NSE: How to convert an external key management (KMIP) server to Onboard Key Manager (OKM) in ONTAP 9.1 or later
Applies to
- NetApp Storage Encryption (NSE)
- NetApp Volume Encryption (NVE)
- Onboard Key Manager (OKM)
- ONTAP 9.1 and later
Description
This article describes the procedure to convert an existing key management (KMIP) server configuration to use Onboard Key Management in Data ONTAP 9.1 or later.
- The Onboard Key Manager secures the keys created on the cluster when encryption is enabled using NVE and/or NSE.
- Enable OKM on each cluster on which data encryption is planned.
- If you are using an external key management (KMIP) server with NetApp Storage Encryption (NSE), delete the external key manager configuration before enabling the Onboard Key Manager.
- Cluster peers and MetroCluster must have the same key-manager configuration (either all OKM or all external KMIP).
- The KMIP configuration must be removed (using the procedure below) on all cluster peers that use external KMIP before installing OKM.