Ways to encrypt ONTAP Cloud data in AWS

You can choose whether to encrypt data on ONTAP Cloud systems in AWS when you create a new working environment. If data encryption is needed, you can choose between ONTAP Cloud encryption and AWS-managed encryption.

ONTAP Cloud encryption

You can protect your data from unauthorized access by using data-at-rest encryption provided by ONTAP Cloud. This optional feature encrypts and decrypts data using encryption keys that are stored on one or more key managers that are under your control.

Communication with key managers is always secure. ONTAP Cloud connects to key managers using a TLS connection and communicates using the Key Management Interoperability Protocol (KMIP).

ONTAP Cloud uses the XTS-AES algorithm, a mode of the Advanced Encryption Standard (AES), to protect data-at-rest. Before data is written to disk, it is encrypted using XTS-AES. When data is read from disk, the encrypted data is decrypted using XTS-AES before being sent to the requester.

If you use the NetApp Storage Encryption feature with a physical FAS system and enable encryption on an ONTAP Cloud system, any data that you replicate between those systems is decrypted before it is replicated and then re-encrypted after it is replicated.

You must set up and configure a key management infrastructure to use ONTAP Cloud encryption.

Key manager requirements for ONTAP Cloud encryption

Encryption using the AWS KMS

The AWS Key Management Service (KMS) is a managed service that gives you control of encryption keys without having to administer a key management infrastructure. If you choose AWS-managed encryption, Cloud Manager requests data keys using a customer master key (CMK).

AWS Documentation: EBS Encryption

AWS Documentation: What is AWS Key Management Service?

If you want to use this encryption option, then you must ensure that the AWS KMS is set up appropriately.

AWS Key Management Service requirements