Modifying the key ID on an NSE disk fails because the key ID is missing from the key cache
Applies to
- ONTAP 9
- NetApp Storage Encryption (NSE)
- Federal Information Processing Standards (FIPS)
- External Key Manager (EKM)
Issue
- Setting the data key ID to 0x0 on one specific NSE disk fails with the following error:
::> storage encryption disk modify -disk 1.0.4 -data-key-id 0x0
Error: Setting the data key ID to the manufacture secure ID is not allowed when in FIPS-compliance mode.
- The command to change the FIPS key ID to 0x0 runs without an error, but the operation does not complete successfully:
::> storage encryption disk modify -disk 1.0.4 -fips-key-id 0x0
Info: Starting modify on 1 disk on node Node-02.
View the status of the operation by using the "storage encryption disk show-status" command.
::> storage encryption disk show-status
        FIPS    Latest   Start              Execution  Disks  Disks  Disks
Node    Support Request  Timestamp          Time (sec) Begun  Done   Successful
------- ------- -------- ------------------ ---------- ------ ------ ----------
Node-01 true    modify   8/25/2023 09:59:57 2          12     12     12
Node-02 true    modify   8/29/2023 06:15:37 0          1      1      0
2 entries were displayed.
- The data key ID and FIPS key ID of this specific disk differ from those of the other disks:
::> storage encryption disk show -fields fips-key-id,data-key-id
disk    data-key-id                                 fips-key-id
------- ------------------------------------------- -------------------------------------------
1.0.1   000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775 000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775
1.0.2   000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775 000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775
1.0.3   000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775 000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775
1.0.4   000000000000010022F3E53E0AXXXXXXXXXXXX360DF 000000000000010022F3E53E0AXXXXXXXXXXXX360DF
- Attempting to restore the keys reports that there is nothing to restore:
::> security key-manager restore
No keys need to be restored
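The second and third symptoms above can be spotted automatically across a larger system. The following added example (not NetApp's or ONTAP's own code) parses the quoted output of `storage encryption disk show -fields fips-key-id,data-key-id` and `storage encryption disk show-status`, flagging disks whose key-ID pair differs from the majority and nodes whose last modify did not succeed on every disk; the sample text is constructed from the masked output shown in this article.

```python
from collections import Counter

# Constructed sample, copied from the masked output quoted in this article.
SHOW_OUTPUT = """\
disk    data-key-id                                 fips-key-id
------- ------------------------------------------- -------------------------------------------
1.0.1   000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775 000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775
1.0.2   000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775 000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775
1.0.3   000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775 000000000000100ABA0F6E8XXXXXXXXXXXXXXXX8775
1.0.4   000000000000010022F3E53E0AXXXXXXXXXXXX360DF 000000000000010022F3E53E0AXXXXXXXXXXXX360DF
"""

STATUS_OUTPUT = """\
        FIPS    Latest   Start              Execution  Disks  Disks  Disks
Node    Support Request  Timestamp          Time (sec) Begun  Done   Successful
------- ------- -------- ------------------ ---------- ------ ------ ----------
Node-01 true    modify   8/25/2023 09:59:57 2          12     12     12
Node-02 true    modify   8/29/2023 06:15:37 0          1      1      0
2 entries were displayed.
"""

def parse_disk_key_ids(output: str) -> dict[str, tuple[str, str]]:
    """Map disk name -> (data-key-id, fips-key-id); skips header/separator rows."""
    disks = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows have exactly three fields and a disk name like "1.0.4".
        if len(parts) == 3 and parts[0][0].isdigit() and "." in parts[0]:
            disks[parts[0]] = (parts[1], parts[2])
    return disks

def find_key_id_outliers(output: str) -> list[str]:
    """Disks whose (data-key-id, fips-key-id) pair is not the majority pair."""
    disks = parse_disk_key_ids(output)
    if not disks:
        return []
    majority, _ = Counter(disks.values()).most_common(1)[0]
    return sorted(d for d, ids in disks.items() if ids != majority)

def find_failed_modify_nodes(output: str) -> list[str]:
    """Nodes whose last request finished on more disks than it succeeded on."""
    failed = []
    for line in output.splitlines():
        parts = line.split()
        # Data rows: Node Support Request Date Time Exec Begun Done Successful
        if len(parts) == 9 and parts[1] in ("true", "false"):
            done, successful = int(parts[7]), int(parts[8])
            if done != successful:
                failed.append(parts[0])
    return failed
```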