Skip to main content

Creating authentication keys in ONTAP 9.6 and later

You can use the security key-manager key create command to create the authentication keys for a node and store them on the configured KMIP servers.

Before you begin

You must be a cluster administrator to perform this task.

About this task

If your security setup requires you to use different keys for data authentication and FIPS 140-2 authentication, you should create a separate key for each. If that is not the case, you can use the same authentication key for FIPS compliance that you use for data access.

ONTAP creates authentication keys for all nodes in the cluster.

  • This command is not supported when onboard key management is enabled.

  • You receive a warning if the configured key management servers are already storing more than 128 authentication keys.

    You can use the security key-manager key delete command to delete any unused keys. The security key-manager key delete command fails if the given key is currently in use by ONTAP.

  1. Create the authentication keys for cluster nodes: security key-manager key create -key-tag passphrase_label -prompt-for-key true|false
    Note
    Setting prompt-for-key=true causes the system to prompt the cluster administrator for the passphrase to use when authenticating encrypted drives. Otherwise, the system automatically generates a 32-byte passphrase.

    The security key-manager key create command replaces the security key-manager create-key command. For complete command syntax, see the man page.

    Example

    The following example creates the authentication keys for cluster1 , automatically generating a 32-byte passphrase:

    cluster1::> security key-manager key create
    Key ID: 000000000000000002000000000001006268333f870860128fbe17d393e5083b0000000000000000
  2. Verify that the authentication keys have been created: security key-manager key query -node node
    Note
    The security key-manager key query command replaces the security key-manager query key command. For complete command syntax, see the man page.

    The key ID displayed in the output is an identifier used to refer to the authentication key. It is not the actual authentication key or the data encryption key.

    Example

    The following example verifies that authentication keys have been created for cluster1 :

    cluster1::> security key-manager key query
           Vserver: cluster1
       Key Manager: external
              Node: node1

    Key Tag                               Key Type  Restored
    ------------------------------------  --------  --------
    node1                                 NSE-AK    yes
        Key ID: 000000000000000002000000000001000c11b3863f78c2273343d7ec5a67762e0000000000000000
    node1                                 NSE-AK    yes
        Key ID: 000000000000000002000000000001006f4e2513353a674305872a4c9f3bf7970000000000000000

           Vserver: cluster1
       Key Manager: external
              Node: node2 

    Key Tag                               Key Type  Restored
    ------------------------------------  --------  --------
    node2                                 NSE-AK    yes
        Key ID: 000000000000000002000000000001000c11b3863f78c2273343d7ec5a67762e0000000000000000
    node2                                 NSE-AK    yes
        Key ID: 000000000000000002000000000001006f4e2513353a674305872a4c9f3bf7970000000000000000