Upload appliance encryption key using the appliance maintenance console

When you enable secure data-at-rest, the appliance encryption key (AEK) is stored in the Composer NVRAM, off the Composer disk. In the unlikely event that the AEK is corrupted or missing, any of the nodes in the HPE OneView cluster may not come up successfully after a restart. In this case, the maintenance console of each node shows the error state of the node.

Error symptom and action required of the user:

  • Error symptom: Both nodes do not start up in a two node cluster. An error message is displayed to the user.
    Action required of the user: Visit the maintenance console of the individual nodes for recovery options.
  • Error symptom: One node comes up successfully in a two node cluster. The failed node shows 'Down' status in the HPE OneView GUI.
    Action required of the user: Visit the maintenance console of the failed node for recovery options.
  • Error symptom: Startup of a single node cluster fails. An error message is displayed to the user.
    Action required of the user: Visit the maintenance console of the failed node for recovery options.

The maintenance console provides corrective actions for the following cases:
  • Corrupted or missing keys: In this case, the administrator must enter the AEK in the maintenance console.
  • Faulty iLO: In this case, users must contact customer support to replace the faulty hardware.

Prerequisites

  • Secure data-at-rest option is set to Yes in the Settings > Security > Secure data-at-rest screen.

Procedure

  1. Access the appliance maintenance console main menu.
  2. Select Upload appliance encryption key. The saved copy of the encryption key must match the AEK in the backup version.
  3. In the subsequent dialog box, copy and paste the appliance encryption key.
    1. To upload the appliance encryption key, enter Y.
    2. To cancel the upload and return to the main menu, enter N.
  4. Verify by observing the encryption key upload and validation operation. The message Appliance encryption key uploaded and validated is displayed when the operation is successful.