NVE volumes offline after TPM chip motherboard replacement when using OKM
Applies to
- ONTAP 9
- Onboard Key Manager (OKM)
- NetApp Volume Encryption (NVE)
- NetApp Aggregate Encryption (NAE)
- Platforms which support Trusted Platform Module (TPM)
Issue
- A motherboard replacement that includes a new TPM chip is performed on the node.
- After the next reboot of the node, the giveback is vetoed by OKM:
Sun Jun 05 01:24:41 +0530 [CLUSTER1-01: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate aggr1 failed due to unavailability of volume encryption keys for the encrypted volumes of the aggregate on the partner node CLUSTER1-02.
- The giveback is subsequently completed manually with the -override-vetoes true flag, which results in an outage: all encrypted volumes go offline.
- Errors in the EMS log after the giveback:
Sun Jun 05 09:31:13 +0530 [CLUSTER1-02: vv_apply_special11: crypto.import.failed:alert]: ERROR: Import of key with key ID xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx failed. Additional information: wrapping key not found.
Sun Jun 05 09:31:13 +0530 [CLUSTER1-02: vv_apply_special11: wafl.mount.transient.error:error]: WAFL: Unable to mount volume vol1, UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx due to Encryption key error.. Volume is taken offline due to transient errors.
- Just before the node boots to the waiting for giveback state, an error in the boot/console log indicates that the keys were not imported:
Jun 05 10:28:25 [CLUSTER1-02:crypto.okmrecovery.failed:ALERT: ERROR: Import of the onboard key hierarchy failed: failed to import keyfailed.
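As an added illustration that is not part of this article, the following Python script scans exported EMS or console log lines for the four event names quoted above and reports whether forcing the giveback would put encrypted volumes at risk. The sample log lines are constructed copies of the messages shown in this article (with a shortened key ID placeholder), and the event descriptions are paraphrased from those messages; the parser's bracket format tolerates both the EMS form and the console form seen above.

```python
import re
from dataclasses import dataclass
from typing import List

# Event names quoted in this article, with what each one means for an operator
# deciding whether a vetoed giveback can be forced. Descriptions are paraphrased
# from the log messages themselves (not from NetApp documentation).
EVENT_MEANING = {
    "gb.sfo.veto.kmgr.keysmissing": "key manager veto: volume encryption keys unavailable on partner",
    "crypto.okmrecovery.failed": "onboard key hierarchy failed to import at boot",
    "crypto.import.failed": "volume key import failed (wrapping key not found)",
    "wafl.mount.transient.error": "encrypted volume taken offline due to encryption key error",
}

# Events that indicate the node cannot unwrap volume keys; overriding the veto
# while any of these is present is what produced the outage in this article.
KEY_FAILURE_EVENTS = {
    "gb.sfo.veto.kmgr.keysmissing",
    "crypto.okmrecovery.failed",
    "crypto.import.failed",
}

# Matches "[NODE: process: event.name:severity]: message" (EMS form) and the
# console form "[NODE:event.name:SEVERITY: message" with no closing bracket.
EMS_RE = re.compile(
    r"\[(?P<node>[^:\]\s]+):\s*"
    r"(?:(?P<proc>[^:\]]+):\s*)?"
    r"(?P<event>[a-z][\w.]*\.[\w.]+):(?P<sev>[A-Za-z]+)\]?:?\s*"
    r"(?P<msg>.*)"
)

VOLUME_RE = re.compile(r"Unable to mount volume (\S+),")

# Constructed sample log: copies of the lines quoted in this article plus one
# plain console line that carries no EMS event.
SAMPLE_LOG = [
    "Sun Jun 05 01:24:41 +0530 [CLUSTER1-01: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: "
    "Giveback of aggregate aggr1 failed due to unavailability of volume encryption keys for the "
    "encrypted volumes of the aggregate on the partner node CLUSTER1-02.",
    "Sun Jun 05 09:31:13 +0530 [CLUSTER1-02: vv_apply_special11: crypto.import.failed:alert]: "
    "ERROR: Import of key with key ID xxxxxxxxxxxxxxxx failed. Additional information: wrapping key not found.",
    "Sun Jun 05 09:31:13 +0530 [CLUSTER1-02: vv_apply_special11: wafl.mount.transient.error:error]: "
    "WAFL: Unable to mount volume vol1, UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx due to Encryption key error.. "
    "Volume is taken offline due to transient errors.",
    "Jun 05 10:28:25 [CLUSTER1-02:crypto.okmrecovery.failed:ALERT: ERROR: Import of the onboard key "
    "hierarchy failed: failed to import keyfailed.",
    "Waiting for giveback...",
]


@dataclass
class Finding:
    node: str
    event: str
    meaning: str
    message: str


def scan_ems(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that carries one of the key-manager events."""
    findings = []
    for line in lines:
        m = EMS_RE.search(line)
        if not m:
            continue
        event = m.group("event")
        if event in EVENT_MEANING:
            findings.append(Finding(m.group("node"), event, EVENT_MEANING[event], m.group("msg").strip()))
    return findings


def override_would_cause_outage(findings: List[Finding]) -> bool:
    """True when any key-unavailability event is present, i.e. forcing giveback would offline NVE volumes."""
    return any(f.event in KEY_FAILURE_EVENTS for f in findings)


def offline_volumes(findings: List[Finding]) -> List[str]:
    """Volume names already taken offline by wafl.mount.transient.error events."""
    names = []
    for f in findings:
        if f.event == "wafl.mount.transient.error":
            m = VOLUME_RE.search(f.message)
            if m:
                names.append(m.group(1))
    return names


if __name__ == "__main__":
    found = scan_ems(SAMPLE_LOG)
    for f in found:
        print(f"{f.node}: {f.event}: {f.meaning}")
    print("override would cause outage:", override_would_cause_outage(found))
    print("volumes already offline:", offline_volumes(found))
```

Run it against an EMS export (event log show output or the console capture) before deciding on -override-vetoes: a non-empty key-failure list means the partner cannot unwrap the volume keys, and the veto is protecting the data rather than blocking a healthy giveback.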