Failed to generate cluster key encryption key in kernel

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 25

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: core

Last Updated:

Applies to

ONTAP 9
Onboard Key Manager (OKM)

Issue

Changing the OKM passphrase fails with the below error:

Error: command failed: Internal error. Failed to generate cluster key encryption key in kernel. Key manager returned: 18. Crypto return code: 30.

The following events are reported in EMS:

[Node-01: svc_queue_thread: crypto.debug:info]: Onboard key hierarchy creation failed: NKEK key creation failed: 30.

During the reboot of the node, the following events are seen:

TPM is not initialized and is getting reset SSAL: tss_tpm_reset:1037 SSAL: tss_tpm_clear:908 Entry SSAL: tss_tpm_clear:917 Exit SSAL: tss_tpm_createprimary:816 SSAL: tss_tpm_evictcontrol:760 SSAL: tss_tpm_flush:319 SSAL: tss_tpm_nvdefinespace:611 nvIndex 16777216 SSAL: tss_tpm_nvwrite:708 nvIndex 16777216 Failed to retrieve keys WARNING: /etc/rc: /usr/sbin/okm_init failed (77); authentication keys might not be available

[Node-01:crypto.okmrecovery.failed:ALERT]: Import of the Onboard Key Manager (OKM) hierarchy has failed: no onboard keys found. Additional information: Onboard keys not found.

An attempt to sync the OKM fails with the below error:

::> security key-manager onboard sync Error: command failed: The Onboard Key Manager has failed to sync on the local node "Node-01", error: "Internal error". Failed to setup the Onboard Key Manager on node "Node-01"