Hi, I'm doing extensive external key manager testing, and am being throttled by not being able to delete the key manager configuration because it says there are encrypted volumes. All the encrypted volumes have been deleted, but I have found from testing that the keys for these volumes aren't deleted from the key manager until some batch process runs in the middle of the night. As long as the keys are still hanging around, the cluster won't let me delete the configuration so I can re-test.
Does anyone know of a way to force the deletion of these keys?
I've tried working around this by creating an encrypted volume for testing purposes and then using the "volume move start" command to unencrypt it, but I'm being told that operation isn't supported for the encrypted volume for some reason. Is that because an external key manager is involved? I assume that command would otherwise work.
All the relevant commands I'm trying and the responses are below.
Error: command failed: Encrypted volumes are found in the cluster. Use the "volume show -encryption-state !none" command to view all such volumes. Move these volumes to plain-text volumes using the "volume move start <vol_name> -vserver <vserver_name> -destination-aggregate <aggr_name> -encrypt-destination false " command before attempting to disable external key management by removing all the keys.
SAT-NVE::*> volume show -encryption-state !none
There are no entries matching your query.
After creating a new encrypted volume to test the volume move start command...
SAT-NVE::*> volume show -encryption-state !none
Vserver   Volume       Aggregate    State      Type Size       Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
SAT-01    vol_jane     SAT_NVE_01_SSD_1 online RW   1GB        972.5MB    0%
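As an added example (not code from the thread or from NetApp), here is a small Python pre-check that parses the output of the `volume show -encryption-state !none` command named in the error message and generates, for every encrypted volume still listed, the `volume move start ... -encrypt-destination false` command the error message prescribes. The sample output is constructed to match the table above, and the destination aggregate name passed in is an assumed placeholder.

```python
"""Pre-check before removing an external key manager from an ONTAP cluster.

Parses `volume show -encryption-state !none` output (the command the error
message points to) and emits the decrypt-by-move command quoted in that
error message for each encrypted volume that is still present.
"""
import re

# Constructed samples, shaped like the output shown in the thread.
SAMPLE_ENCRYPTED = """\
SAT-NVE::*> volume show -encryption-state !none
Vserver   Volume       Aggregate    State      Type Size       Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
SAT-01    vol_jane     SAT_NVE_01_SSD_1 online RW   1GB        972.5MB    0%
"""
SAMPLE_EMPTY = """\
SAT-NVE::*> volume show -encryption-state !none
There are no entries matching your query.
"""


def parse_volume_show(output: str) -> list[dict]:
    """Return one dict per data row; [] when ONTAP reports no entries."""
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    lines = [ln for ln in lines if "::*>" not in ln]        # drop the prompt line
    if not lines or lines[0].startswith("There are no entries"):
        return []
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        if re.fullmatch(r"[-\s]+", ln):                    # dashed separator line
            continue
        fields = ln.split()
        if len(fields) != len(header):                     # wrapped/partial line
            continue                                       # do not mis-assign columns
        rows.append(dict(zip(header, fields)))
    return rows


def decrypt_commands(rows: list[dict], dest_aggr: str) -> list[str]:
    """Build the command from the error message; dest_aggr is an assumed placeholder."""
    return [
        f'volume move start {r["Volume"]} -vserver {r["Vserver"]} '
        f'-destination-aggregate {dest_aggr} -encrypt-destination false'
        for r in rows
    ]


def key_manager_removal_blocked(output: str) -> bool:
    """True while any encrypted volume is listed, i.e. the config delete will fail."""
    return bool(parse_volume_show(output))
```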
Yes, NSE was a little different to work with since taking them back to MSID deleted the keys off the external key manager immediately, enabling you to wipe out the key manager config.
I'm working around it with NVE by just not creating any encrypted volumes now, just to test the certificate installation process and TLS session establishment. As long as I don't create any keys, I can retest as much as I want in any given day.