NetApp Knowledge Base

Encrypted volume rehost in Azure CVO with AKV puts the key manager in a mixed state

Category:
ontap-9
Specialty:
core

Applies to

  • ONTAP 9.14.1P6 and below
  • Azure Key Vault (AKV)
  • Volume rehost

Issue

After an unsuccessful volume rehost of an encrypted volume from an Azure Key Vault-enabled vserver to a vserver without any key manager configured, the AKV keystore ends up in a mixed state:
 

Cluster::*> security key-manager external azure check 

Vserver: svm1
Node: node-01

Category: service_reachability
              Status: OK

Category: ekmip_server
              Status: OK

Category: kms_wrapped_key_status
              Status: UNKNOWN
              Details: The top-level internal key protection key (KEK) is
                       unavailable on node node-01. Reason: The
                       key manager is in mixed state.

 
Encryption stops working at the vserver level, and any attempt to create, delete, or move an encrypted volume results in the following error:
 
Volume encryption keys (VEK) cannot be created or deleted for data Vserver "svm1". External key management has been configured for data Vserver "svm1" but VEKs for existing encrypted volumes of this data Vserver are stored in key manager configured for the admin Vserver. Either use the (privilege: advanced) "security key-manager key migrate -from-vserver <admin vserver_name> -to-vserver <data vserver_name>" command to migrate existing keys of this data Vserver from the admin Vserver's key manager to this data Vserver's key manager or unconfigure the key manager for this data Vserver.
 

WARNING

DO NOT execute the commands or attempt to unconfigure the key manager as suggested in the error message!!!

Contact NetApp technical support for further assistance.
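
For monitoring, the check output shown in the Issue section can be parsed to flag this condition before any encrypted-volume operation is attempted. The following is an added example, not part of the original NetApp article: the names parse_check, findings and SAMPLE are hypothetical, the sample text is constructed from the output above, and how the output is collected from the cluster is left out.

```python
import re

# Constructed sample: the check output from the Issue section, as captured text.
SAMPLE = """\
Vserver: svm1
Node: node-01

Category: service_reachability
              Status: OK

Category: kms_wrapped_key_status
              Status: UNKNOWN
              Details: The top-level internal key protection key (KEK) is
                       unavailable on node node-01. Reason: The
                       key manager is in mixed state.
"""

FIELD = re.compile(r"^\s*(Vserver|Node|Category|Status|Details):\s*(.*)$")

def parse_check(text):
    """Return one dict per Category block, with wrapped Details lines rejoined."""
    results, ctx, cur, last = [], {"vserver": None, "node": None}, None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, val = m.group(1).lower(), m.group(2).strip()
            if key in ("vserver", "node"):
                ctx[key], cur = val, None
            elif key == "category":
                cur = {**ctx, "category": val, "status": None, "details": ""}
                results.append(cur)
            elif cur is not None:
                cur[key] = val
            last = key
        elif line.strip() and cur is not None and last == "details":
            cur["details"] += " " + line.strip()  # wrapped Details continuation
    return results

def findings(text):
    """List (vserver, node, category, status, mixed_state) for each non-OK category."""
    return [(r["vserver"], r["node"], r["category"], r["status"],
             "mixed state" in r["details"].lower())
            for r in parse_check(text) if r["status"] != "OK"]

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print("ALERT vserver=%s node=%s category=%s status=%s mixed_state=%s" % f)
```

Rejoining the wrapped Details lines before matching matters because the CLI wraps the reason text, so a phrase such as "mixed state" can be split across two output lines.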


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.