Preparing to upgrade nodes using Lenovo Storage Encryption with external key management servers

If you are using Lenovo Storage Encryption (LSE) and upgrading to ONTAP 9.4 or later, you must use the command line interface (CLI) to delete any server connections before performing the upgrade.

Verify that the LSE drives are unlocked, open, and set to the default manufacture secure ID 0x0:storage encryption disk show -disk*
Enter the advanced privilege mode:
set -privilege advanced
Use the default manufacture secure ID 0x0 to assign the FIPS key to the self-encrypting disks (SEDs): storage encryption disk modify -fips-key-id 0x0 -disk *
Verify that assigning the FIPS key to all disks is complete: storage encryption disk show-status
Verify that the mode for all disks is set to data: storage encryption disk show
View the configured KMIP servers: security key-manager show
Delete the configured KMIP servers: security key-manager delete -address kmip_ip_address
Delete the external key manager configuration:security key-manager delete-kmip-config
Note
This step does not remove the LSE certificates.

After the upgrade is complete, you must reconfigure the KMIP server connections.

Give documentation feedback