NetApp Knowledge Base

MCC with NSE drives: "security key-manager key delete" deletes keys used by the DR Cluster

Category: metrocluster
Specialty: MetroCluster

Applies to

  • ONTAP 9
  • Metrocluster
  • NetApp Storage Encryption (NSE)
  • Key Management Interoperability Protocol (KMIP)

Issue

In a MetroCluster environment, the "security key-manager key delete" command deletes NSE keys that are still in use by the DR cluster:

  1. Two separate keys are applied to the SED drives of cluster1 and cluster2:

cluster1:: *> storage encryption disk show
Disk     Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.1   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.2   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

cluster2:: *> storage encryption disk show
Disk     Mode Data Key ID
-------- ---- ----------------------------------------------------------------
2.30.15  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
2.30.16  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
2.30.17  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

  2. Both keys are restored on both clusters as expected:

cluster1::*> security key-manager key query

                 Node: cluster1n1
              Vserver: cluster1
          Key Manager: 10.xx.xx.xx:5696
     Key Manager Type: KMIP
  Key Manager Policy: -
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
cluster2                          NSE-AK    yes
    Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1                          NSE-AK    yes
    Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000


                 Node: cluster1n2
              Vserver: cluster1
          Key Manager: 10.xx.xx.xx:5696
     Key Manager Type: KMIP
  Key Manager Policy: -
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
cluster2                          NSE-AK    yes
    Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1                          NSE-AK    yes
    Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000


cluster2::*> security key-manager key query

               Node: cluster2n1
            Vserver: cluster2
        Key Manager: 10.xx.xx.xx:5696
   Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
cluster2                          NSE-AK    yes
    Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1                          NSE-AK    yes
    Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
               Node: cluster2n2
            Vserver: cluster2
        Key Manager: 10.xx.xx.xx:5696
   Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
cluster2                          NSE-AK    yes
    Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000
cluster1                          NSE-AK    yes
    Key ID: 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000

  3. Deleting the key AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA from cluster1 fails as expected:

cluster1::security key-manager key*> delete -key-id 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
Error: command failed: Authentication key with KeyID "00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000" cannot be deleted since it is in use by one or more self-encrypting drives.

  4. However, deleting the same key from cluster2 succeeds, and the key disappears from both cluster1 and cluster2:

cluster2::*> security key-manager key delete -key-id 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000
cluster2::*>

cluster2::*> security key-manager key query

               Node: cluster2n1
            Vserver: cluster2
        Key Manager: 10.xx.xx.xx:5696
   Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
cluster2                          NSE-AK    true
    Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000


               Node: cluster2n2
            Vserver: cluster2
        Key Manager: 10.87.124.35:5696
   Key Manager Type: KMIP
Key Manager Policy: -

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
cluster2                          NSE-AK    true
    Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000


cluster1::*> security key-manager key query

               Node: cluster1n1
            Vserver: cluster1
        Key Manager: 10.xx.xx.xx:5696
   Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
cluster2                          NSE-AK    true
    Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000


               Node: cluster1n2
           Vserver: cluster1
        Key Manager: 10.xx.xx.xx:5696
   Key Manager Type: KMIP
Key Manager Policy: -
Key Tag                               Key Type  Restored
------------------------------------  --------  --------
cluster2                          NSE-AK    true
    Key ID: 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB0000000000000000

  5. Meanwhile, the SED drives of cluster1 are still using the key that was just deleted:

cluster1::*> storage encryption disk show
Disk     Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.1   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.2   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
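The delete in step 4 succeeds because cluster2 only checks its own drives, so an operator has to perform the cross-cluster check by hand before deleting a key. The script below is an added example (not NetApp code and not part of this article): it parses "storage encryption disk show" output captured from both clusters of a MetroCluster and refuses a key ID that any self-encrypting drive on either side still uses. The two listings are constructed from the article's output; the matching rule (the key-manager listing shows each key ID as the disk-side key ID followed by 16 extra zeros, so comparison is done on the disk-side prefix) is an assumption drawn from the listings above.

```python
"""Pre-flight check for 'security key-manager key delete' in a MetroCluster.

Added example, not NetApp code. Given 'storage encryption disk show' output
from BOTH clusters, report every SED that still uses the key about to be
deleted, on either side, before the delete is issued on one cluster.
"""
import re
from typing import Dict, Set

# Constructed sample outputs, modelled on the listings in the article.
CLUSTER1_DISK_SHOW = """\
Disk     Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.10.0   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.1   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1.10.2   data 00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

CLUSTER2_DISK_SHOW = """\
Disk     Mode Data Key ID
-------- ---- ----------------------------------------------------------------
2.30.15  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
2.30.16  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
2.30.17  data 00000000000000000200000000000BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
"""

# One data row: disk name, mode, hex key ID. Header and separator lines
# do not match because "Data Key ID" and "----" are not hex strings.
ROW = re.compile(r"^(?P<disk>\S+)\s+(?P<mode>\S+)\s+(?P<key>[0-9A-Fa-f]+)\s*$")


def parse_disk_show(text: str) -> Dict[str, str]:
    """Map disk name -> data key ID from 'storage encryption disk show' output."""
    keys: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            keys[m.group("disk")] = m.group("key").upper()
    return keys


def drives_using_key(key_id: str, per_cluster: Dict[str, Dict[str, str]]) -> Dict[str, Set[str]]:
    """Return {cluster: {disk, ...}} for every SED whose data key matches key_id.

    Assumption (from the article's listings): the key-manager 'Key ID' is the
    disk-side key ID with 16 trailing zeros appended, so a disk key matches
    when it is a prefix of the key-manager key ID.
    """
    wanted = key_id.upper()
    hits: Dict[str, Set[str]] = {}
    for cluster, disks in per_cluster.items():
        using = {disk for disk, key in disks.items() if wanted.startswith(key)}
        if using:
            hits[cluster] = using
    return hits


def safe_to_delete(key_id: str, per_cluster: Dict[str, Dict[str, str]]) -> bool:
    """True only if no SED on ANY cluster in the inventory still uses key_id."""
    return not drives_using_key(key_id, per_cluster)


def main() -> None:
    inventory = {
        "cluster1": parse_disk_show(CLUSTER1_DISK_SHOW),
        "cluster2": parse_disk_show(CLUSTER2_DISK_SHOW),
    }
    # The key that cluster2 was able to delete in the article.
    key_a = "00000000000000000200000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0000000000000000"
    hits = drives_using_key(key_a, inventory)
    if hits:
        for cluster, disks in sorted(hits.items()):
            print(f"REFUSE: key still in use on {cluster} by {sorted(disks)}")
    else:
        print("OK: no SED on either cluster uses this key")


if __name__ == "__main__":
    main()
```

Run the check from a jump host after collecting the disk listing from every cluster that shares the same key manager, and only issue the delete when it reports nothing; the local-only check the article shows in step 3 does not protect the partner cluster.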

 
 
