Configuring NetApp Storage Encryption

NetApp Storage Encryption (NSE) supports self-encrypting disks (SEDs) that encrypt data as it is written. The data cannot be read without an encryption key stored on the disk. The encryption key, in turn, is accessible only to an authenticated node.

Understanding NSE

On an I/O request, a node authenticates itself to an SED using an authentication key retrieved from an external key management server or the Onboard Key Manager. The SED releases the data encryption key stored on the drive only to a node that presents the correct authentication key, so a drive removed from the system, or a node that cannot reach its key source, cannot read the data.

NSE supports self-encrypting HDDs and SSDs. You can use NetApp Volume Encryption with NSE to “double encrypt” data on NSE drives.
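The clustershell session below is an added example, not taken from the NetApp documentation or from ONTAP's own command reference. It shows the order in which a practitioner would bring NSE up with either key source on ONTAP 9.6 or later, which is where the unified `security key-manager` syntax used here appears (earlier releases use different commands). The cluster name, KMIP host names and ports, certificate names, key tag and key ID are placeholders; lines beginning with `#` are annotations, not ONTAP input.

```text
# 1a. External key manager (KMIP). Install the cluster's client certificate
#     and the KMIP server's CA on the admin SVM, then enable and check.
cluster1::> security certificate install -vserver cluster1 -type client
cluster1::> security certificate install -vserver cluster1 -type server-ca
cluster1::> security key-manager external enable -vserver cluster1 -key-servers kmip1.example.com:5696,kmip2.example.com:5696 -client-cert nse-client -server-ca-certs kmip-ca
cluster1::> security key-manager external show-status
#     Every node should report each key server as available before any
#     key is assigned to a disk: a node that cannot reach the server over
#     a port that is up at boot time cannot unlock its drives.

# 1b. Or: Onboard Key Manager (no external server). The command prompts
#     for a passphrase; keep the passphrase and the backup off-cluster.
cluster1::> security key-manager onboard enable
cluster1::> security key-manager onboard show-backup

# 2.  Create (external) or list (onboard) the NSE authentication key
#     and note its key ID.
cluster1::> security key-manager key create -key-tag nse-ak-2024
cluster1::> security key-manager key query -key-type NSE-AK

# 3.  Bind every drive to that key and verify. All disks of the node or
#     HA pair must be SEDs for the assignment to be meaningful.
cluster1::> storage encryption disk modify -disk * -data-key-id <key-id from step 2>
cluster1::> storage encryption disk show
#     Mode "data" with the expected Data Key ID on each disk means the
#     drives now require the authentication key to unlock.
```

After step 3, test the failure mode you are buying: with an external key manager, take one key server out of the configuration (or block it) and confirm the cluster still reports the remaining servers available, because a disk that cannot reach any key source will not come back after a reboot.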

When to use KMIP servers

Although it is less expensive and typically more convenient to use the Onboard Key Manager, you should set up KMIP servers if any of the following are true:

Support details

The following table shows important NSE support details. See the Interoperability Matrix for the latest information about supported KMIP servers, storage systems, and disk shelves.

Resource or feature: Support details

MetroCluster
    NSE does not support MetroCluster.

Non-homogeneous disk sets
    All disks for a node or HA pair must be self-encrypting. Conforming HA pairs can coexist with non-conforming HA pairs in the same cluster.

10 Gb network interfaces
    Starting with ONTAP 9.3, NSE supports 10 Gb network interfaces for communication with external key management servers.

Ports for communication with the key management server
    Starting with ONTAP 9.3, you can use any storage controller port for communication with the key management server. In earlier releases, use the e0M management port for communication with key management servers. Depending on the storage controller model, certain network interfaces might not be available during the boot process, and a node that cannot reach its key server over an available port at boot cannot unlock its drives.