使用OKM时、在更换TPM芯片主板后、NVE卷脱机
适用场景
- ONTAP 9
- 板载密钥管理器(OKM)
- NetApp 卷加密 (NetApp Volume Encryption, NVE)
- NetApp聚合加密(NAE)
- 支持可信平台模块(TPM)的平台
问题描述
- 在节点上使用TPM芯片更换主板。
- 下次重新启动节点后、OKM会否决此恢复:
Sun Jun 05 01:24:41 +0530 [CLUSTER1-01: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate aggr1 failed due to unavailability of volume encryption keys for the encrypted volumes of the aggregate on the partner node CLUSTER1-02.
- 随后、使用
-override-vetoes true标志手动完成此恢复、导致中断、所有加密卷将脱机。 - 在进行恢复后EMS日志中出现错误:
Sun Jun 05 09:31:13 +0530 [CLUSTER1-02: vv_apply_special11: crypto.import.failed:alert]: ERROR: Import of key with key ID xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx failed. Additional information: wrapping key not found.Sun Jun 05 09:31:13 +0530 [CLUSTER1-02: vv_apply_special11: wafl.mount.transient.error:error]: WAFL: Unable to mount volume vol1, UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx due to Encryption key error.. Volume is taken offline due to transient errors.- 在启动以等待归还之前、启动/控制台日志中会显示一个错误、指示未导入密钥:
Jun 05 10:28:25 [CLUSTER1-02:crypto.okmrecovery.failed:ALERT: ERROR: Import of the onboard key hierarchy failed: failed to import keyfailed.