
Enabling external key management in ONTAP 9.5 and 9.4

You can use one or more KMIP servers to secure the keys the cluster uses to access encrypted data. You can connect up to four KMIP servers to a node. A minimum of two servers is recommended for redundancy and disaster recovery.

Before you begin

  • The KMIP SSL client and server certificates must have been installed.

  • You must be a cluster administrator to perform this task.

  • You must configure the MetroCluster environment before you enable encryption.

About this task

ONTAP configures KMIP server connectivity for all nodes in the cluster.

  1. Configure key manager connectivity for cluster nodes: security key-manager setup
    The key manager setup wizard opens.
  2. Enter the appropriate response at each prompt.
  3. Add a KMIP server: security key-manager add -address key_management_server_ipaddress

    Example

    cluster1::> security key-manager add -address 20.1.1.1
  4. Add an additional KMIP server for redundancy: security key-manager add -address key_management_server_ipaddress

    Example

    cluster1::> security key-manager add -address 20.1.1.2
  5. Verify that all configured KMIP servers are connected: security key-manager show -status

    For complete command syntax, see the man page.

    Example

    cluster1::> security key-manager show -status

    Node           Port Registered Key Manager Status
    -------------- ---- ---------------------- ---------------
    node1          5696 20.1.1.1               available
    node1          5696 20.1.1.2               available
    node2          5696 20.1.1.1               available
    node2          5696 20.1.1.2               available
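Step 5 is the check that matters operationally: a node with only one reachable KMIP server has lost the redundancy the procedure calls for, and that condition is easy to miss when reading a long status table by eye. The following Python script is an added example (not NetApp code and not part of the original page) that parses the text output of security key-manager show -status, as shown above, and reports every node that has fewer than two servers in the available state or any server in a non-available state. The sample output is constructed to resemble the example table; the non-available status string in the second node's row is an invented value used only to exercise the check, and the script assumes the status text is collected out-of-band (for example over SSH) and passed in as a string.

```python
"""Verify KMIP server redundancy from `security key-manager show -status` output.

Added example, not NetApp code. Assumes the command output is captured as text
(e.g. over SSH) and handed to parse_status(); the check itself is offline.
"""
import re
from collections import defaultdict

# Constructed sample output modelled on the example table in the procedure.
# The "unreachable" status on node2's second server is an invented value used
# only to show how a degraded node is reported.
SAMPLE_STATUS = """\
Node           Port Registered Key Manager Status
-------------- ---- ---------------------- ---------------
node1          5696 20.1.1.1               available
node1          5696 20.1.1.2               available
node2          5696 20.1.1.1               available
node2          5696 20.1.1.2               unreachable
"""

# One data row: node, numeric port, key manager address, status word.
ROW = re.compile(r"^(?P<node>\S+)\s+(?P<port>\d+)\s+(?P<server>\S+)\s+(?P<status>\S+)\s*$")


def parse_status(text):
    """Return a list of (node, port, server, status) tuples.

    Header and separator lines are skipped; any line that does not look like
    a data row is ignored rather than raising, so stray prompt text is harmless.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or line.split()[0] == "Node":
            continue
        m = ROW.match(line)
        if m:
            rows.append((m["node"], int(m["port"]), m["server"], m["status"].lower()))
    return rows


def check_redundancy(rows, minimum=2):
    """Map each node name to a list of problems; an empty list means the node is healthy.

    A node is flagged when any registered server is not 'available' or when
    fewer than `minimum` distinct servers are available (two is the minimum
    the procedure recommends for redundancy and disaster recovery).
    """
    available = defaultdict(set)
    problems = defaultdict(list)
    for node, port, server, status in rows:
        if status == "available":
            available[node].add(server)
        else:
            problems[node].append(f"{server}:{port} is {status}")
    report = {}
    for node in sorted(set(available) | set(problems)):
        issues = list(problems[node])
        if len(available[node]) < minimum:
            issues.append(
                f"only {len(available[node])} available KMIP server(s), need {minimum}"
            )
        report[node] = issues
    return report


def unhealthy_nodes(text, minimum=2):
    """Convenience wrapper: names of nodes that fail the redundancy check."""
    report = check_redundancy(parse_status(text), minimum)
    return [node for node, issues in report.items() if issues]


if __name__ == "__main__":
    for node, issues in check_redundancy(parse_status(SAMPLE_STATUS)).items():
        state = "OK" if not issues else "; ".join(issues)
        print(f"{node}: {state}")
```

In practice the script would be fed the live output of the command rather than the constructed sample, and a non-empty result from unhealthy_nodes() is the signal to investigate KMIP server reachability before relying on the cluster for encrypted data access.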