Managing Lenovo encryption
ONTAP offers a rich set of services for managing encryption. You can restore authentication keys, replace SSL certificates, return SEDs to service when authentication keys are no longer available, and much more.
- Unencrypting volume data
  You can use the volume move start command to move and unencrypt volume data.
- Moving an encrypted volume
  You can use the volume move start command to move an encrypted volume. The moved volume can reside on the same aggregate or a different aggregate.
- Delegating authority to run the volume move command
  You can use the volume move command to encrypt an existing volume, move an encrypted volume, or unencrypt a volume. Cluster administrators can run the volume move command themselves, or they can delegate the authority to run the command to SVM administrators.
- Changing the encryption key for a volume with the volume encryption rekey start command
  It is a security best practice to change the encryption key for a volume periodically. You can use the volume encryption rekey start command to change the encryption key in place.
- Changing the encryption key for a volume with the volume move start command
  It is a security best practice to change the encryption key for a volume periodically. You can also use the volume move start command to change the encryption key, because the destination volume is written with a new key. The moved volume can reside on the same aggregate or a different aggregate.
- Rotating authentication keys for Lenovo Storage Encryption
  You can rotate authentication keys when using Lenovo Storage Encryption (LSE).
- Deleting an encrypted volume
  You can use the volume delete command to delete an encrypted volume.
- Securely purging data on an encrypted volume
  Beginning in ONTAP 9.4, you can use secure purge to non-disruptively scrub data on LVE-enabled volumes. Scrubbing data on an encrypted volume ensures that it cannot be recovered from the physical media, for example, in cases of "spillage," where data traces may have been left behind when blocks were overwritten, or for securely deleting a vacating tenant's data.
- Changing the onboard key management passphrase
  It is a security best practice to change the onboard key management passphrase periodically. You should copy the new onboard key management passphrase to a secure location outside the storage system for future use.
- Backing up onboard key management information manually
  You should copy onboard key management information to a secure location outside the storage system whenever you configure the Onboard Key Manager passphrase.
- Restoring onboard key management encryption keys
  Occasionally, you may need to restore an onboard key management encryption key. Once you have verified that a key needs to be restored, you can run the Onboard Key Manager setup wizard to restore the key.
- Restoring external key management encryption keys
  You can manually restore external key management encryption keys and push them to a different node. You might want to do this if you are adding a new node to the cluster, or restarting a node that was down temporarily when you created the keys for the cluster.
- Replacing SSL certificates
  All SSL certificates have an expiration date. You must update your certificates before they expire to prevent loss of access to authentication keys.
- Replacing a FIPS drive or SED
  You can replace a FIPS drive or SED the same way you replace an ordinary disk. Make sure to assign new data authentication keys to the replacement drive. For a FIPS drive, you may also want to assign a new FIPS 140-2 authentication key.
- Making data on a FIPS drive or SED inaccessible
  If you want to make data on a FIPS drive or SED permanently inaccessible, but keep the drive's unused space available for new data, you can sanitize the disk. If you want to make data permanently inaccessible and you do not need to reuse the drive, you can destroy it.
- Returning a FIPS drive or SED to service when authentication keys are lost
  The system treats a FIPS drive or SED as broken if you lose the authentication keys for it permanently and cannot retrieve them from the KMIP server. Although you cannot access or recover the data on the disk, you can take steps to make the SED's unused space available again for data.
- Returning a FIPS drive or SED to unprotected mode
  A FIPS drive or SED is protected from unauthorized access only if the authentication key ID for the node is set to a value other than the default. You can return a FIPS drive or SED to unprotected mode by using the storage encryption disk modify command to set the key ID back to the default.
- Deleting an external key manager connection
  You can disconnect a KMIP server from a node when you no longer need the server. You might disconnect a KMIP server when you are transitioning to volume encryption, for example.
- Modifying external key management server properties
  Starting with ONTAP 9.6, you can use the security key-manager external modify-server command to change the I/O timeout and username of an external key management server.
- Transitioning to external key management from onboard key management
  If you want to switch to external key management from onboard key management, you must delete the onboard key management configuration before you can enable external key management.
- Transitioning to onboard key management from external key management
  If you want to switch to onboard key management from external key management, you must delete the external key management configuration before you can enable onboard key management.
- What happens when key management servers are not reachable during the boot process
  ONTAP takes certain precautions to avoid undesired behavior in the event that a storage system configured for LSE cannot reach any of the specified key management servers during the boot process.
- Disabling encryption by default with ONTAP 9.7 and later
  Starting with ONTAP 9.7, aggregate and volume encryption is enabled by default if you have a volume encryption (VE) license and use an onboard or external key manager. You can disable encryption by default if required.
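The clustershell commands that the topic summaries above refer to, collected into one worked sequence. This is an added example, not text from the Lenovo documentation set, and it assumes that the Lenovo ONTAP build exposes the same command syntax as NetApp ONTAP 9 (volume move start with -encrypt-destination, volume encryption rekey start, volume encryption secure-purge, security key-manager onboard update-passphrase and sync, security key-manager external modify-server, storage encryption disk modify). The cluster, SVM, volume, aggregate, key-server and disk names (cluster1, vs1, vol1, aggr2, kmip1.example.com:5696, kmipuser, 0.10.*) are placeholders to replace with your own. Lines beginning with # are annotations, not clustershell input.

```console
# Encrypt an existing volume by moving it. The destination aggregate may be
# the same aggregate the volume already lives on; -encrypt-destination is
# what changes the state. Check the move and the is-encrypted flag afterwards.
cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -encrypt-destination true
cluster1::> volume move show -vserver vs1 -volume vol1
cluster1::> volume show -vserver vs1 -volume vol1 -fields is-encrypted

# Unencrypt the same way, with -encrypt-destination false.
cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -encrypt-destination false

# Periodic key rotation, either in place with rekey (ONTAP 9.3 and later)
# or as a side effect of a volume move, which writes the destination with a
# fresh key. rekey show reports progress; do not assume the old key is
# retired until the rekey status shows it has completed.
cluster1::> volume encryption rekey start -vserver vs1 -volume vol1
cluster1::> volume encryption rekey show -vserver vs1
cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -encrypt-destination true

# Secure purge (ONTAP 9.4 and later) scrubs blocks that deleted files left
# behind on an LVE-enabled volume. Delete the sensitive files first, then
# purge, and check secure-purge show before reporting the data as destroyed.
cluster1::> volume encryption secure-purge start -vserver vs1 -volume vol1
cluster1::> volume encryption secure-purge show -vserver vs1

# Onboard Key Manager passphrase rotation: update, sync the change to the
# other nodes, then copy the backup blob off the storage system. A rotated
# passphrase with no off-box backup is a recovery failure waiting to happen.
cluster1::> security key-manager onboard update-passphrase
cluster1::> security key-manager onboard sync
cluster1::> security key-manager onboard show-backup

# External key manager (ONTAP 9.6 and later): change the I/O timeout or
# username of a registered KMIP server, or drop the server when it is no
# longer needed.
cluster1::> security key-manager external modify-server -vserver vs1 -key-server kmip1.example.com:5696 -timeout 60 -username kmipuser
cluster1::> security key-manager external remove-servers -vserver vs1 -key-servers kmip1.example.com:5696

# Return FIPS drives or SEDs to unprotected mode: key ID 0x0 is the default
# (manufacturer) ID, which means no authentication key is needed to unlock
# the drive. Verify with show before considering the drives unprotected.
cluster1::> storage encryption disk modify -disk 0.10.* -data-key-id 0x0
cluster1::> storage encryption disk show -disk 0.10.*

# ONTAP 9.7 and later: turn off encrypt-by-default for newly created
# aggregates and volumes when a VE license and a key manager are present.
cluster1::> options -option-name encryption.data_at_rest_encryption.disable_by_default -option-value on
```

Two of these steps deserve a second look before they are run in production. Setting -data-key-id 0x0 leaves the data on the drives readable by anyone who can attach them, so it belongs only in a decommissioning or key-loss recovery procedure, never in a steady-state configuration. And rotating the onboard passphrase without immediately copying the output of show-backup off-box is worse than not rotating: the old backup no longer matches the cluster, and the new one exists only on the system it is meant to protect.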