Skip to main content
NetApp Knowledge Base

Modification of key IDs on an NSE disk fails due to missing key ID in key cache

Views:
80
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

Applies to

  • ONTAP 9
  • NetApp Storage Encryption (NSE)
  • Federal Information Processing Standard (FIPS)
  • External Key Manager (EKM)

Issue

  • Setting the data key ID to 0x0 on a specific NSE disk fails with the below error:

::> storage encryption disk modify -disk 1.0.4 -data-key-id 0x0

Error: Setting the data key ID to the manufacture secure ID is not allowed when in FIPS-compliance mode.

  • The command to modify the fips-key-id to 0x0 executes without errors, but it does not complete successfully:

::> storage encryption disk modify -disk 1.0.4 -fips-key-id 0x0

Info: Starting modify on 1 disk on node Node-02.
      View the status of the operation by using the "storage encryption disk show-status" command.

::> storage encryption disk show-status
        FIPS    Latest   Start               Execution  Disks  Disks      Disks
Node    Support Request  Timestamp          Time (sec)  Begun   Done Successful
------- ------- -------- ------------------ ---------- ------ ------ ----------
Node-01 true   modify 8/25/2023 09:59:57         2     12     12         12
Node-02 true   modify 8/29/2023 06:15:37         0      1      1          0
2 entries were displayed.

  • The data-key-id and fips-key-id of that specific disk are different from the other disks:

::> storage encryption disk show -fields fips-key-id,data-key-id
disk       data-key-id                              fips-key-id
-------    ---------------------------------------- -------------------------------------------
1.0.1   000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775 000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775
1.0.2   000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775 000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775
1.0.3   000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775 000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775
1.0.4   000000000000010022F3E53E0AXXXXXXXXXXXX360DF 000000000000010022F3E53E0AXXXXXXXXXXXX360DF

  • An attempt to restore the keys says there are no keys to be restored:

::> security key-manager restore
No keys need to be restored

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.