topic Re: NVE: Force immediate deletion of keys from external key manager in ONTAP Discussions

NVE: Force immediate deletion of keys from external key manager

JaneGil — Wed, 04 Jun 2025 12:57:18 GMT

Hi,
I'm doing extensive external key manager testing, and am being throttled by not being able to delete the key manager configuration because it says there are encrypted volumes. All the encrypted volumes have been deleted, but I have found from testing that the keys for these volumes aren't deleted from the key manager until some batch process runs in the middle of the night. As long as the keys are still hanging around, the cluster won't let me delete the configuration so I can re-test.

Does anyone know of a way to force the deletion of these keys?

I've tried working around this by creating an encrypted volume for testing purposes and then using the "volume move start" command to unencrypt it, but I'm being told that operation isn't supported for the encrypted volume for some reason. Is that because an external key manager is involved? I assume that command would otherwise work.

All the relevant commands I'm trying and the responses are below.

Thanks.
Jane

SAT-NVE::*> security key-manager delete-kmip-config

Error: command failed:
Encrypted volumes are found in the cluster. Use the "volume show
-encryption-state !none" command to view all such volumes. Move these
volumes to plain-text volumes using the "volume move start <vol_name>
-vserver <vserver_name> -destination-aggregate <aggr_name>
-encrypt-destination false " command before attempting to disable
external key management by removing all the keys.

SAT-NVE::*> volume show -encryption-state !none
There are no entries matching your query.

After creating a new encrypted volume to test the volume move start command...

SAT-NVE::*> volume show -encryption-state !none
Vserver Volume Aggregate State Type Size Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
SAT-01 vol_jane SAT_NVE_01_SSD_1
online RW 1GB 972.5MB 0%

SAT-NVE::*> volume move start vol_jane -vserver SAT-NVE -destination-aggregate SAT_VNE_01_SSD_2 -encrypt-destination false

Error: command failed: This operation is not supported for the system volume "vol_jane".

Re: NVE: Force immediate deletion of keys from external key manager

AlexDawson — Wed, 16 Jan 2019 02:55:26 GMT

Hi there!

We have this document available which outlines how to make data inaccessible in given scenarios - while it is written for self encrypting drives, many of the concepts are the same for NVE.

I acknowledge it doesn't directly answer your question -I am providing it to perhaps help inform testing and use scenarios for encrypted volumes.

If you don't have any luck here with a direct answer, I suggest that you should submit a support case.

Re: NVE: Force immediate deletion of keys from external key manager

JaneGil — Wed, 16 Jan 2019 21:07:28 GMT

Hi Alex,

Thanks for the response.

Yes, NSE was a little different to work with since taking them back to MSID deleted the keys off the external key manager immediately enabling you to wipe out out the key manager config.

I'm working around it with NVE by just not creating any encrypted volumes now just to test the certificate installation process and TLS session establishment. As long as I don't create any keys, I can retest as much as I want in any give day.

Thanks again.

Jane

Re: NVE: Force immediate deletion of keys from external key manager

anemic_iceman — Thu, 25 Apr 2019 17:52:17 GMT

You need to purge the deleted volume from the recovery-queue, then the keys on kmip server will be removed.

Re: NVE: Force immediate deletion of keys from external key manager

JaneGil — Fri, 26 Apr 2019 13:43:21 GMT

Thanks for this!!