
Changing the authentication key

You can change the authentication key at any time by using the key_manager rekey command. You might want to change the authentication key as part of your security protocol or when moving an aggregate to another storage system.

Steps

  1. Access the nodeshell by entering the following command: system node run -node node_name
  2. Perform one of the following actions:
    If you want to change the authentication key and enter a new one manually:
      1. Enter the following command at the storage system prompt: key_manager rekey -manual -key_tag key_tag
      2. When prompted, enter the new authentication key.

         It must be 20 to 32 characters long.

    If you want to change the authentication key and have the system generate a new one automatically:
      Enter the following command at the storage system prompt: key_manager rekey -key_tag key_tag

    key_tag is the label used to associate keys with a particular storage system. If you do not specify a key tag, the storage system uses the key tag specified when you set up Storage Encryption. If you did not specify this key tag during setup, it uses the parent key tag as the default. Each node has a parent key tag. HA pair members share the same parent key tag.
  3. Exit the nodeshell and return to the clustershell by entering the following command: exit

Example

The following command changes the authentication key and prompts you to enter a new one manually. You can run the disk encrypt show command after completion to verify the results.

storage-system> key_manager rekey -manual
Please enter a new passphrase: 
Please reenter the new passphrase: 

New passphrase generated.
Key ID: 080CDCB2000000000100000000000000B0A11CBF3DDD20EFB0FBB5EE198DB22A
Key tag: storage-system

Notice: Remember to store the passphrase and the Key ID in a secure location.

Passphrase, key ID, and key tag synchronized with the following key server(s):
 172.16.132.118
 172.16.132.211
Completed rekey on 4 disks: 4 successes, 0 failures, including 0 unknown key and 0 authentication failures.
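
A check to run on captured rekey output before treating the key change as complete, added here as an example (not NetApp code): it parses the output format shown above and flags a missing Key ID, missing key server synchronization, or any disk that did not rekey. The function names are hypothetical, and it assumes a failed rekey reports its counts with the same wording as the success line on this page.

```python
import re

# Rekey output copied from the example on this page; names below are illustrative.
SAMPLE = """\
New passphrase generated.
Key ID: 080CDCB2000000000100000000000000B0A11CBF3DDD20EFB0FBB5EE198DB22A
Key tag: storage-system

Passphrase, key ID, and key tag synchronized with the following key server(s):
 172.16.132.118
 172.16.132.211
Completed rekey on 4 disks: 4 successes, 0 failures, including 0 unknown key and 0 authentication failures.
"""

SUMMARY = re.compile(r"Completed rekey on (\d+) disks?: (\d+) successes?, (\d+) failures?, "
                     r"including (\d+) unknown key and (\d+) authentication failures?")

def parse_rekey(text):
    """Extract key ID, synchronized key servers and disk counts from the output."""
    key_id = re.search(r"^Key ID:\s*([0-9A-Fa-f]+)\s*$", text, re.M)
    summary = SUMMARY.search(text)
    servers, in_list = [], False
    for line in text.splitlines():
        if "synchronized with the following key server" in line:
            in_list = True          # indented lines that follow are server addresses
        elif in_list and re.fullmatch(r"\s+\S+", line):
            servers.append(line.strip())
        else:
            in_list = False
    return {"key_id": key_id.group(1) if key_id else None,
            "servers": servers,
            "counts": tuple(map(int, summary.groups())) if summary else None}

def rekey_problems(text):
    """Return reasons the rekey is incomplete (assumes failures use the same wording)."""
    r, problems = parse_rekey(text), []
    if not r["key_id"]:
        problems.append("no Key ID reported")
    if not r["servers"]:
        problems.append("no key server synchronization reported")
    if r["counts"] is None:
        return problems + ["no completion summary"]
    disks, ok, failed, unknown, auth = r["counts"]
    if ok != disks or failed:
        problems.append(f"{failed} of {disks} disks failed rekey "
                        f"({unknown} unknown key, {auth} authentication)")
    return problems

if __name__ == "__main__":
    print(rekey_problems(SAMPLE) or "rekey complete on all disks")
```

An empty list means every disk reported success and the key was synchronized to at least one key server; the disk encrypt show command remains the authoritative verification.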