How to configure OKM for NVE & Where to Get Encryption Key

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 385

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: core

Last Updated:

Applies to

ONTAP 9
NetApp Volume Encryption (NVE)
On Board Key Manager (OKM)

Answer

The Onboard Key Manager is a built-in tool that serves authentication keys to nodes from the same storage system as your data. When using OKM you do not need an external key manager to generate encryption keys – the keys are generated automatically – all you need to do is run “security key-manager onboard enable”

Step 1:

Run security key-manager onboard enable command

cluster2::> security key-manager onboard enable



Enter the cluster-wide passphrase for the Onboard Key Manager:



Re-enter the cluster-wide passphrase:

After configuring the Onboard Key Manager, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. To view the data, use the "security key-manager onboard show-back up" command.



The onboard passphrase MUST be 32 to 256 ASCII-range characters long.

Step 2:

Check the Keys

cluster2::> security key-manager key query -node cluster2-01



Node: cluster2-01

Vserver: cluster2

Key Manager: onboard

Key Manager Type: OKM



Key Tag                               Key Type  Restored

------------------------------------  --------  --------

cluster2-01                           NSE-AK    true

Key ID: 000000000000000002000000000001006a4cdad760624da1f32a58fe1e6c986f0000000000000000

cluster2-01                           NSE-AK    true

Key ID: 000000000000000002000000000001009426182227410fcf2aba4988886a80b00000000000000000

2 entries were displayed.

Additional Information

Configure onboard key management