You can perform various tasks to manage Storage Encryption, including viewing and removing key management servers, and creating, deleting, restoring and synchronizing authentication keys.
Adding key management servers
You can use the key_manager add command to link key management servers to the storage system. This enables you to add additional key management servers for redundancy after initial setup or to replace existing key management servers.
Verifying key management server links You use the key_manager status or key_manager query commands to verify that all key management servers are successfully linked to the storage system. These commands are useful for verifying proper operation and troubleshooting.
Removing key management servers
If you no longer want to use a key management server to store authentication keys used by self-encrypting disks in the storage system, you can remove the key management server link to the storage system by using the key_manager remove command.
Changing the authentication key
You can change the authentication key at any time by using the key_manager rekey command. You might want to change the authentication key as part of your security protocol or when moving an aggregate to another storage system.
Retrieving authentication keys
You can use the key_manager restore command to retrieve authentication keys from a key management server to a storage system. For example, when you created authentication keys on a node, you use this command to retrieve the keys for use on the partner node.
SSL issues due to expired certificates
If the SSL certificates used to secure key management communication between the storage system and key management servers expire, the storage system can no longer retrieve authentication keys from the key management server at bootup. This issue can cause data on SEDs to be unavailable. You can prevent this issue by updating all SSL certificates before their individual expiration dates.
Returning SEDs to unprotected mode
If your storage system is configured to use Storage Encryption but you decide to stop using this feature, you can do so by returning the SEDs to unprotected mode. You cannot disable Storage Encryption altogether because SEDs always encrypt data for storage. However, you can return them to unprotected mode where they no longer use secret authentication keys, and use the default MSID instead.