Configuring NetApp Volume Encryption

NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key accessible only to the storage system ensures that volume data cannot be read if the underlying device is repurposed, returned, misplaced, or stolen.

Understanding NVE

Both data, including Snapshot copies, and metadata are encrypted. Access to the data is given by a unique XTS-AES-256 key, one per volume. An external key management server or Onboard Key Manager serves keys to nodes:

The external key management server is a third-party system in your storage environment that serves keys to nodes using the Key Management Interoperability Protocol (KMIP).
The Onboard Key Manager is a built-in tool that serves keys to nodes from the same storage system as your data.

You can enable encryption on a new or existing volume. NVE supports the full range of storage efficiency features, including deduplication and compression.

You can use NVE on any type of aggregate (HDD, SSD, hybrid, array LUN), with any RAID type, and in any supported ONTAP implementation, including ONTAP Select. You can also use NVE with NetApp Storage Encryption (NSE) to “double encrypt” data on NSE drives.

When to use KMIP servers

Although it is less expensive and typically more convenient to use the onboard key manager, you should set up KMIP servers if any of the following are true:

Your encryption key management solution must comply with Federal Information Processing Standards (FIPS) 140-2 or the OASIS KMIP standard.
You need a multi-cluster solution.
KMIP servers support multiple clusters with centralized management of encryption keys.
Your business requires the added security of storing authentication keys on a system or in a location different from the data.
KMIP servers store authentication keys separately from your data.

Support details

The following table shows NVE support details:

Resource or feature	Support details
Platforms	AES-NI offload capability required: see the Hardware Universe (HWU) to verify that NetApp Volume Encryption is supported for your platform.
ONTAP	All ONTAP implementations. Support for ONTAP Cloud is available in ONTAP 9.5 and later.
Devices	HDD, SSD, hybrid, array LUN.
RAID	RAID0, RAID4, RAID-DP, RAID-TEC.
Volumes	Data volumes only. You cannot encrypt data on a root volume, an SVM root volume, or a MetroCluster metadata volume.
Storage efficiency	Deduplication, compression, compaction, FlexClone. Clones use the same key as the parent, even after splitting the clone from the parent. You are warned to rekey the split clone.
Replication	For volume replication, the destination volume must have been enabled for encryption. For SVM replication, the destination volume is automatically encrypted, unless the destination does not contain a node that supports volume encryption, in which case replication succeeds, but the destination volume is not encrypted. For MetroCluster configurations, keys are replicated to the partner site by the configuration replication service (CRS).
Compliance	Starting with ONTAP 9.2, SnapLock is supported.
FlexGroups	Starting with ONTAP 9.2, FlexGroups are supported.
7-Mode transition	Starting with 7-Mode Transition Tool 3.3, you can use the 7-Mode Transition Tool CLI to perform copy-based transition to NVE-enabled destination volumes on the clustered system.

Configuring NetApp Volume Encryption

Understanding NVE

When to use KMIP servers

Support details

More information