Checking LVE or LSE on systems running ONTAP 9.6 and later

Before shutting down the impaired node, you need to check whether the system has either Lenovo Volume Encryption (LVE) or Lenovo Storage Encryption (LSE) enabled. If so, you need to verify the configuration.

  1. Check whether LVE is configured for any volumes in the cluster: volume show -is-encrypted true
    If any volumes are listed in the output, LVE is configured and you need to verify the LVE configuration. If no volumes are listed, check whether LSE is configured.
  2. Check whether LSE is configured: storage encryption disk show
    • If the command output lists the drive details with Mode and Key ID information, LSE is configured and you need to verify the LSE configuration.
    • If no disks are shown, LSE is not configured.
    • If LVE and LSE are not configured, it's safe to shut down the impaired node.

Verifying LVE configuration

  1. Display the key IDs of the authentication keys that are stored on the key management servers: security key-manager query
    • If the Key Manager type displays external and the Restored column displays yes, it's safe to shut down the impaired node.
    • If the Key Manager type displays onboard and the Restored column displays yes, you need to complete some additional steps.
    • If the Key Manager type displays external and the Restored column displays anything other than yes, you need to complete some additional steps.
    • If the Key Manager type displays onboard and the Restored column displays anything other than yes, you need to complete some additional steps.
  2. If the Key Manager type displays onboard and the Restored column displays yes, manually back up the OKM information:
    1. Go to advanced privilege mode and enter y when prompted to continue: set -priv advanced
    2. Enter the command to display the key management information: security key-manager onboard show-backup
    3. Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.
    4. Return to admin mode: set -priv admin
    5. Shut down the impaired node.
  3. If the Key Manager type displays external and the Restored column displays anything other than yes:
    1. Restore the external key management authentication keys to all nodes in the cluster: security key-manager external restore
      If the command fails, contact Lenovo Support.

      https://datacentersupport.lenovo.com/

    2. Verify that the Restored column equals yes for all authentication keys: security key-manager key query
    3. Shut down the impaired node.
  4. If the Key Manager type displays onboard and the Restored column displays anything other than yes:
    1. Enter the onboard security key-manager sync command: security key-manager onboard sync
      Note

      Enter the customer's onboard key management passphrase at the prompt. If the passphrase cannot be provided, contact Lenovo Support.

      https://datacentersupport.lenovo.com/

    2. Verify the Restored column shows yes for all authentication keys: security key-manager key query
    3. Verify that the Key Manager type shows onboard, then manually back up the OKM information.
    4. Go to advanced privilege mode and enter y when prompted to continue: set -priv advanced
    5. Enter the command to display the key management backup information: security key-manager onboard show-backup
    6. Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.
    7. Return to admin mode: set -priv admin
    8. You can safely shut down the node.

Verifying LSE configuration

  1. Display the key IDs of the authentication keys that are stored on the key management servers: security key-manager query
    • If the Key Manager type displays external and the Restored column displays yes, it's safe to shut down the impaired node.
    • If the Key Manager type displays onboard and the Restored column displays yes, you need to complete some additional steps.
    • If the Key Manager type displays external and the Restored column displays anything other than yes, you need to complete some additional steps.
    • If the Key Manager type displays onboard and the Restored column displays anything other than yes, you need to complete some additional steps.
  2. If the Key Manager type displays onboard and the Restored column displays yes, manually back up the OKM information:
    1. Go to advanced privilege mode and enter y when prompted to continue: set -priv advanced
    2. Enter the command to display the key management information: security key-manager onboard show-backup
    3. Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.
    4. Return to admin mode: set -priv admin
    5. You can safely shut down the node.
  3. If the Key Manager type displays external and the Restored column displays anything other than yes:
    1. Enter the external security key-manager sync command: security key-manager external sync
      If the command fails, contact Lenovo Support.

      https://datacentersupport.lenovo.com/

    2. Verify that the Restored column equals yes for all authentication keys: security key-manager key query
    3. You can safely shut down the node.
  4. If the Key Manager type displays onboard and the Restored column displays anything other than yes:
    1. Enter the onboard security key-manager sync command: security key-manager onboard sync
      Enter the customer's onboard key management passphrase at the prompt. If the passphrase cannot be provided, contact Lenovo Support.

      https://datacentersupport.lenovo.com/

    2. Verify the Restored column shows yes for all authentication keys: security key-manager key query
    3. Verify that the Key Manager type shows onboard, then manually back up the OKM information.
    4. Go to advanced privilege mode and enter y when prompted to continue: set -priv advanced
    5. Enter the command to display the key management backup information: security key-manager onboard show-backup
    6. Copy the contents of the backup information to a separate file or your log file. You'll need it in disaster scenarios where you might need to manually recover OKM.
    7. Return to admin mode: set -priv admin
    8. You can safely shut down the node.
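
The decision logic shared by the LVE and LSE verification procedures above, as an added example that is not Lenovo's or ONTAP's own code: it takes one row per authentication key and returns the commands this page requires before the impaired node is shut down, failing closed when the input is empty or unexpected. The CSV row layout (node, Key Manager type, key ID, Restored) and the names `KeyRow`, `parse_rows` and `shutdown_plan` are assumptions for illustration; the sample rows are constructed and the commands are the ones listed on this page.

```python
from collections import namedtuple

# One authentication key per row, transcribed by the operator (assumed layout).
KeyRow = namedtuple("KeyRow", "node manager_type key_id restored")

# Recovery command this page gives for each (feature, Key Manager type) pair.
RECOVER = {
    ("LVE", "external"): "security key-manager external restore",
    ("LSE", "external"): "security key-manager external sync",
    ("LVE", "onboard"): "security key-manager onboard sync",
    ("LSE", "onboard"): "security key-manager onboard sync",
}
# OKM backup sequence for onboard key management; the displayed backup is
# copied to a separate file before returning to admin mode.
OKM_BACKUP = ["set -priv advanced",
              "security key-manager onboard show-backup",
              "set -priv admin"]


def parse_rows(text):
    """Parse constructed CSV rows: node,manager_type,key_id,restored."""
    rows = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"malformed row: {line!r}")
        node, mtype, key_id, restored = fields
        rows.append(KeyRow(node, mtype.lower(), key_id, restored.lower()))
    return rows


def shutdown_plan(feature, rows):
    """Return (safe_now, pending_keys, steps) for the impaired-node shutdown."""
    if not rows:
        raise ValueError("no key rows: cannot confirm keys are restored")
    types = {r.manager_type for r in rows}
    mtype = types.pop()
    if types or (feature, mtype) not in RECOVER:
        raise ValueError("unexpected feature or mixed/unknown Key Manager type")
    pending = [(r.node, r.key_id) for r in rows if r.restored != "yes"]
    steps = []
    if pending:
        # Recover first, then re-query and rerun this check on the new output.
        steps += [RECOVER[(feature, mtype)], "security key-manager key query"]
    if mtype == "onboard":
        steps += OKM_BACKUP
    return (not steps, pending, steps)


# Constructed sample: two onboard keys, one not yet restored.
SAMPLE = "node1,onboard,key-0001,yes\nnode2,onboard,key-0002,no"
```

`shutdown_plan("LVE", parse_rows(SAMPLE))` reports one pending key and returns the onboard sync, the re-query and the OKM backup sequence in that order; an empty step list is the only result that means the node can be shut down immediately.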