Encryption

ONTAP offers both software- and hardware-based encryption technologies for ensuring that data at rest cannot be read if the storage medium is repurposed, returned, misplaced, or stolen.

NetApp Volume Encryption

NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key accessible only to the storage system ensures that volume data cannot be read if the underlying device is separated from the system.

Both data, including Snapshot copies, and metadata are encrypted. Each volume is encrypted with its own unique XTS-AES-256 key. A built-in Onboard Key Manager secures the keys on the same system as your data.

You can use NVE on any type of aggregate (HDD, SSD, hybrid, array LUN), with any RAID type, and in any supported ONTAP implementation, including ONTAP Select. You can also use NVE with NetApp Storage Encryption (NSE) to “double encrypt” data on NSE drives, provided that you use the NSE Onboard Key Manager option.

NetApp Storage Encryption

NetApp Storage Encryption (NSE) supports "self-encrypting" disks (SEDs) that encrypt data as it is written. The data cannot be read without an encryption key stored on the disk. The encryption key, in turn, is accessible only to an authenticated node.

On an I/O request, a node authenticates itself to an SED using an authentication key retrieved from an external key management server or the Onboard Key Manager.

NSE supports self-encrypting HDDs and SSDs. You can use NetApp Volume Encryption with NSE to “double encrypt” data on NSE drives, provided that you use the Onboard Key Manager.

When to use KMIP servers

Although it is less expensive and typically more convenient to use the Onboard Key Manager, you should set up KMIP servers if any of the following are true:

  • Your encryption key management solution must comply with Federal Information Processing Standards (FIPS) 140-2 or the OASIS KMIP standard.
  • You need a multi-cluster solution. KMIP servers support multiple clusters with centralized management of encryption keys.

  • Your business requires the added security of storing authentication keys on a system or in a location different from the data. KMIP servers store authentication keys separately from your data.