使用 OKM 时更换 TPM 芯片主板后 NVE 卷离线

最后更新
另存为PDF

Views:: 82

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: core

Last Updated:

适用于

ONTAP 9
板载密钥管理器 (OKM)
NetApp 卷加密 (NetApp Volume Encryption, NVE)
NetApp 聚合加密（NAE）
支持可信平台模块（TPM）的平台

问题描述

在节点上使用 TPM 芯片进行主板更换。
下次重新启动节点后，OKM 将否决回馈：

Sun Jun 05 01:24:41 +0530 [CLUSTER1-01: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate aggr1 failed due to unavailability of volume encryption keys for the encrypted volumes of the aggregate on the partner node CLUSTER1-02.

随后使用-override-vetoes true标记手动完成回馈，导致所有加密卷都处于离线状态。
EMS 日志回馈后的错误：

Sun Jun 05 09:31:13 +0530 [CLUSTER1-02: vv_apply_special11: crypto.import.failed:alert]: ERROR: Import of key with key ID xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx failed. Additional information: wrapping key not found.

Sun Jun 05 09:31:13 +0530 [CLUSTER1-02: vv_apply_special11: wafl.mount.transient.error:error]: WAFL: Unable to mount volume vol1, UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx due to Encryption key error.. Volume is taken offline due to transient errors.

在引导等待回馈之前，引导/控制台日志中会出现一个错误，指示未导入密钥：

Jun 05 10:28:25 [CLUSTER1-02:crypto.okmrecovery.failed:ALERT: ERROR: Import of the onboard key hierarchy failed: failed to import keyfailed.