ONTAP Discussions

Encrypted volume and unreachable external key manager


We're in a bit of a pickle.


In our lab, we have a NetApp appliance running ONTAP 9.6. It was integrated with an external key manager several months ago that was reconfigured. There's one encrypted volume on the appliance that we don't care about. The appliance can no longer communicate with the key manager, but we've loaded new certificates on it to be able to re-establish communication.


This is essentially the same situation that you'd encounter if you let a certificate expire, so I'm following those instructions here:  https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-nve%2FGUID-D457F0DF-420A-4FE7-A782-040878F0D000.html

When I attempt to remove the server as instructed, I'm told I can't because there's an encrypted volume.

SAT-NVE::*> security key-manager external remove-servers -vserver SAT-NVE -key-servers

Error: command failed: The key server at "" contains volume encryption keys that are currently in use and not available from any other configured key server.


When I attempt to delete the encrypted volume, I can't do that because it can't reach the external key manager.

SAT-NVE::*> volume delete -vserver SAT-01 -volume EncryptedVM

Error: command failed: One or more key servers are unavailable for Vserver "SAT-NVE". Use the "security key-manager external show-status -vserver SAT-NVE" command to check the status of the key servers. Verify that the network configuration is correct.

The -force attribute didn't help.


How do I get out of this loop?   





Have you tried "set advanced" and try using the "-force" option with the "volume delete" command?


Yes, thanks, I tried that, and it didn't help.  


I'm concerned for our customers because I don't know they can renew or replace a certificate if they have encrypted volumes (which all our customers do).  




I figured it out. You have to use diagnostic mode to force the update of the certificate, and ignore the warning. Of course the private key will be different for the new certificate, but it will work.


SAT-NVE::security key-manager external*> modify -vserver SAT-NVE -client-cert NetAppNVE_DB1A

Warning: The new client certificate public or private keys are different from the existing client
certificate. This could lead to failure in retrieving the keys from the configured key
Do you want to continue? {y|n}: y
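The warning in the answer above is ONTAP telling you that the replacement client certificate carries a different key pair than the one the KMIP server already trusts. Before forcing the swap in diagnostic mode, it is worth confirming offline that the new certificate is actually usable: that it is within its validity period, that it matches the private key you intend to install, and whether its key pair differs from the old certificate (in which case the key server must have the new client identity registered, or key retrieval will fail exactly as the warning says). The script below is an added example, not part of the thread and not NetApp tooling; it assumes PEM files and the openssl CLI, and the CN values and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a replacement
# NVE/KMIP client certificate before it is pushed to ONTAP with
# "security key-manager external modify -client-cert". Assumes PEM input
# and the openssl CLI; file names and CNs below are constructed.
set -eu

# 0 if the certificate is currently within its validity period
cert_is_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# SHA-256 over the PEM public key carried by a certificate
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# SHA-256 over the PEM public key derived from a private key
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# 0 if the certificate and the private key belong to the same key pair
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# 0 if the new certificate keeps the old certificate's key pair; when it
# does not, ONTAP emits the "keys are different" warning and the KMIP
# server has to know the new client identity before the swap.
same_key_as_old() {
    [ "$(cert_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# preflight OLD_CERT NEW_CERT NEW_KEY: 0 when NEW_CERT is valid and matches
# NEW_KEY; also reports whether the key pair changed relative to OLD_CERT.
preflight() {
    old_cert=$1; new_cert=$2; new_key=$3
    cert_is_valid_now "$new_cert" || { echo "new cert expired or not yet valid"; return 1; }
    cert_matches_key "$new_cert" "$new_key" || { echo "new cert does not match new key"; return 1; }
    if same_key_as_old "$old_cert" "$new_cert"; then
        echo "key pair unchanged: key server already trusts this client identity"
    else
        echo "key pair changed: register the new client cert on the key server before modify"
    fi
}

# Constructed sample material (self-signed, stands in for CA-issued certs).
WORKDIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=SAT-NVE-old \
    -keyout "$WORKDIR/old.key" -out "$WORKDIR/old.crt" 2>/dev/null
# renewal that reuses the old key pair: no warning expected from ONTAP
openssl req -x509 -new -key "$WORKDIR/old.key" -days 365 -subj /CN=SAT-NVE-renew \
    -out "$WORKDIR/renew.crt" 2>/dev/null
# replacement with a brand-new key pair: the situation described in the thread
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=SAT-NVE-new \
    -keyout "$WORKDIR/new.key" -out "$WORKDIR/new.crt" 2>/dev/null

preflight "$WORKDIR/old.crt" "$WORKDIR/renew.crt" "$WORKDIR/old.key"
preflight "$WORKDIR/old.crt" "$WORKDIR/new.crt" "$WORKDIR/new.key"
```

Run it against the old certificate currently on the Vserver, the certificate you are about to install, and its private key. If the key pair has changed, make sure the key server's client registration is updated first; otherwise the forced modify will go through, but the volume keys will still be unreachable until the server trusts the new identity.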
