Transitioning to external key management from onboard key management
If you want to switch to external key management from onboard key management, you must delete the onboard key management configuration before you can enable external key management.
Before you begin
For hardware-based encryption, you must reset the data keys of all FIPS drives or SEDs to the default value.
For software-based encryption, you must unencrypt all volumes.
You must be a cluster administrator to perform this task.
Delete the onboard key management configuration for a cluster:
| For this ONTAP version... | Use this command... |
|---|---|
| ONTAP 9.6 and later | security key-manager onboard disable |
| ONTAP 9.5 and earlier | security key-manager delete-key-database |
For complete command syntax, see the man pages.
Example
The following ONTAP 9.6 command deletes the onboard key management configuration for cluster1:
cluster1::> security key-manager onboard disable