
Running the Storage Encryption setup wizard

You launch the Storage Encryption setup wizard by using the key_manager setup command. Run the wizard after you complete setup of the storage system and the storage volumes, or when you need to change Storage Encryption settings after initial setup.

Steps

  1. Access the nodeshell by entering the following command: system node run -node node_name
  2. Enter the following command at the storage system prompt: key_manager setup
  3. Complete the steps in the wizard to configure Storage Encryption.
  4. Exit the nodeshell and return to the clustershell by entering the following command: exit

Example

The following command launches the Storage Encryption setup wizard and shows an example of how to configure Storage Encryption:

storage-system*> key_manager setup
Found client certificate file client.pem.
Registration successful for client.pem.
Found client private key file client_private.pem.
Is this file protected by a passphrase? [no]: 
Registration successful for client_private.pem.
Enter the IP address for a key server, 'q' to quit:  172.22.192.192
Enter the IP address for a key server, 'q' to quit:  q
Enter the TCP port number for kmip server [6001] :

You will now be prompted to enter a key tag name. The
key tag name is used to identify all keys belonging to this
Data ONTAP system. The default key tag name is based on the
system's hostname.

Would you like to use <storage-system> as the default key tag name? [yes]: 

Registering 1 key servers...
Found client CA certificate file 172.22.192.192_CA.pem.
Registration successful for 172.22.192.192_CA.pem.
Registration complete.

You will now be prompted for a subset of your network configuration
setup.  These parameters will define a pre-boot network environment
allowing secure connections to the registered key server(s).

Enter network interface:  e0a
Enter IP address:  172.16.132.165
Enter netmask:   255.255.252.0
Enter gateway:  172.16.132.1

Do you wish to enter or generate a passphrase for the system's
encrypting drives at this time? [yes]:  yes

Would you like the system to autogenerate a passphrase? [yes]:  yes

Key ID: 080CDCB20000000001000000000000003FE505B0C5E3E76061EE48E02A29822C

Make sure that you keep a copy of your passphrase, key ID, and key tag
name in a secure location in case it is ever needed for recovery purposes.

Should the system lock all encrypting drives at this time? yes
Completed rekey on 4 disks: 4 successes, 0 failures, including 0 unknown key and 0 authentication failures.
Completed lock on 4 disks: 4 successes, 0 failures, including 0 unknown key and 0 authentication failures.
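
The final two summary lines are the only confirmation that every encrypting drive was rekeyed and locked, so it is worth checking them mechanically when you capture the wizard output. The following is an added example, not part of the original documentation or of Data ONTAP; the function name and the sample transcripts are constructed for illustration, and the line format is assumed to match the example output above.

```python
import re

# Summary lines printed by the wizard after rekeying and locking the drives.
SUMMARY = re.compile(
    r"Completed (?P<op>rekey|lock) on (?P<total>\d+) disks: "
    r"(?P<ok>\d+) successes, (?P<failed>\d+) failures, including "
    r"(?P<unknown>\d+) unknown key and (?P<auth>\d+) authentication failures"
)
FIELDS = ("total", "ok", "failed", "unknown", "auth")


def check_wizard_output(transcript):
    """Return a list of problems; an empty list means every drive was rekeyed and locked."""
    results = {m["op"]: {f: int(m[f]) for f in FIELDS}
               for m in SUMMARY.finditer(transcript)}
    problems = []
    for op in ("rekey", "lock"):
        r = results.get(op)
        if r is None:
            # A missing line means the step never ran or the capture was cut short.
            problems.append(f"{op}: no summary line found")
        elif r["failed"] or r["ok"] != r["total"]:
            problems.append(
                f"{op}: {r['ok']}/{r['total']} disks succeeded "
                f"({r['unknown']} unknown key, {r['auth']} authentication failures)")
    # A drive that was rekeyed but not locked is still readable without the key server.
    if len(results) == 2 and results["rekey"]["total"] != results["lock"]["total"]:
        problems.append("rekey and lock covered a different number of disks")
    return problems


# Constructed sample transcripts (GOOD reuses the summary lines shown above).
GOOD = """\
Completed rekey on 4 disks: 4 successes, 0 failures, including 0 unknown key and 0 authentication failures.
Completed lock on 4 disks: 4 successes, 0 failures, including 0 unknown key and 0 authentication failures.
"""
BAD = """\
Completed rekey on 4 disks: 3 successes, 1 failures, including 0 unknown key and 1 authentication failures.
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_wizard_output(text) or "all drives rekeyed and locked")
```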