You need to configure data-at-rest encryption for your NetApp ONTAP 9.8 cluster. Your company does not have Key Management Interoperability Protocol (KMIP) services available but must require a passphrase to be entered when a node is rebooted.
In this scenario, which two actions should be performed to satisfy these requirements? (Choose two.)
A. Enable onboard key management
B. Enable common criteria mode
C. Configure an external key management server
D. Enable cluster-wide FtPS-compliant mode
A&B
You can opt to require the OKM passphrase by using the -enable-cc-mode true option with the security key-manager setup command.
This can be turned on prior to moving a controller and disk shelves and turned off after the move is complete.
Starting with ONTAP 9.6, the command is security key-manager onboard enable -cc-mode-enabled yes.
A and B are correct
https://docs.netapp.com/us-en/ontap/pdfs/sidebar/Configure_NetApp_Volume_Encryption.pdf
Page 14 says A and B