Aggregate encryption keys from decommissioned nodes remain in OKM

Last updated

Apr 3, 2025
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 80

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: CORE

Last Updated:: 4/3/2025, 2:19:31 PM

Applies to

ONTAP 9
Onboard Key Manager (OKM)

Issue

Encryption keys (of type VEK) with the same key-tag (20 keys per key-tag) are not restored and do not restore after performing onboard sync

cluster1::*> key query (security key-manager key query)

Node: cluster1-01 Vserver: cluster1 Key Manager: onboard Key Manager Type: OKM Key Manager Policy: -

Key Tag Key Type Encryption Restored ------------------------------------ -------- ------------ -------- cluster1-01 NSE-AK AES-256 true Key ID: 000000000000000002000000000001002493afaa9f620f1612e31846018d2d3a0000000000000000 cluster1-01 NSE-AK AES-256 true Key ID: 00000000000000000200000000000100b4a34ecc16364f9dccee7d1c16a579ed0000000000000000 93df9acc-3d21-4f06-ba64-b99a0a66d504 VEK XTS-AES-256 false Key ID: 0000000000000000020000000000050007c551aebfa5b5ab40230ad43e880b510000000000000000 93df9acc-3d21-4f06-ba64-b99a0a66d504 VEK XTS-AES-256 false Key ID: 000000000000000002000000000005001a80e9b1c7ce69f54eaa836d1455d6650000000000000000 <<<<<<<KEYS OMITTED FOR BREVITY>>>>>>> Key ID: 00000000000000000200000000000500d682e8efb2150d0d5a76cb9d2c6b2dc00000000000000000 93df9acc-3d21-4f06-ba64-b99a0a66d504 VEK XTS-AES-256 false Key ID: 00000000000000000200000000000500e00acebdcc4f5c43525e97e742426f1d0000000000000000 cluster1 SVM-KEK AES-256 true Key ID: 00000000000000000200000000000a009340adb7ef9d8923a67d7931302c15600000000000000000 23 entries were displayed.