ONTAP Hardware

Decrypt without Key Management Server FAS2220

BoredCoder
2,948 Views

Hi,

 

We're workign on migrating some legacy systems from our FAS2220s. All disks are encrypted.
Having blown the dust off the system, we discover that our key management solution (Tivoli) died a death some time in the past, with little to no hope of recovery.

The FAS systems have been happily working away for quite while, and we don't expect any issues migrating the remainder of the data (touch wood).
I've been asked if the system can be repuropsed, and I find myself lacking in an answer.

Can anyone advise if it's possible to decrypt the disks in the abence of a key? If not, I presume operation can continue as normal under whatever we intend for the system, but if there's a power down, it's all inaccessable.  Essentially, are these disks a write off?

Cheers!

1 ACCEPTED SOLUTION

marcinmf
2,822 Views

Hi, 

We just did some work on our SED system.

 

Based on the Ontap version the commands will be different. Here is the newest guide with all info you will need

https://library.netapp.com/ecm/ecm_download_file/ECMLP2572742

 

Since you dont have access to external key manager do not halt or restart anything. 

 

I am guessing that you are having self-encrypting drives (SEDs) - if you reboot the drives will not be able to authenticate and will come up as broken!

If your root drives are also encrypted then system will simply not boot and after that you can reinstall and start from scratch.

 

If you have all your data and just want to set up new key manager or just use the system in unprotected mode here is what you can do.

 

Returning SEDs to unprotected mode

 

An SED is protected from unauthorized access only if the authentication key ID for the node is set to a value other than the SED's default manufacturer secure ID (MSID), which the system evaluates to 0x0. You can return an SED to unprotected mode by using the storage encryption disk modify command to set the key ID to 0x0.

 

Steps

  1. Set the privilege level to advanced: set -privilege advanced

 

  1. If the SED is running in FIPS-compliance mode, set the FIPS authentication key ID for the node back to the default MSID: storage encryption disk modify -disk disk_id -fips-key-id 0x0

 

You can use the security key-manager query command to view key IDs.

 

Example cluster1::> storage encryption disk modify -disk 2.10.11 -fips-key-id 0x0

 

  1. Set the data authentication key ID for the node back to the default MSID: storage encryption disk modify -disk disk_id -data-key-id 0x0

 

You can use the security key-manager query command to view key IDs.

 

Example cluster1::> storage encryption disk modify -disk 2.10.11 -data-key-id 0x0 

 

 

 

You are almost done.  You have to delete an external key manager connection

security key-manager delete -address key_management_server_ipaddress

 

Example cluster1::> security key-manager delete -address 10.233.1.198

 

 

Now you can reboot and everything will work and be accessible. 

From here you can set up new external key manager and if you are running ontap 9 you can setup onboard key manager.

 

And again if you want to run it in unprotected mode there is nothing else to do.

Let me know if this worked.

Martin

 

View solution in original post

2 REPLIES 2

marcinmf
2,823 Views

Hi, 

We just did some work on our SED system.

 

Based on the Ontap version the commands will be different. Here is the newest guide with all info you will need

https://library.netapp.com/ecm/ecm_download_file/ECMLP2572742

 

Since you dont have access to external key manager do not halt or restart anything. 

 

I am guessing that you are having self-encrypting drives (SEDs) - if you reboot the drives will not be able to authenticate and will come up as broken!

If your root drives are also encrypted then system will simply not boot and after that you can reinstall and start from scratch.

 

If you have all your data and just want to set up new key manager or just use the system in unprotected mode here is what you can do.

 

Returning SEDs to unprotected mode

 

An SED is protected from unauthorized access only if the authentication key ID for the node is set to a value other than the SED's default manufacturer secure ID (MSID), which the system evaluates to 0x0. You can return an SED to unprotected mode by using the storage encryption disk modify command to set the key ID to 0x0.

 

Steps

  1. Set the privilege level to advanced: set -privilege advanced

 

  1. If the SED is running in FIPS-compliance mode, set the FIPS authentication key ID for the node back to the default MSID: storage encryption disk modify -disk disk_id -fips-key-id 0x0

 

You can use the security key-manager query command to view key IDs.

 

Example cluster1::> storage encryption disk modify -disk 2.10.11 -fips-key-id 0x0

 

  1. Set the data authentication key ID for the node back to the default MSID: storage encryption disk modify -disk disk_id -data-key-id 0x0

 

You can use the security key-manager query command to view key IDs.

 

Example cluster1::> storage encryption disk modify -disk 2.10.11 -data-key-id 0x0 

 

 

 

You are almost done.  You have to delete an external key manager connection

security key-manager delete -address key_management_server_ipaddress

 

Example cluster1::> security key-manager delete -address 10.233.1.198

 

 

Now you can reboot and everything will work and be accessible. 

From here you can set up new external key manager and if you are running ontap 9 you can setup onboard key manager.

 

And again if you want to run it in unprotected mode there is nothing else to do.

Let me know if this worked.

Martin

 

BoredCoder
2,774 Views

Martin,

Top banana!
I'll document this for review shortly, as we have finish moving the data off before we can move on to this, but this really helps!

Many thanks!


Public