Exam NS0-162
Question 43

You need to configure data-at-rest encryption for your NetApp ONTAP 9.8 cluster. Your company does not have Key Management Interoperability Protocol (KMIP) services available but must require a passphrase to be entered when a node is rebooted.

In this scenario, which two actions should be performed to satisfy these requirements? (Choose two.)

    Correct Answer: A, B

    To configure data-at-rest encryption in a NetApp ONTAP 9.8 cluster without using KMIP services and requiring a passphrase upon node reboot, the appropriate actions are enabling onboard key management and enabling common criteria mode. Enabling onboard key management provides the internal support for key management, which is necessary for encryption. Common criteria mode requires a passphrase to be entered when a node is rebooted, ensuring additional security. Using an external key management server is not suitable since KMIP services are not available, and enabling cluster-wide FIPS-compliant mode typically necessitates external key management support.

Discussion
khk141

I think A,B...

SirALb

I agree. When enabling onboard key management, by default you are not required to enter a passphrase when the node is rebooted. To be asked for the password, you need to enable the common criteria mode also. Source: Page 13 in the reference.

Joocey

Options: AB

It appears the answer is AB. ONTAP 9.6 and later:

************

This article describes the procedure to configure the Onboard Key Manager (OKM) for password-protected boot. ONTAP versions 9.4 and later have the capability to require the Onboard Key Manager (OKM) passphrase during the system boot process.

1. Run the key manager setup wizard with the following command:

    ::> security key-manager onboard enable -cc-mode-enabled yes

***********

In the above command, "-cc-mode-enabled", CC is for common criteria.

KZM

Options: AB

The FIPS-compliant mode can only be used if the KMIP server is available. The onboard key management encryption and common criteria mode require the passphrase each time a node reboots. So, the answer should be "A" and "B", I think.

ihurd

Options: AB

A and B are correct.

AceGunner

Options: AB

https://docs.netapp.com/us-en/ontap/encryption-at-rest/enable-onboard-key-management-96-later-nve-task.html

"Set cc-mode-enabled=yes to require that users enter the key manager passphrase after a reboot. For NVE, if you set cc-mode-enabled=yes, volumes you create with the volume create and volume move start commands are automatically encrypted. The -cc-mode-enabled option is not supported in MetroCluster configurations. The security key-manager onboard enable command replaces the security key-manager setup command."

Newboy

Options: AD

A&D. A. Enable onboard key management and D. Enable cluster-wide FIPS-compliant mode would satisfy the requirements for data-at-rest encryption with a passphrase required at node reboot.