Skip to main content

Coming soon...New Support-Specific categorization of Knowledge Articles in the NetApp Knowledge Base site to improve navigation, searchability and your self-service journey.

NetApp Knowledge Base

Error: command failed: The key server at "x.x.x.x" contains volume encryption keys that are currently in use and not available

  1. Last updated
  2. Save as PDF
Views:
209
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

Applies to

  • ONTAP 9
  • External Key Manager (EKM)
  • NetApp Volume Encryption (NVE)

Issue

  • While attempting to migrate external key manager servers to new servers you cannot delete the last key server.
Cluster-01::*> security key-manager external remove-servers -vserver cluster-1 -key-servers 10.28.XX.XX
 
Error: command failed: The key server at "10.28.XX.XX" contains volume encryption keys that are currently in use
and not available from any other configured key server.
  • The certificates and keys have been copied to the new KMIP servers, but the cluster does not pull the keys from those servers. 
  • In the following example 10.28.XX.XX is the last of the old key servers. The new key servers show as available but are not present in the key query:
Cluster-01::> security key-manager key query
Node: Cluster-01-01
Vserver: Cluster-01
Key Manager: 10.28.XX.XX:5696
Key Manager Type: KMIP
 
Key Tag Key Type Restored
------------------------------------ -------- --------
2170bf6c-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500d3a552b209a7265eb531e4cf5adb21c50000000000000000
38bc9422-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500e32ca6a0c308f850c51120b47334869f0000000000000000
27696c31-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500fefbd8470e63a8877d53509b9cd708e40000000000000000
 
Node: Cluster-01-02
Vserver: Cluster-01
Key Manager: 10.28.XX.XX:5696
Key Manager Type: KMIP
 
Key Tag Key Type Restored
------------------------------------ -------- --------
2170bf6c-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500d3a552b209a7265eb531e4cf5adb21c50000000000000000
38bc9422-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500e32ca6a0c308f850c51120b47334869f0000000000000000
27696c31-998b-11eb-b2a8-d039ea061535 VEK true
Key ID: 00000000000000000200000000000500fefbd8470e63a8877d53509b9cd708e40000000000000000
6 entries were displayed.
  • Key servers are available:
Cluster-01::*> key-manager show -status
security key-manager show)
 
Node Port Registered Key Manager Status
---------------------- ------ --------------------------- ---------------
Cluster-01-01 5696 10.28.XX.XX available                    
Cluster-01-01 5696 10.36.XX.XX available
Cluster-01-02 5696 10.28.XX.XX available
Cluster-01-02 5696 10.36.XX.XX available

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

Scan to view the article on your device