How To Recover A Lost Passphrase While Using Onboard Encryption and NVE Within ONTAP
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_reco…
Updated: Tue, 18 Oct 2022 17:01:03 GMT
Applies to
• ONTAP 9
• Onboard Key Manager (OKM)
• NetApp Volume Encryption (NVE)
• NetApp Storage Encryption (NSE)
'NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations
provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations
provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or
techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational
environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this
document.'
Description
The cluster passphrase used to configure OKM is unknown and there are encrypted volumes or disks.
• ONTAP provides the ability to be configured for onboard key management to encrypt data at rest.
◦ The configuration is secured with a cluster-wide passphrase that is entered when the onboard key
manager is configured and can be changed as needed.
◦ If the cluster-wide passphrase is lost, the recovery procedure involves unencrypting any volume using
NVE or NAE encryption in order to reconfigure onboard key manager.
Procedure
All volumes and disks must be un-encrypted before deleting the OKM configuration. Do not perform any
other maintenance on the cluster until this process is complete as some maintenance activities require the
cluster-wide passphrase to be entered.
Unencrypting Volumes
2. If the disks show as encrypted, proceed with these steps. Otherwise skip to the next section.
© 2020 NetApp.No part of this document covered by copyright may be reproduced in any form or by any means—graphic, electronic, or mechanical,
including photocopying, recording, taping, or storage in an electronic retrieval system—without prior written permission of the copyright owner. For more
information, see Legal Notices. 2
3. Assign the FIPS key to the SEDs using the default manufacturer secure ID 0x0 (full read/write access):
::> set -privilege advanced
::*> storage encryption disk modify -fips-key-id 0x0 -disk *   (run this command twice)
5. Assign the data key to the SEDs using the default manufacturer secure ID 0x0 (full read/write access):
::*> storage encryption disk modify -data-key-id 0x0 -disk *   (run this command twice)
6. Verify that all disks have completed the change and have been set from mode 'data' to mode 'open' with key-id 0x0:
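The following script is an added verification check for step 6 and is not part of the NetApp article. It assumes the text output of `storage encryption disk show` has been saved from the cluster; the three-column layout (Disk, Mode, Data Key ID) and the mode values open/data/fips/mixed are assumptions approximating the ONTAP output, and the sample output embedded below is constructed, not captured from a real system. The script lists every disk that is still in a mode other than 'open' or still carries a key ID other than 0x0, so that the OKM configuration is not deleted while a disk is still bound to a key.

```python
"""Check that every self-encrypting disk has returned to mode 'open' with the
manufacturer default secure ID 0x0 before the OKM configuration is deleted.

Added example, not from the NetApp KB article. The column layout and the set
of mode values below are assumptions about the `storage encryption disk show`
output; the sample text is constructed.
"""
import re
import sys

DEFAULT_KEY_ID = "0x0"   # manufacturer secure ID used in steps 3 and 5
TARGET_MODE = "open"     # expected mode once both keys are reset

# Constructed sample output (assumed layout: Disk, Mode, Data Key ID).
SAMPLE_OUTPUT = """\
Disk    Mode Data Key ID
-----   ---- ----------------------------------------------------------------
1.0.0   open 0x0
1.0.1   open 0x0
1.0.2   data F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
1.0.3   open 0x0
4 entries were displayed.
"""

# One disk row: name, a recognised mode value, then the data key ID.
# Header, separator and trailer lines do not match because their second
# token is not one of the assumed mode values.
DISK_ROW = re.compile(r"^(?P<disk>\S+)\s+(?P<mode>open|data|fips|mixed)\s+(?P<key>\S+)$")


def parse_disk_show(text):
    """Return a list of (disk, mode, key_id) tuples from the show output."""
    rows = []
    for line in text.splitlines():
        match = DISK_ROW.match(line.strip())
        if match:
            rows.append((match["disk"], match["mode"], match["key"]))
    return rows


def disks_not_reset(rows):
    """Disks whose mode or key ID has not yet returned to open / 0x0."""
    return [disk for disk, mode, key in rows
            if mode != TARGET_MODE or key != DEFAULT_KEY_ID]


def safe_to_delete_okm(text):
    """True only if at least one disk was parsed and none is still keyed."""
    rows = parse_disk_show(text)
    return bool(rows) and not disks_not_reset(rows)


def report(text):
    """Human-readable summary; returns the list of disks still to fix."""
    rows = parse_disk_show(text)
    pending = disks_not_reset(rows)
    print(f"{len(rows)} disks parsed, {len(pending)} still not open/0x0")
    for disk in pending:
        print(f"  {disk}: re-run the modify commands for this disk")
    if safe_to_delete_okm(text):
        print("All disks are open with key-id 0x0; safe to proceed.")
    return pending


if __name__ == "__main__":
    # Pass a saved show-output file as the first argument, or use the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    sys.exit(1 if report(source) else 0)
```

The check is deliberately strict: an empty or unparsed listing is treated as "not safe", so a copy-paste error or a layout the parser does not understand cannot be mistaken for a clean cluster. Because the default listing shows only the data key, run the same check against a listing produced with `-fields fips-key-id` if you also want to confirm the FIPS key reset from step 3 (the field name follows the `-fips-key-id` parameter used in the modify command above; that it is exposed through `-fields` is an assumption).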
Configure Volumes with New Encryption Keys
Notes:
Additional Information
• Unencrypting volume data
• For NetApp Aggregate Encryption (NAE) follow the procedure for NAE.