NetAppDocs / ontap-systems-upgrade

https://docs.netapp.com/us-en/ontap-systems-upgrade/

Need to add steps when onboard key manager is configured to restore onboard key hierarchy from special boot menu #13

Closed wdiane1 closed 2 years ago

wdiane1 commented 2 years ago

Need to add steps when onboard key manager is configured to restore onboard key hierarchy from special boot menu on new controller after head swap at the very end.

(10) Set Onboard Key Manager recovery secrets. (11) Configure node for external key management.

Selection (1-10)? 10

  1. From the cluster CLI, issue the command security key-manager backup show. This will be needed for the Boot Menu steps.
  2. From the LOADER> prompt on the new platform, enter boot_ontap menu to access the Boot Menu.
  3. Select option (10) Set Onboard Key Manager recovery secrets: Selection (1-10)? 10
  4. Enter the cluster passphrase twice (the passphrase was configured during OKM setup).
  5. Paste the output of backup content from Step 1 as shown in red below.
  6. After the node boots to "Waiting for giveback...", perform storage failover giveback -ofnode -only-cfo-aggregates true
  7. After the node boots, enter security key-manager setup -node to properly update the configuration of the node to the boot media. Note: you will need to enter the cluster passphrase again at this step.
  8. Verify that the SVM-KEK authentication key on the node where the boot media was replaced shows as restored yes; enter security key-manager key show -used-by SVM-KEK -fields restored
  9. Only after confirming SVM-KEK is restored, give back the data aggregates; enter storage failover giveback -ofnode

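
A fail-closed check for the gate between steps 8 and 9, added here as an example; it is not part of the comment above or of NetApp's documentation. It assumes the step 8 output was saved as text with a header row containing a "restored" column; the function names, the sample rows and that layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NetApp code). Reads saved output of the step 8 command on
# stdin. Assumed layout: a header row with a "restored" column, a dashed
# separator, then one row per key. Exit 0 = all restored, 1 = some key not
# restored, 2 = output could not be interpreted (treated as "do not proceed").
okm_restore_gate() {
    awk '
        col == 0 {                        # still looking for the header row
            for (i = 1; i <= NF; i++)
                if (tolower($i) == "restored") col = i
            next
        }
        /^[- ]*$/ { next }                # separator or blank line
        /entries were displayed/ { next } # trailing count line, if present
        {
            rows++
            v = tolower($col)
            if (v != "yes" && v != "true") {
                bad++
                print "NOT RESTORED: " $0 > "/dev/stderr"
            }
        }
        END {
            if (col == 0 || rows == 0) {
                print "no SVM-KEK rows found; refusing to proceed" > "/dev/stderr"
                exit 2
            }
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Constructed sample output; node names and key IDs are placeholders.
sample_ok() {
    printf '%s\n' \
        'node      key-id              restored' \
        '--------- ------------------- --------' \
        'node-new  KEY-ID-PLACEHOLDER  yes'
}
sample_pending() {
    printf '%s\n' \
        'node      key-id              restored' \
        '--------- ------------------- --------' \
        'node-new  KEY-ID-PLACEHOLDER  no'
}

sample_ok | okm_restore_gate && echo "SVM-KEK restored: continue to step 9"
```

An empty or unrecognised capture exits with status 2, so a failed login or truncated paste is never mistaken for a restored key hierarchy.
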
netapp-pcarriga commented 2 years ago

Hi Diane, thanks for the feedback. I've created a BURT ticket to track this issue and update the documentation. Thanks! Paula

netapp-pcarriga commented 2 years ago

Hi Diane, to help give context on the feedback, could you please provide the following information:

Thanks!

wdiane1 commented 2 years ago

Hi Paula,

It relates to onboard key manager with NVE volumes. With root volume encryption the node will not boot, which is something which needs to be addressed as well as part of controller head swap.

…Diane

From: Paula Carrigan @.> Sent: Wednesday, December 15, 2021 1:36 PM To: NetAppDocs/ontap-systems-upgrade @.> Cc: Williford, Diane @.>; Author @.> Subject: Re: [NetAppDocs/ontap-systems-upgrade] Need to add steps when onboard key manager is configured to restore onboard key hierarchy from special boot menu (Issue #13)


Hi Diane, to help give context on the feedback, could you please provide the following information:


netapp-pcarriga commented 2 years ago

Thanks, Diane.

wdiane1 commented 2 years ago

NVE and encrypted root volume

ntap-bmegan commented 2 years ago

@netapp-pcarriga - Please update status or close if work is complete.

netapp-pcarriga commented 2 years ago

@wdiane1 - This update has been included and is being tracked in GH https://github.com/NetAppDocs/ontap-systems-upgrade/issues/35. Closing this issue.