
How to recover a lost passphrase while using onboard encryption and NVE within ONTAP

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_reco…
Updated: Tue, 18 Oct 2022 17:01:03 GMT

Applies to
• ONTAP 9
• Onboard Key Manager (OKM)
• NetApp Volume Encryption (NVE)
• NetApp Storage Encryption (NSE)

'NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations
provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations
provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or
techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational
environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this
document.'
Description
The cluster passphrase used to configure OKM is unknown and there are encrypted volumes or disks.

• ONTAP provides the ability to be configured for onboard key management to encrypt data at rest.
◦ The configuration is secured with a cluster-wide passphrase that is entered when the onboard key
manager is configured and can be changed as needed.
◦ If the cluster-wide passphrase is lost, the recovery procedure involves unencrypting any volume using
NVE or NAE encryption in order to reconfigure onboard key manager.

Procedure

All volumes and disks must be un-encrypted before deleting the OKM configuration. Do not perform any
other maintenance on the cluster until this process is complete as some maintenance activities require the
cluster-wide passphrase to be entered.

Unencrypting Volumes

1. Verify all encrypted volumes:


::> volume show -encrypt true

2. Un-encrypt the encrypted volumes:

::> volume move start -vserver vs1 -volume vol1 -destination-aggregate dst_aggr -encrypt-destination false

3. Verify no encrypted volumes are left:


::> volume show -encrypt true

Checking for NetApp Storage Encryption (NSE)

1. Check if any encrypted disks exist in the system.

::> storage encryption disk show

2. If the disks show as encrypted, proceed with these steps. Otherwise skip to the next section.

© 2020 NetApp. No part of this document covered by copyright may be reproduced in any form or by any means—graphic, electronic, or mechanical,
including photocopying, recording, taping, or storage in an electronic retrieval system—without prior written permission of the copyright owner. For more
information, see Legal Notices.
3. Assign the FIPS key to the SEDs using the default manufacturer secure ID 0x0 (full read/write access):

::> set -privilege advanced
::*> storage encryption disk modify -fips-key-id 0x0 -disk *

(run this modify command twice)

4. Verify all disks are complete and set to mode 'data':


::*> storage encryption disk show-status
::*> storage encryption disk show

5. Assign the data key to the SEDs using the default manufacturer secure ID 0x0 (full read/write access):

::*> storage encryption disk modify -data-key-id 0x0 -disk *

(run this modify command twice)

6. Verify all disks are complete and set from mode 'data' to mode 'open' with key-id 0x0:

::*> storage encryption disk show-status


::*> storage encryption disk show

Removing and Reconfiguring the Onboard Key Manager

For ONTAP 9.5 and below:

1. Delete the Onboard Key Manager configuration:


::> set -privilege advanced
::*> security key-manager delete-key-database

2. Re-configure Onboard Key Manager:


::*> security key-manager setup

For ONTAP 9.6 and above:

1. Delete the Onboard Key Manager configuration:

::> set -privilege advanced

::*> security key-manager onboard disable

2. Re-configure Onboard Key Manager:

::*> security key-manager onboard enable

Configure Volumes with New Encryption Keys

1. Re-encrypt the volumes:

::> volume move start -vserver vs1 -volume vol1 -destination-aggregate dst_aggr -encrypt-destination true

Notes:

• dst_aggr can be the volume’s current aggregate


• Starting with ONTAP 9.3, you can use the volume encryption conversion start command to enable
encryption of an existing volume (Applies only for step 6).
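The following Python helper is an added example and is not part of this article or of any NetApp tool. It ties together the "Unencrypting Volumes", "Checking for NetApp Storage Encryption (NSE)" and "Configure Volumes with New Encryption Keys" sections: it parses captured output of the two verification commands (the `-fields vserver,volume,aggregate` form of `volume show -encrypt true` is assumed, as is the Disk / Mode / Data Key ID column order of `storage encryption disk show`), generates the `volume move start` and NSE key-reset commands from the steps above, and lists what still blocks deleting the OKM configuration. The sample outputs are constructed; check the column layout against the actual cluster output before relying on the parser.

```python
"""Pre-flight helper for the OKM passphrase-recovery procedure (added example,
not NetApp's code). Parses captured ONTAP CLI output, builds the command plan
from the documented steps and refuses to report "safe" while any NVE volume or
NSE disk is still encrypted. All sample outputs below are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Volume:
    vserver: str
    name: str
    aggregate: str


@dataclass(frozen=True)
class Disk:
    name: str
    mode: str     # 'open', 'data', 'part' or 'full' as shown by ONTAP
    key_id: str   # '0x0' is the default manufacturer secure ID


def _table_rows(output: str) -> list[list[str]]:
    """Data rows of an ONTAP tabular listing, whitespace-split.
    Drops blank lines, the '----' divider, 'N entries were displayed.' and the
    empty-result message; the first remaining line is the column header."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line or set(line) <= {"-", " "}:
            continue
        if "entries were displayed" in line or "no entries matching" in line:
            continue
        rows.append(line.split())
    return rows[1:]


def parse_encrypted_volumes(output: str) -> list[Volume]:
    """Rows of: volume show -encrypt true -fields vserver,volume,aggregate"""
    return [Volume(vs, vol, aggr) for vs, vol, aggr in _table_rows(output)]


def parse_disks(output: str) -> list[Disk]:
    """Rows of: storage encryption disk show (Disk, Mode, Data Key ID)"""
    return [Disk(disk, mode, key) for disk, mode, key in _table_rows(output)]


def volume_move_commands(volumes: list[Volume], encrypt: bool) -> list[str]:
    """One 'volume move start' per volume, moved in place (the notes above
    allow the destination aggregate to be the volume's current aggregate)."""
    flag = "true" if encrypt else "false"
    return [f"volume move start -vserver {v.vserver} -volume {v.name} "
            f"-destination-aggregate {v.aggregate} -encrypt-destination {flag}"
            for v in volumes]


def nse_clear_commands(disks: list[Disk]) -> list[str]:
    """NSE steps 3-6: each modify command is issued twice, then verified."""
    if all(d.mode == "open" and d.key_id == "0x0" for d in disks):
        return []
    plan = ["set -privilege advanced"]
    for key_flag in ("-fips-key-id", "-data-key-id"):
        plan += [f"storage encryption disk modify {key_flag} 0x0 -disk *"] * 2
        plan += ["storage encryption disk show-status",
                 "storage encryption disk show"]
    return plan


def okm_delete_blockers(volumes: list[Volume], disks: list[Disk]) -> list[str]:
    """Reasons the OKM configuration must NOT be deleted yet; empty means go."""
    blockers = [f"volume {v.vserver}:{v.name} is still encrypted" for v in volumes]
    blockers += [f"disk {d.name} is in mode '{d.mode}' with key {d.key_id} "
                 "(need 'open' with key 0x0)"
                 for d in disks if d.mode != "open" or d.key_id != "0x0"]
    return blockers


# Constructed sample outputs (not captured from a real cluster).
VOLUMES_BEFORE = """\
vserver volume aggregate
------- ------ ---------
vs1     vol1   aggr1
vs1     vol2   aggr2
2 entries were displayed.
"""
VOLUMES_AFTER = "There are no entries matching your query.\n"
DISKS_BEFORE = """\
Disk     Mode Data Key ID
-------- ---- --------------------------------
1.0.0    data A1B2C3D4E5F60718293A4B5C6D7E8F90
1.0.1    data A1B2C3D4E5F60718293A4B5C6D7E8F90
2 entries were displayed.
"""
DISKS_AFTER = DISKS_BEFORE.replace("data A1B2C3D4E5F60718293A4B5C6D7E8F90", "open 0x0")

if __name__ == "__main__":
    vols, disks = parse_encrypted_volumes(VOLUMES_BEFORE), parse_disks(DISKS_BEFORE)
    print("\n".join(volume_move_commands(vols, encrypt=False) + nse_clear_commands(disks)))
    for reason in okm_delete_blockers(vols, disks):
        print("BLOCKED:", reason)
    print("OKM delete OK:", not okm_delete_blockers(
        parse_encrypted_volumes(VOLUMES_AFTER), parse_disks(DISKS_AFTER)))
    print("\n".join(volume_move_commands(vols, encrypt=True)))  # after OKM is back
```

Run it with the captured output of the two commands in place of the constructed strings; `okm_delete_blockers` returning an empty list is the gate for the "Removing and Reconfiguring the Onboard Key Manager" section, and the list of volumes parsed before the moves is what `volume_move_commands(..., encrypt=True)` uses to re-encrypt afterwards.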

Additional Information
• Unencrypting volume data
• For NetApp Aggregate Encryption (NAE) follow the procedure for NAE.
