ONTAP Discussions

NVE: Force immediate deletion of keys from external key manager

JaneGil
4,758 Views

Hi,
I'm doing extensive external key manager testing, and am being throttled by not being able to delete the key manager configuration because it says there are encrypted volumes.  All the encrypted volumes have been deleted, but I have found from testing that the keys for these volumes aren't deleted from the key manager until some batch process runs in the middle of the night.  As long as the keys are still hanging around,  the cluster won't let me delete the configuration so I can re-test.   


Does anyone know of a way to force the deletion of these keys?    


I've tried working around this by creating an encrypted volume for testing purposes and then using the "volume move start" command to unencrypt it, but I'm being told that operation isn't supported for the encrypted volume for some reason.    Is that because an external key manager is involved?    I assume that command would otherwise work.

All the relevant commands I'm trying and the responses are below.

Thanks.
Jane


 

SAT-NVE::*> security key-manager delete-kmip-config

Error: command failed:
Encrypted volumes are found in the cluster. Use the "volume show
-encryption-state !none" command to view all such volumes. Move these
volumes to plain-text volumes using the "volume move start <vol_name>
-vserver <vserver_name> -destination-aggregate <aggr_name>
-encrypt-destination false " command before attempting to disable
external key management by removing all the keys.

SAT-NVE::*> volume show -encryption-state !none
There are no entries matching your query.

After creating a new encrypted volume to test the volume move start command...

SAT-NVE::*> volume show -encryption-state !none
Vserver Volume Aggregate State Type Size Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
SAT-01 vol_jane SAT_NVE_01_SSD_1
online RW 1GB 972.5MB 0%

SAT-NVE::*> volume move start vol_jane -vserver SAT-NVE -destination-aggregate SAT_VNE_01_SSD_2 -encrypt-destination false

Error: command failed: This operation is not supported for the system volume "vol_jane".




1 ACCEPTED SOLUTION

anemic_iceman
4,471 Views

You need to purge the deleted volume from the recovery-queue, then the keys on kmip server will be removed.

View solution in original post

4 REPLIES 4

AlexDawson
4,719 Views

Hi there!

 

We have this document available which outlines how to make data inaccessible in given scenarios - while it is written for self encrypting drives, many of the concepts are the same for NVE.

 

I acknowledge it doesn't directly answer your question -I am providing it to perhaps help inform testing and use scenarios for encrypted volumes.

 

If you don't have any luck here with a direct answer, I suggest that you should submit a support case.

JaneGil
4,661 Views

Hi Alex,

 

Thanks for the response.

 

Yes, NSE was a little different to work with since taking them back to MSID deleted the keys off the external key manager immediately enabling you to wipe out out the key manager config.  


I'm working around it with NVE by just not creating any encrypted volumes now just to test the certificate installation process and TLS session establishment.   As long as I don't create any keys, I can retest as much as I want in any give day.

Thanks again.

Jane

anemic_iceman
4,472 Views

You need to purge the deleted volume from the recovery-queue, then the keys on kmip server will be removed.

JaneGil
4,387 Views

Thanks for this!!

Public