Encrypted volume rehost in Azure CVO with AKV put the keymanager in the mixed state
Applies to
- ONTAP 9.14.1P6 and below
- Azure Key Vault (AKV)
- Volume rehost
Issue
After an unsuccessful
volume rehost
of an encrypted volume from Azure Key Vault enabled vserver to vserver without any key-manager configured, the AKV keystore ends up in a mixed state
:Cluster::*> security key-manager external azure check
Vserver: svm1
Node: node-01
Category: service_reachability
Status: OK
Category: ekmip_server
Status: OK
Category: kms_wrapped_key_status
Status: UNKNOWN
Details: The top-level internal key protection key (KEK) is
unavailable on node node-01. Reason: The
key manager is in mixed state.
The encryption stops working at the vserver level and any attempt to
create / delete / move
an encrypted volume results in the following error:Volume encryption keys (VEK) cannot be created or deleted for data Vserver "svm1". External key management has been configured for data Vserver "svm1" but VEKs for existing encrypted volumes of this data Vserver are stored in key manager configured for the admin Vserver. Either use the (privilege: advanced) "security key-manager key migrate -from-vserver <admin vserver_name> -to-vserver <data vserver_name>" command to migrate existing keys of this data Vserver from the admin Vserver's key manager to this data Vserver's key manager or unconfigure the key manager for this data Vserver.
WARNING DO NOT execute the commands or attempt to unconfigure the key manager as suggested in the error message!!! Contact NetApp technical support for further assistance. |