After ONTAP upgrade on a MetroCluster system, MetroCluster health reports as degraded. The following error is reported in metrocluster check or during switchover simulation: The "clus_salt" value in the Onboard Key Manager database was not properly updated. From the output of the below command, it is observed that the SVM-KEK and NSE-AK keys match between the clusters:
See the Solution when the command security key-manager key query shows that some of the VEK keys are not restored. One or more nodes have onboard key management VEK keys that need to be restored.
When running >> security key-manager key show -restored no, some Volume Encryption Keys (VEKs) are reported as not restored. Performing >> security key-manager onboard sync is successful (no errors) but does not show VEKs as restored. All other encryption key types are restored, only VEKs are not. ONTAP Upgrade Prechecks do not have any warnings related to encryption. VEKs referenced as not restored are not in use by any volume currently on the cluster.
Onboard Key Manager (OKM) VEKs are not listed under some nodes when performing "security key-manager key query" (output columns: Key Tag, Key Type, Restored). If any listed keys have "false" in the "Restored" column, run the "security key-manager external restore" command to restore the keys that are stored on an external key server and run the "security key-manager onboard sync" command to synchronize the keys that are part of the onboard key hierarchy.