    2. Boot the node to the boot menu and select option (11) Configure node for external key management.

    3. Follow prompts to enter management certificate.

      After all management certificate information is entered, the system returns to the boot menu.

    4. From the boot menu, select option (1) Normal Boot.

  2. Restore the key:

    For this ONTAP version...    Use this command...
    ONTAP 9.7 and later          security key-manager external restore -vserver SVM -node node -key-server host_name|IP_address:port -key-id key_id -key-tag key_tag

    The -node parameter defaults to all nodes. For complete command syntax, see the man pages. This command is not supported when onboard key management is enabled.
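As an added example (not part of the ONTAP documentation), the following Python script parses the output of security key-manager key query and emits one security key-manager external restore command per node for every key whose Restored column reads "no". The sample output is constructed and its column layout is an assumption rather than a capture from a real cluster, so adjust the regular expression to what your cluster actually prints.

```python
import re

# Constructed sample output of `security key-manager key query`. The column
# layout is an assumption, not captured from a real cluster; key IDs shortened.
SAMPLE_QUERY_OUTPUT = """\
       Vserver: cluster1
          Node: node1

Key Server            Key ID                           Restored
--------------------- -------------------------------- --------
10.0.0.10:5696        000000000000000002000000000001AA yes
10.0.0.10:5696        000000000000000002000000000001AB no

       Vserver: cluster1
          Node: node2

Key Server            Key ID                           Restored
--------------------- -------------------------------- --------
10.0.0.10:5696        000000000000000002000000000001AA no
"""

# One key row: <host_or_ip:port> <hex key id> <yes|no>
ROW_RE = re.compile(r"^(\S+:\d+)\s+([0-9A-Fa-f]+)\s+(yes|no)$")


def parse_key_query(text: str) -> list[dict]:
    """Return one record per key row, tagged with the Vserver/Node header above it."""
    records, vserver, node = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Vserver:"):
            vserver = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Node:"):
            node = stripped.split(":", 1)[1].strip()
        elif (m := ROW_RE.match(stripped)) and vserver and node:
            records.append({"vserver": vserver, "node": node,
                            "key_server": m.group(1), "key_id": m.group(2),
                            "restored": m.group(3) == "yes"})
    return records


def restore_commands(records: list[dict]) -> list[str]:
    """Build the restore command for each key not yet restored (no -key-tag: the query output carries none)."""
    return [
        f"security key-manager external restore -vserver {r['vserver']} "
        f"-node {r['node']} -key-server {r['key_server']} -key-id {r['key_id']}"
        for r in records if not r["restored"]
    ]
```

Paste the real query output into SAMPLE_QUERY_OUTPUT (or read it from a file) and add -key-tag to the generated commands if your keys were created with tags.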