How to configure OKM for NVE & Where to Get Encryption Key
Applies to
- ONTAP 9
- NetApp Volume Encryption (NVE)
- Onboard Key Manager (OKM)
Answer
The Onboard Key Manager is a built-in tool that serves authentication keys to nodes from the same storage system as your data. When using OKM you do not need an external key manager to generate encryption keys: the keys are generated automatically. All you need to do is run "security key-manager onboard enable".
Step 1:
Run the security key-manager onboard enable command
cluster2::> security key-manager onboard enable
Enter the cluster-wide passphrase for the Onboard Key Manager:
Re-enter the cluster-wide passphrase:
After configuring the Onboard Key Manager, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. To view the data, use the "security key-manager onboard show-backup" command.
The onboard passphrase MUST be 32 to 256 ASCII-range characters long.
Step 2:
Check the Keys
cluster2::> security key-manager key query -node cluster2-01
Node: cluster2-01
Vserver: cluster2
Key Manager: onboard
Key Manager Type: OKM
Key Tag                              Key Type Restored
------------------------------------ -------- --------
cluster2-01                          NSE-AK   true
    Key ID: 000000000000000002000000000001006a4cdad760624da1f32a58fe1e6c986f0000000000000000
cluster2-01                          NSE-AK   true
    Key ID: 000000000000000002000000000001009426182227410fcf2aba4988886a80b00000000000000000
2 entries were displayed.
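To run the Step 2 check across many nodes, the "security key-manager key query" output can be parsed and any key whose Restored column is not true flagged. The script below is an added example, not NetApp code; it assumes the output layout shown above and key tags without spaces, and its sample text and key IDs are constructed.

```python
import re

# Constructed sample in the layout shown above; key IDs are made-up
# placeholders and the second row is set to "false" to exercise the check.
SAMPLE = """\
Node: cluster2-01
Vserver: cluster2
Key Manager: onboard
Key Manager Type: OKM
Key Tag                              Key Type Restored
------------------------------------ -------- --------
cluster2-01                          NSE-AK   true
    Key ID: 00000000000000000200000000000100aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0000000000000000
cluster2-01                          NSE-AK   false
    Key ID: 00000000000000000200000000000100bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb0000000000000000
2 entries were displayed.
"""

HEADER = re.compile(r"^(Node|Vserver|Key Manager|Key Manager Type):\s*(.+)$")
ROW = re.compile(r"^(?P<tag>\S+)\s+(?P<type>\S+)\s+(?P<restored>true|false)$")
KEY_ID = re.compile(r"^Key ID:\s*(?P<id>[0-9a-fA-F]+)$")
COUNT = re.compile(r"^(\d+) entr(?:y was|ies were) displayed\.$")

def parse_key_query(text):
    """Return (keys, reported_count); each key carries its node header fields."""
    keys, ctx, current, reported = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER.match(line)):
            if m.group(1) == "Node":
                ctx = {}  # a new per-node block starts here
            ctx[m.group(1)] = m.group(2)
        elif (m := ROW.match(line)):
            current = {"node": ctx.get("Node"), "manager": ctx.get("Key Manager"),
                       "tag": m["tag"], "type": m["type"],
                       "restored": m["restored"] == "true", "key_id": None}
            keys.append(current)
        elif (m := KEY_ID.match(line)) and current is not None:
            current["key_id"] = m["id"]  # Key ID line belongs to the row above it
        elif (m := COUNT.match(line)):
            reported = int(m.group(1))
    return keys, reported

def problems(text):
    """List findings: rows with Restored=false, or a truncated capture."""
    keys, reported = parse_key_query(text)
    out = [f"{k['node']}: {k['type']} key {k['key_id']} not restored"
           for k in keys if not k["restored"]]
    if reported is not None and reported != len(keys):
        out.append(f"parsed {len(keys)} rows but output reports {reported}")
    return out

if __name__ == "__main__":
    print("\n".join(problems(SAMPLE)) or "all keys restored")
```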