topic Re: Onboard Key Manager onboard sync question in ONTAP Discussions

Onboard Key Manager onboard sync question

WAYNEWATKINS — Wed, 04 Jun 2025 11:08:07 GMT

ONTAP version 9.6P7 - Using Onboard KMS for Aggregate Level Encryption -

When I query the KMS using the security key-manager key query command it reports back some keys as False under restored on just one of the nodes (2-node cluster). It then tells me to use the security key-manager onboard sync command to restore a key(s).

I've ran the sync command a couple of times and nothing appears to happen? It still displays False keys?

The only volume I have at the moment is an SVM root volume which was encrypted at creation time in a data aggregate fine.

Has anyone else seen the sync command work before?

Re: Onboard Key Manager onboard sync question

TMACMD — Wed, 27 May 2020 12:22:40 GMT

Please provide the exact commands!

The commands were modified/deprecated into ONTAP 9.7. For using the onboard key-manager, you should be using the:

security key-manager onboard

Command sets. Specifically:

security key-manager onboard sync

I know there was/is a bug when NOT using the "onboard" commands.

Re: Onboard Key Manager onboard sync question

WAYNEWATKINS — Wed, 27 May 2020 12:31:07 GMT

I'm using the following command to check key status

security key-manager key query -node node

Then using the following

security key-manager onboard sync

This then prompts me for the cluster-wide passphrase.

If I check the key status again later it still reports keys needed to be restored?

Thanks

Re: Onboard Key Manager onboard sync question

TMACMD — Wed, 27 May 2020 12:59:59 GMT

Yeah...I think you are seeing the bug I was talking about (Fixed in 9.7 at least, maybe a 9.6P but not sure)

It might be this one.

https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1259828

(although it says fixed in 9.6P7)

Once you upgrade to ONTAP 9.7, this should be fully resolved. I have seen this before. It is a display bug. You could open a case with NetApp Support so they may track it.

Re: Onboard Key Manager onboard sync question

WAYNEWATKINS — Wed, 27 May 2020 13:51:18 GMT

I did hit that bug so I upgraded to 9.6P7 which stopped the "Loop detected in next()" messages.

Now, I am seeing this new issue?

May be it will go away if upgraded 9.7? I'm a bit reluctant to go to 9.7 at the moment as we have seen a performance issue after recently upgrading to 9.7 which is under investigation.

Thank you.