Configuring NetApp Volume Encryption

NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key accessible only to the storage system ensures that volume data cannot be read if the underlying device is repurposed, returned, misplaced, or stolen.

Understanding NVE

Both data, including Snapshot copies, and metadata are encrypted. Access to the data is given by a unique XTS-AES-256 key, one per volume. An external key management server or the Onboard Key Manager serves keys to nodes.

You can enable encryption on a new or existing volume. NVE supports the full range of storage efficiency features, including deduplication and compression.

You can use NVE on any type of aggregate (HDD, SSD, hybrid, array LUN), with any RAID type, and in any supported ONTAP implementation, including ONTAP Select. You can also use NVE with NetApp Storage Encryption (NSE) to “double encrypt” data on NSE drives.
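The following ONTAP clustershell session is an added walkthrough, not text from the original NetApp page, showing the steps the two preceding paragraphs describe: enabling the Onboard Key Manager, creating a new encrypted volume, encrypting an existing volume, and verifying the result. The cluster name, SVM, aggregate and volume names are assumed, and the `#` lines are annotations rather than typed input. `security key-manager setup` is the pre-9.6 command (9.6 and later use `security key-manager onboard enable`); `volume encryption conversion start` requires ONTAP 9.3 or later, and `volume move start -encrypt-destination true` is the alternative on earlier releases.

```ontap
# 1. Enable the Onboard Key Manager (prompts for a passphrase;
#    record it, it is needed to restore keys on a rebooted node).
cluster1::> security key-manager setup
cluster1::> security key-manager key query

# 2. Create a new volume that is encrypted from the start.
cluster1::> volume create -vserver svm1 -volume vol_new -aggregate aggr1 -size 10g -encrypt true

# 3a. Encrypt an existing volume in place (ONTAP 9.3+).
cluster1::> volume encryption conversion start -vserver svm1 -volume vol_old
cluster1::> volume encryption conversion show -vserver svm1 -volume vol_old

# 3b. On releases before 9.3, encrypt by moving to an aggregate
#     (the same aggregate is allowed) with -encrypt-destination true.
cluster1::> volume move start -vserver svm1 -volume vol_old -destination-aggregate aggr1 -encrypt-destination true

# 4. Verify: only volumes with is-encrypted = true are protected;
#    root and SVM root volumes will never appear here.
cluster1::> volume show -is-encrypted true -fields vserver,volume,is-encrypted
```

Check the conversion or move status before relying on the volume being encrypted; until the job completes, `is-encrypted` still reports `false` for that volume.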

When to use KMIP servers

Although it is less expensive and typically more convenient to use the onboard key manager, you should set up KMIP servers if any of the following are true:

Support details

The following table shows NVE support details:

| Resource or feature | Support details |
| --- | --- |
| Platforms | AES-NI offload capability required: see the Hardware Universe (HWU) to verify that NetApp Volume Encryption is supported for your platform. |
| ONTAP | All ONTAP implementations. Support for ONTAP Cloud is available in ONTAP 9.5 and later. |
| Devices | HDD, SSD, hybrid, array LUN. |
| RAID | RAID0, RAID4, RAID-DP, RAID-TEC. |
| Volumes | Data volumes only. You cannot encrypt data on a root volume, an SVM root volume, or a MetroCluster metadata volume. |
| Storage efficiency | Deduplication, compression, compaction, FlexClone. Clones use the same key as the parent, even after splitting the clone from the parent. You are warned to rekey the split clone. |
| Replication | (1) For volume replication, the destination volume must have been enabled for encryption. (2) For SVM replication, the destination volume is automatically encrypted, unless the destination does not contain a node that supports volume encryption, in which case replication succeeds but the destination volume is not encrypted. (3) For MetroCluster configurations, keys are replicated to the partner site by the configuration replication service (CRS). |
| Compliance | Starting with ONTAP 9.2, SnapLock is supported. |
| FlexGroups | Starting with ONTAP 9.2, FlexGroups are supported. |
| 7-Mode transition | Starting with 7-Mode Transition Tool 3.3, you can use the 7-Mode Transition Tool CLI to perform copy-based transition to NVE-enabled destination volumes on the clustered system. |
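Two rows of the table above carry operational consequences that are easy to miss: a split FlexClone keeps its parent's key until it is rekeyed, and a volume replication destination must already be encrypted or the mirror lands in the clear. The session below is an added example, not NetApp documentation; SVM, volume and aggregate names are assumed, `#` lines are annotations, and `volume encryption rekey` requires ONTAP 9.3 or later.

```ontap
# Split a clone from its encrypted parent. After the split the
# clone is an independent volume but still uses the parent's key.
cluster1::> volume clone split start -vserver svm1 -flexclone vol_new_clone
cluster1::> volume clone split show -vserver svm1 -flexclone vol_new_clone

# Give the split clone its own key so the two volumes no longer
# share key material, then watch the rekey job finish.
cluster1::> volume encryption rekey start -vserver svm1 -volume vol_new_clone
cluster1::> volume encryption rekey show -vserver svm1 -volume vol_new_clone

# Before creating a SnapMirror relationship, confirm the destination
# data-protection volume was created encrypted; an unencrypted
# destination still replicates, it just stores the data in the clear.
cluster1::> volume create -vserver svm2 -volume vol_new_dst -aggregate aggr2 -size 10g -type DP -encrypt true
cluster1::> volume show -vserver svm2 -volume vol_new_dst -fields is-encrypted
```

Running the rekey immediately after the split, rather than relying on the warning, keeps the parent and the former clone cryptographically separate from the moment they are administratively separate.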