NVE volumes offline after TPM chip motherboard replacement when using OKM

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 680

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: core

Last Updated:

Applies to

ONTAP 9
Onboard Key Manager (OKM)
NetApp Volume Encryption (NVE)
NetApp Aggregate Encryption (NAE)
Platforms which support Trusted Platform Module (TPM)

Issue

Motherboard replacement with a TPM chip is performed on the node.
After the next reboot of the node, the giveback is vetoed by OKM:

Sun Jun 05 01:24:41 +0530 [CLUSTER1-01: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate aggr1 failed due to unavailability of volume encryption keys for the encrypted volumes of the aggregate on the partner node CLUSTER1-02.

The giveback is subsequently manually completed with -override-vetoes true flag, resulting in an outage with all encrypted volumes going offline.
Errors in EMS log after giveback:

Sun Jun 05 09:31:13 +0530 [CLUSTER1-02: vv_apply_special11: crypto.import.failed:alert]: ERROR: Import of key with key ID xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx failed. Additional information: wrapping key not found.

Sun Jun 05 09:31:13 +0530 [CLUSTER1-02: vv_apply_special11: wafl.mount.transient.error:error]: WAFL: Unable to mount volume vol1, UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx due to Encryption key error.. Volume is taken offline due to transient errors.

Just prior to booting for waiting for giveback, an error appears in the boot/console log indicating keys are not imported:

Jun 05 10:28:25 [CLUSTER1-02:crypto.okmrecovery.failed:ALERT: ERROR: Import of the onboard key hierarchy failed: failed to import keyfailed.