Encrypt data at rest on ASA r2 storage systems
When you encrypt data at rest, it can’t be read if a storage medium is repurposed, returned, misplaced, or stolen. You can use ONTAP System Manager to encrypt your data at the hardware and software level for dual-layer protection.
NetApp Storage Encryption (NSE) supports hardware encryption using self-encrypting drives (SEDs). SEDs encrypt data as it is written. Each SED contains a unique encryption key. Encrypted data stored on the SED can’t be read without the SED's encryption key. Nodes attempting to read from an SED must be authenticated to access the SED's encryption key. Nodes are authenticated by obtaining an authentication key from a key manager, then presenting the authentication key to the SED. If the authentication key is valid, the SED will give the node its encryption key to access the data it contains.
Use the ASA r2 onboard key manager or an external key manager to serve authentication keys to your nodes.
In addition to NSE, you can also enable software encryption to add another layer of security to your data.
-
In System manager, select Cluster > Settings.
-
In the Security section, under Encryption, select Configure.
-
Configure the key manager.
Option Steps Configure the Onboard key Manager
-
Select Onboard Key Manager to add the key servers.
-
Enter a passphrase.
Configure an external key manager
-
Select External key manager to add the key servers.
-
Select to add the key servers.
-
Add the KMIP server CA certificates.
-
Add the KMIP client certificates.
-
-
Select Dual-layer encryption to enable software encryption.
-
Select Save.
Now that you have encrypted your data at rest, if you are using the NVMe/TCP protocol, you can encrypt all the data sent over the network between your NVMe/TCP host and your ASA r2 system.
If you need to switch from the onboard key manager to an external key manager or vice versa, see Migrate ONTAP data encryption keys between key managers.