Onboard encryption keys are not restored on newly added nodes despite successful key sync
Applies to
- ONTAP 9
- Onboard Key Manager (OKM)
- Trusted Platform Module (TPM)
Issue
- The SVM-KEK keys are not restored on newly added nodes:

    Cluster1::> security key-manager key show -restored no -used-by SVM-KEK

           Node: Cluster1-10
      Key Store: onboard
    Used By        Key ID
    -------------  --------------------------------------------------------------------------------
    SVM-KEK        00000000000000000200000000000a00752bf46976631c4bda5b47766a45402e0000000000000000
    SVM-KEK        00000000000000000200000000000a008114560c46e4d1f8f8167ae2b5f547b10000000000000000
    SVM-KEK        00000000000000000200000000000a0088d4d298e3331af7cbd160a86ac6b3d20000000000000000

           Node: Cluster1-11
      Key Store: onboard
    Used By        Key ID
    -------------  --------------------------------------------------------------------------------
    SVM-KEK        00000000000000000200000000000a0027e96b2aad32dd3df761833b059435ad0000000000000000
    SVM-KEK        00000000000000000200000000000a00752bf46976631c4bda5b47766a45402e0000000000000000
    SVM-KEK        00000000000000000200000000000a008114560c46e4d1f8f8167ae2b5f547b10000000000000000
    6 entries were displayed.

    Error: One or more nodes have onboard key management keys that need to be restored. Run the "security key-manager onboard sync" command to restore the onboard key hierarchy on those nodes.
- The onboard keys are not restored even after running the "security key-manager onboard sync" command.
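Because the symptom above is that the same SVM-KEK key IDs stay un-restored before and after the sync, a quick way to track it during troubleshooting is to parse the "key show -restored no" output and compare the per-node key lists across runs. The script below is an added example, not part of this article or NetApp's tooling. The SAMPLE_OUTPUT string is constructed in the two-column layout ONTAP prints, using the node names and key IDs from the output shown above; the helper names (parse_unrestored_keys, nodes_needing_sync, sync_did_not_help) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of "security key-manager key show -restored no -used-by SVM-KEK"
# output, using the node names and key IDs from the article's own output.
SAMPLE_OUTPUT = """\
       Node: Cluster1-10
  Key Store: onboard
Used By        Key ID
-------------  --------------------------------------------------------------------------------
SVM-KEK        00000000000000000200000000000a00752bf46976631c4bda5b47766a45402e0000000000000000
SVM-KEK        00000000000000000200000000000a008114560c46e4d1f8f8167ae2b5f547b10000000000000000
SVM-KEK        00000000000000000200000000000a0088d4d298e3331af7cbd160a86ac6b3d20000000000000000

       Node: Cluster1-11
  Key Store: onboard
Used By        Key ID
-------------  --------------------------------------------------------------------------------
SVM-KEK        00000000000000000200000000000a0027e96b2aad32dd3df761833b059435ad0000000000000000
SVM-KEK        00000000000000000200000000000a00752bf46976631c4bda5b47766a45402e0000000000000000
SVM-KEK        00000000000000000200000000000a008114560c46e4d1f8f8167ae2b5f547b10000000000000000
6 entries were displayed.
"""

# "Node: <name>" header that starts each per-node block.
NODE_RE = re.compile(r"^\s*Node:\s*(\S+)\s*$")
# A key row: the "Used By" type followed by a long hex key ID. Header and
# separator lines ("Used By        Key ID", dashes, "Key Store: onboard")
# do not match because their second column is not a hex string.
KEY_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F]{64,})\s*$")


def parse_unrestored_keys(text):
    """Return {node: {used_by: [key_id, ...]}} parsed from 'key show' output."""
    result = defaultdict(lambda: defaultdict(list))
    node = None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and node is not None:
            used_by, key_id = m.groups()
            result[node][used_by].append(key_id)
    return {n: dict(by_type) for n, by_type in result.items()}


def nodes_needing_sync(text, used_by="SVM-KEK"):
    """Map each node that still reports un-restored keys of `used_by` to the count."""
    parsed = parse_unrestored_keys(text)
    return {
        node: len(by_type[used_by])
        for node, by_type in parsed.items()
        if by_type.get(used_by)
    }


def sync_did_not_help(before, after, used_by="SVM-KEK"):
    """Key IDs that were un-restored before 'onboard sync' and are still un-restored after.

    An empty dict means the sync cleared everything; a non-empty dict is the
    condition this article describes (same keys listed before and after).
    """
    before_keys = parse_unrestored_keys(before)
    after_keys = parse_unrestored_keys(after)
    stuck = {}
    for node, by_type in after_keys.items():
        still_missing = set(by_type.get(used_by, [])) & set(
            before_keys.get(node, {}).get(used_by, [])
        )
        if still_missing:
            stuck[node] = sorted(still_missing)
    return stuck


if __name__ == "__main__":
    # Stand-alone run: compare the sample against itself, i.e. a sync that changed nothing.
    print("nodes needing sync:", nodes_needing_sync(SAMPLE_OUTPUT))
    for node, keys in sync_did_not_help(SAMPLE_OUTPUT, SAMPLE_OUTPUT).items():
        print(f"{node}: {len(keys)} SVM-KEK key(s) still not restored after sync")
```

In practice you would capture the command output once before running "security key-manager onboard sync" and once after, and feed the two captures to sync_did_not_help; any node that comes back non-empty is showing exactly the behaviour this article describes.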