Do You Know Your ONTAP Encryption Passphrase?

This post was prompted by a question:

"Q: I think we know the passphrase, but how do I check it is correct?"

Remembering the ONTAP encryption passphrase is very important! If you need to add new nodes to a cluster - or maybe for a headswap - you will need to know the encryption passphrase. And you can only change the passphrase if you know what it is.

When we set up the onboard key manager, we need to create a passphrase:

cluster1::*> security key-manager onboard enable

Enter the cluster-wide passphrase for the Onboard Key Manager:

The above also outputs the backup key (which cannot be deciphered to tell you what the passphrase is).

If we do an update-passphrase but enter the wrong passphrase, it errors:

cluster1::*> security key-manager onboard update-passphrase

Warning: This command will reconfigure the cluster passphrase for the Onboard Key Manager.
Do you want to continue? {y|n}: y
Enter current passphrase:
Error: command failed: Cluster-wide passphrase is incorrect.

And you can run a show-backup to see the backup key is unchanged:

cluster1::*> security key-manager onboard show-backup

When you successfully change the passphrase (this does not affect the encryption keys - it is just the passphrase used to make changes with the OKM) you will get a slightly different backup key (see the appendix for the complete output).

cluster1::*> security key-manager onboard update-passphrase

Warning: This command will reconfigure the cluster passphrase for the Onboard Key Manager.
Do you want to continue? {y|n}: y
Enter current passphrase:
Enter new passphrase:
Reenter the new passphrase:
After updating the Onboard Key Manager passphrase...

Note: If you just want to check the passphrase, do a Ctrl-C when it asks you for the new passphrase.
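As an added example (not from the original post), the same check can be scripted over a pexpect-style session: answer the prompts shown above, and send Ctrl-C at the new-passphrase prompt so a correct passphrase is never actually changed. The session object, and the FakeOntapSession that replays the prompts so this runs offline, are assumptions; the prompt text is taken from the output above.

```python
# Prompts and messages exactly as ONTAP prints them in the sessions above.
CONTINUE_PROMPT = "Do you want to continue? {y|n}:"
CURRENT_PROMPT = "Enter current passphrase:"
NEW_PROMPT = "Enter new passphrase:"
INCORRECT_MSG = "Cluster-wide passphrase is incorrect"
CTRL_C = "\x03"  # what Ctrl-C sends to the terminal


def check_okm_passphrase(session, passphrase):
    """Return True if `passphrase` is the current OKM passphrase, else False.

    `session` is assumed to offer send(text) and expect(patterns) -> index,
    as a pexpect spawn of "ssh admin@cluster1" would. The command is aborted
    with Ctrl-C at the "Enter new passphrase:" prompt, so nothing is changed.
    """
    session.send("security key-manager onboard update-passphrase\n")
    session.expect([CONTINUE_PROMPT])
    session.send("y\n")
    session.expect([CURRENT_PROMPT])
    session.send(passphrase + "\n")
    hit = session.expect([NEW_PROMPT, INCORRECT_MSG])
    if hit == 0:
        session.send(CTRL_C)  # abort before a new passphrase is set
        return True
    return False


class FakeOntapSession:
    """Constructed stand-in for a live session; replays the prompts above."""

    def __init__(self, real_passphrase):
        self._real = real_passphrase
        self.sent = []  # everything the checker sent, in order

    def send(self, text):
        self.sent.append(text)

    def expect(self, patterns):
        step = len(self.sent)
        if step == 1:
            out = CONTINUE_PROMPT
        elif step == 2:
            out = CURRENT_PROMPT
        elif self.sent[2].rstrip("\n") == self._real:
            out = NEW_PROMPT
        else:
            out = "Error: command failed: " + INCORRECT_MSG + "."
        for i, pattern in enumerate(patterns):
            if pattern in out:
                return i
        raise RuntimeError("unexpected output: " + out)
```

Against a real cluster, replace FakeOntapSession with a pexpect session over SSH; the prompts the checker waits for are the ones in the transcript above.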

I think it was ONTAP 9.11.1 where the command became onboard sync when adding new nodes to the cluster:

cluster1::*> security key-manager onboard sync

Enter the cluster-wide passphrase for the Onboard Key Manager:

Before that, it was setup -node NEWNODE:

cluster1::*> security key-manager setup -node NODE-03

Enter the cluster-wide passphrase for the Onboard Key Manager. To continue the configuration, enter the passphrase, otherwise type "exit":

Another Way

There is another way of checking: get the backup from:

security key-manager onboard show-backup

And verify the key with the passphrase:

security key-manager onboard verify-backup

APPENDIX: Output showing that changing the passphrase also subtly changes the backup key.

cluster1::*> security key-manager onboard enable

Enter the cluster-wide passphrase for the Onboard Key Manager:

Re-enter the cluster-wide passphrase:

After setting up the Onboard Key Manager, save the encrypted backup data, displayed below, along with the cluster passphrase in a safe location so that you can use it if you need to perform a manual recovery operation. To view the encrypted backup data again, use the "security key-manager onboard show-backup" command.

--------------------------BEGIN BACKUP--------------------------
---------------------------END BACKUP---------------------------

cluster1::*> security key-manager onboard update-passphrase

Warning: This command will reconfigure the cluster passphrase for the Onboard Key Manager.
Do you want to continue? {y|n}: y

Enter current passphrase:

Enter new passphrase:

Reenter the new passphrase:

After updating the Onboard Key Manager passphrase, save the encrypted backup data, displayed below, along with the cluster passphrase in a safe location so that you can use it if you need to perform a manual recovery operation. To view the encrypted backup data again, use the "security key-manager onboard show-backup" command.

--------------------------BEGIN BACKUP--------------------------
---------------------------END BACKUP---------------------------

It is not the most obvious thing, but the backup keys are different.