How ONTAP Cloud encryption works with SafeNet key managers

Understanding how ONTAP Cloud encryption works with SafeNet key managers can help you set up and use the feature.

The following graphic shows the steps and components involved in the encryption process when using SafeNet key managers:

[Illustration: setting up and using ONTAP Cloud encryption. The steps below describe it.]

  1. The Cloud Manager Admin sets up Cloud Manager as follows:
    1. Generates a certificate signing request (CSR), uses it to obtain a signed certificate from a certificate authority (CA), and then installs the signed certificate in Cloud Manager.
    2. Adds details about key managers and key manager CA certificates in Cloud Manager.
  2. Users launch ONTAP Cloud instances with encryption enabled.

    Cloud Manager sets up ONTAP Cloud by installing the key manager CA certificate, generating and installing a client certificate, configuring the KMIP client, and linking the system to one or more key managers.

    • Users can enable encryption only when launching a new instance in AWS; it cannot be enabled afterward.
    • All data on the system is encrypted, except for the root aggregate, which does not contain user data.
  3. For each aggregate, ONTAP Cloud generates and sends an encryption key to key managers.
  4. Each time ONTAP Cloud boots, it authenticates with key managers to obtain encryption keys, which are then stored in cache and never displayed in cleartext.
    Note: ONTAP Cloud communicates with key managers when it boots and when new aggregates are created. It does not communicate with key managers at any other time.
  5. Before data is written to disk, it is encrypted using XTS-AES.

    When data is read from disk, the encrypted data is decrypted using XTS-AES before being sent.
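The certificate work in step 1 (generate a CSR, have a CA sign it, install the result) is where most KMIP mutual-TLS setups fail, so this added example (not from the ONTAP Cloud documentation) builds a throwaway CA and a CA-signed client certificate with the openssl CLI, then runs the two checks an admin should make before installing the certificate in Cloud Manager: that it chains to the expected CA, and that its public key matches the private key generated with the CSR. The CA name, subject names and the working directory are placeholders chosen for this example.

```shell
#!/bin/sh
# Demo PKI for the Cloud Manager client certificate flow (example only).
set -eu

WORK=${WORK:-$(mktemp -d)}

# Stand-in for the certificate authority of step 1a (self-signed, 1 year).
make_demo_ca() {
  name=$1   # e.g. "demo-ca"; produces $WORK/$name.key and $WORK/$name.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# Step 1a: the private key and CSR that Cloud Manager submits to the CA.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=cloud-manager" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# The CA signs the CSR; the output is the certificate installed in Cloud Manager.
sign_client_csr() {
  ca=$1
  openssl x509 -req -in "$WORK/client.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -days 90 -out "$WORK/client.crt" 2>/dev/null
}

# Pre-install check. Returns 0 only if the signed certificate chains to the
# given CA AND its public key matches client.key; a mismatch on either point
# shows up later as a failed TLS handshake with the key manager.
verify_client_cert() {
  ca=$1
  openssl verify -CAfile "$WORK/$ca.crt" "$WORK/client.crt" >/dev/null 2>&1 \
    || return 1
  cert_pub=$(openssl x509 -in "$WORK/client.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/client.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: issue the certificate and report the check result.
if [ "${1:-}" = "run" ]; then
  make_demo_ca demo-ca
  make_client_csr
  sign_client_csr demo-ca
  verify_client_cert demo-ca && echo "client.crt OK for demo-ca"
fi
```

Run it with `sh script.sh run`; the same `verify_client_cert` check against a different CA file must fail, which is the case to look for when a key manager's CA certificate was entered incorrectly in step 1b.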