AFF

SED disk encryption key query

Baiju625

Hi Experts.

On an AFF cluster with 16 SED disks, I have assigned one of the keys shown in "security key-manager key show". Just wanted to check if this is ok, or do I need to assign a key from Node1 to Node1-assigned disks and a key from Node2 to Node2-assigned disks?

Also, "security key-manager key show" displays at least a dozen keys. Is it ok to use any one of the keys for encryption purposes?

Note: the display below is edited and the key is just an arbitrary key.

CLUS1> storage encryption disk show
Disk Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.0.0 data 00000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.1 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.2 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.3 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.4 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.5 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.6 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.7 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.16 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.17 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.18 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.19 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.20 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.21 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.22 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.23 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
16 entries were displayed.


1 ACCEPTED SOLUTION

darb0505

@Baiju625,

Unless your security protocol requires you to use multiple keys, then you are fine with just using one.

Reference: Enable onboard key management in ONTAP 9.6 and later and Assign a data authentication key to a FIPS drive or SED (onboard key management)

You can also rotate the keys if that is required. KB: How to rotate encryption keys for NetApp Storage Encryption (NSE) explains the process of rotating the keys for both the External and Onboard key manager (OKM).

Let us know if you have any follow up questions.


Thanks,

Brad


Team NetApp
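The answer above says a single key ID across all the SEDs is fine unless policy demands otherwise. The check a practitioner wants after assigning keys is a different one: that no drive was left on its manufacturer default key, and that the listing really covers every drive. The script below is an added example written for this page, not NetApp code or anything posted in the thread. It parses output in the same layout as the `storage encryption disk show` listing pasted in the question, reports drives whose Data Key ID is `0x0` or all zeros (assumed here to be how ONTAP shows a drive still on its MSID default, i.e. not locked), counts how many distinct non-default key IDs are in use, and cross-checks the row count against the "N entries were displayed." trailer. The sample listing embedded in it is constructed for the example; the function and variable names are the example's own.

```python
"""Audit a `storage encryption disk show` listing (added example).

Flags drives still on the default key and counts distinct key IDs in use.
Assumption: an unassigned/default drive shows a Data Key ID of 0x0 or all
zeros, and the listing ends with an "N entries were displayed." trailer.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the listing in the question. Two drives
# (1.0.2 and 2.0.0) are deliberately left on a default key ID so the
# audit has something to report; the long key is an arbitrary value.
SAMPLE_OUTPUT = """\
CLUS1> storage encryption disk show
Disk Mode Data Key ID
-------- ---- ----------------------------------------------------------------
1.0.0 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.1 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
1.0.2 data 0x0
1.0.3 data 0000000000000000012345567788999000007AADFA22323929ADSDKSJ11111SS
2.0.0 data 0000000000000000000000000000000000000000000000000000000000000000
5 entries were displayed.
"""

# One row per disk: "<stack>.<shelf>.<bay> <mode> <key id>"
DISK_RE = re.compile(r"^(\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s*$")
TRAILER_RE = re.compile(r"^(\d+) entries were displayed\.")


def is_default_key(key_id):
    """True when the key ID is 0x0 or consists only of zeros (assumed to
    mean the drive is still using its manufacturer default key)."""
    k = key_id.strip().lower()
    return k == "0x0" or k.strip("0") == ""


def parse_disk_show(text):
    """Return (rows, declared_count); rows are (disk, mode, key_id).

    Table rows are only collected after the dashed header separator, and
    parsing stops at the "N entries were displayed." trailer.
    """
    rows, declared, in_table = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_table = True
            continue
        m = TRAILER_RE.match(line)
        if m:
            declared = int(m.group(1))
            break
        if in_table:
            m = DISK_RE.match(line)
            if m:
                rows.append(m.groups())
    return rows, declared


def audit(text):
    """Summarise a listing: disk count, whether it matches the trailer,
    number of distinct non-default key IDs, and unprotected drives."""
    rows, declared = parse_disk_show(text)
    by_key = defaultdict(list)
    unprotected = []
    for disk, _mode, key_id in rows:
        by_key[key_id].append(disk)
        if is_default_key(key_id):
            unprotected.append(disk)
    return {
        "disks": len(rows),
        "count_matches": declared is None or declared == len(rows),
        "distinct_keys": sum(1 for k in by_key if not is_default_key(k)),
        "unprotected": unprotected,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_OUTPUT)
    print(f"{result['disks']} disks parsed, trailer count ok: {result['count_matches']}")
    print(f"distinct non-default key IDs in use: {result['distinct_keys']}")
    for disk in result["unprotected"]:
        print(f"WARNING: {disk} is still on the default key ID (not locked)")
```

Paste real `storage encryption disk show` output into `SAMPLE_OUTPUT` (or read it from a file) to run the same check on a cluster; a non-empty `unprotected` list means a drive still needs a data authentication key assigned, and `distinct_keys` greater than one tells you more than one key ID is in play, which matters when you later rotate keys.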
