Set up Cloud Volumes ONTAP to use a customer-managed key in Azure

Contributors netapp-rlithman netapp-bcammett

Data is automatically encrypted on Cloud Volumes ONTAP in Azure using Azure Storage Service Encryption with a Microsoft-managed key. But you can use your own encryption key instead by following the steps on this page.

Data encryption overview

Cloud Volumes ONTAP data is automatically encrypted in Azure using Azure Storage Service Encryption. The default implementation uses a Microsoft-managed key. No setup is required.

If you want to use a customer-managed key with Cloud Volumes ONTAP, then you need to complete the following steps:

  1. From Azure, create a key vault and then generate a key in that vault

  2. From BlueXP, use the API to create a Cloud Volumes ONTAP working environment that uses the key

Key rotation

If you create a new version of your key, Cloud Volumes ONTAP automatically uses the latest key version.

How data is encrypted

BlueXP uses a disk encryption set, which enables management of encryption keys with managed disks, not page blobs. Any new data disks also use the same disk encryption set. Lower versions use a Microsoft-managed key instead of the customer-managed key.

After you create a Cloud Volumes ONTAP working environment that is configured to use a customer-managed key, Cloud Volumes ONTAP data is encrypted as follows.

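For each Cloud Volumes ONTAP configuration, the system disks and data disks used for key encryption are:

  • Single node
    • System disks used for key encryption: Boot, Core, NVRAM
    • Data disks used for key encryption: Root, Data

  • Azure HA single availability zone with page blobs
    • System disks used for key encryption: Boot, Core, NVRAM
    • Data disks used for key encryption: None

  • Azure HA single availability zone with shared managed disks
    • System disks used for key encryption: Boot, Core, NVRAM
    • Data disks used for key encryption: Root, Data

  • Azure HA multiple availability zones with shared managed disks
    • System disks used for key encryption: Boot, Core, NVRAM
    • Data disks used for key encryption: Root, Data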

All Azure storage accounts for Cloud Volumes ONTAP are encrypted using a customer-managed key. If you want to encrypt your storage accounts during their creation, you must create a user-assigned managed identity and provide the ID of that resource in the Cloud Volumes ONTAP creation request. This applies to all types of deployments. If you do not provide it, the storage accounts are still encrypted, but BlueXP first creates the storage accounts with Microsoft-managed key encryption and then updates them to use the customer-managed key.

Create a user-assigned managed identity

You have the option to create a resource called a user-assigned managed identity. Doing so allows you to encrypt your storage accounts when you create a Cloud Volumes ONTAP working environment. We recommend creating this resource prior to creating a key vault and generating a key.

The resource has the following ID: userassignedidentity.

Steps
  1. In Azure, go to Azure services and select Managed Identities.

  2. Click Create.

  3. Provide the following details:

    • Subscription: Choose a subscription. We recommend choosing the same subscription as the Connector subscription.

    • Resource group: Use an existing resource group or create a new one.

    • Region: Optionally, select the same region as the Connector.

    • Name: Enter a name for the resource.

  4. Optionally, add tags.

  5. Click Create.

Create a key vault and generate a key

The key vault must reside in the same Azure subscription and region in which you plan to create the Cloud Volumes ONTAP system.

If you created a user-assigned managed identity, you should also create an access policy for the key vault while you create the key vault.

Steps
  1. Create a key vault in your Azure subscription.

    Note the following requirements for the key vault:

    • The key vault must reside in the same region as the Cloud Volumes ONTAP system.

    • The following options should be enabled:

      • Soft-delete (this option is enabled by default, but must not be disabled)

      • Purge protection

      • Azure Disk Encryption for volume encryption (for single node systems or HA pairs in multiple zones)

    • The following option should be enabled if you created a user-assigned managed identity:

      • Vault access policy

  2. If you selected Vault access policy, click Create to create an access policy for the key vault. If not, skip to step 3.

    1. Select the following permissions:

      • get

      • list

      • decrypt

      • encrypt

      • unwrap key

      • wrap key

      • verify

      • sign

    2. Select the user-assigned managed identity (resource) as the principal.

    3. Review and create the access policy.

  3. Generate a key in the key vault.

    Note the following requirements for the key:

    • The key type must be RSA.

    • The recommended RSA key size is 2048, but other sizes are supported.
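
The key vault and key requirements listed above can be verified before you call the BlueXP API. The following Python check is an added example, not part of the NetApp documentation; it assumes the JSON printed by the Azure CLI commands az keyvault show and az keyvault key show, and the function name and sample values are hypothetical.

```python
# Added example: pre-flight check of a key vault and key against this page's
# requirements. Input shape assumed: `az keyvault show` / `az keyvault key show`.
REQUIRED_KEY_PERMS = {"get", "list", "decrypt", "encrypt",
                      "unwrapkey", "wrapkey", "verify", "sign"}  # ARM names, lowercased

def check_vault(vault, key, cvo_region, needs_disk_encryption, identity_object_id=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    props = vault.get("properties") or {}
    if (vault.get("location") or "").lower() != cvo_region.lower():
        findings.append("vault is not in the Cloud Volumes ONTAP region")
    # Soft-delete is on by default, so only an explicit false is a failure.
    if props.get("enableSoftDelete") is False:
        findings.append("soft-delete is disabled")
    if props.get("enablePurgeProtection") is not True:
        findings.append("purge protection is not enabled")
    # Required for single node systems and HA pairs in multiple zones.
    if needs_disk_encryption and props.get("enabledForDiskEncryption") is not True:
        findings.append("Azure Disk Encryption is not enabled")
    if identity_object_id is not None:
        if props.get("enableRbacAuthorization") is True:
            findings.append("permission model is not Vault access policy")
        granted = set()
        for policy in props.get("accessPolicies") or []:
            if policy.get("objectId") == identity_object_id:
                keys = (policy.get("permissions") or {}).get("keys") or []
                granted |= {p.lower() for p in keys}
        missing = sorted(REQUIRED_KEY_PERMS - granted)
        if missing:
            findings.append("identity lacks key permissions: " + ", ".join(missing))
    if ((key.get("key") or {}).get("kty") or "").upper() != "RSA":
        findings.append("key type is not RSA")
    return findings

# Constructed sample data (not real resources).
SAMPLE_IDENTITY = "00000000-0000-0000-0000-000000000001"  # identity's principal ID
SAMPLE_VAULT = {"location": "eastus", "properties": {
    "enableSoftDelete": True, "enablePurgeProtection": None,
    "enabledForDiskEncryption": True, "enableRbacAuthorization": False,
    "accessPolicies": [{"objectId": SAMPLE_IDENTITY, "permissions": {
        "keys": ["get", "list", "encrypt", "decrypt", "sign", "verify"]}}]}}
SAMPLE_KEY = {"key": {"kty": "RSA"}}

if __name__ == "__main__":
    for finding in check_vault(SAMPLE_VAULT, SAMPLE_KEY, "eastus", True, SAMPLE_IDENTITY):
        print("FAIL:", finding)
```

Pass needs_disk_encryption as False only for an HA pair in a single availability zone, and omit identity_object_id if you did not create a user-assigned managed identity.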

Create a working environment that uses the encryption key

After you create the key vault and generate an encryption key, you can create a new Cloud Volumes ONTAP system that is configured to use the key. These steps are supported by using the BlueXP API.

Required permissions

If you want to use a customer-managed key with a single node Cloud Volumes ONTAP system, ensure that the BlueXP Connector has the following permissions:

"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/diskEncryptionSets/write",
"Microsoft.Compute/diskEncryptionSets/delete",
"Microsoft.KeyVault/vaults/deploy/action",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/vaults/accessPolicies/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
Steps
  1. Obtain the list of key vaults in your Azure subscription by using the following BlueXP API call.

    For an HA pair: GET /azure/ha/metadata/vaults

    For single node: GET /azure/vsa/metadata/vaults

    Make note of the name and resourceGroup. You'll need to specify those values in the next step.

  2. Obtain the list of keys within the vault by using the following BlueXP API call.

    For an HA pair: GET /azure/ha/metadata/keys-vault

    For single node: GET /azure/vsa/metadata/keys-vault

    Make note of the keyName. You'll need to specify that value (along with the vault name) in the next step.

  3. Create a Cloud Volumes ONTAP system by using the following BlueXP API call.

    1. For an HA pair:

      POST /azure/ha/working-environments

      The request body must include the following fields:

      "azureEncryptionParameters": {
          "key": "keyName",
          "vaultName": "vaultName"
      }

      Note: Include the "userAssignedIdentity": "userAssignedIdentityId" field if you created this resource to be used for storage account encryption.

    2. For a single node system:

      POST /azure/vsa/working-environments

      The request body must include the following fields:

      "azureEncryptionParameters": {
          "key": "keyName",
          "vaultName": "vaultName"
      }

      Note: Include the "userAssignedIdentity": "userAssignedIdentityId" field if you created this resource to be used for storage account encryption.

Result

You have a new Cloud Volumes ONTAP system that is configured to use your customer-managed key for data encryption.