Cannot unjoin nodes with NSE drives keyed

Last updated

Mar 6, 2025
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 47

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: core

Last Updated:: 3/6/2025, 10:44:00 PM

Applies to

ONTAP 9
NetApp Storage Encryption (NSE)
Onboard Key Manager (OKM)

Issue

Cannot unjoin or remove cluster nodes:

Cluster::*> cluster unjoin -node Cluster-01

Error: command failed: Cannot remove node "Cluster-01" because its self-encrypting drives use authentication keys (AKs) that will not be available to the node after it leaves the cluster. Use the "storage encryption disk show" and "storage encryption disk modify" commands to set the FIPS and data AKs of devices owned by the node and the failover partner to the default manufacture secure ID (MSID), keyID 0x0.

No key manager is configured:

Cluster::*> security key-manager key query No matching keys found.

Disks have keys assigned

Cluster::*> storage encryption disk show Disk Mode Data Key ID -------- ---- ---------------------------------------------------------------- ... 1.10.20 open 1.10.21 open 1.10.22 open 1.10.23 open 2.0.0 data 00000000000000000200000000000100AFB1954A0CD3735E2D76E085E41E2B4B 2.0.1 data 00000000000000000200000000000100AFB1954A0CD3735E2D76E085E41E2B4B 2.0.2 data 00000000000000000200000000000100AFB1954A0CD3735E2D76E085E41E2B4B 2.0.3 data 00000000000000000200000000000100AFB1954A0CD3735E2D76E085E41E2B4B 2.0.4 data 00000000000000000200000000000100AFB1954A0CD3735E2D76E085E41E2B4B ...