Learn about Cloud Volumes ONTAP data encryption and ransomware protection
Suggest changes
PDFs
Cloud Volumes ONTAP supports data encryption and provides protection against viruses and ransomware.
Encryption of data at rest
Cloud Volumes ONTAP supports the following encryption technologies:
-
NetApp encryption solutions (NVE and NAE)
-
Azure Storage Service Encryption
You can use NetApp encryption solutions with native encryption from your cloud provider, which encrypts data at the hypervisor level. Doing so would provide double encryption, which might be desired for very sensitive data. When the encrypted data is accessed, it’s unencrypted twice—once at the hypervisor-level (using keys from the cloud provider) and then again using NetApp encryption solutions (using keys from an external key manager).
NetApp encryption solutions (NVE and NAE)
Cloud Volumes ONTAP supports NetApp Volume Encryption (NVE) and NetApp Aggregate Encryption (NAE). NVE and NAE are software-based solutions that enable (FIPS) 140-2-compliant data-at-rest encryption of volumes. Both NVE and NAE use AES 256-bit encryption.
-
NVE encrypts data at rest one volume a time. Each data volume has its own unique encryption key.
-
NAE is an extension of NVE—it encrypts data for each volume, and the volumes share a key across the aggregate. NAE also allows common blocks across all volumes in the aggregate to be deduplicated.
Cloud Volumes ONTAP supports both NVE and NAE with external key management services (EKMs) provided by AWS, Azure, and Google Cloud, including third-party solutions, such as Fortanix. Unlike ONTAP, for Cloud Volumes ONTAP, encryption keys are generated at the cloud provider's side, not in ONTAP.
Cloud Volumes ONTAP uses the standard Key Management Interoperability Protocol (KMIP) services that ONTAP uses. For more information about the supported services, refer to the Interoperability Matrix Tool.
If you use NVE, you have the option to use your cloud provider's key vault to protect ONTAP encryption keys:
-
Azure Key Vault (AKV)
New aggregates have NetApp Aggregate Encryption (NAE) enabled by default after you set up an external key manager. New volumes that aren't part of an NAE aggregate have NVE enabled by default (for example, if you have existing aggregates that were created before setting up an external key manager).
Setting up a supported key manager is the only required step. For set up instructions, refer to Encrypt volumes with NetApp encryption solutions.
Azure Storage Service Encryption
Data is automatically encrypted on Cloud Volumes ONTAP in Azure using Azure Storage Service Encryption with a Microsoft-managed key.
You can use your own encryption keys if you prefer. Learn how to set up Cloud Volumes ONTAP to use a customer-managed key in Azure.
ONTAP virus scanning
You can use integrated antivirus functionality on ONTAP systems to protect data from being compromised by viruses or other malicious code.
ONTAP virus scanning, called Vscan, combines best-in-class third-party antivirus software with ONTAP features that give you the flexibility you need to control which files get scanned and when.
For information about the vendors, software, and versions supported by Vscan, refer to the NetApp Interoperability Matrix.
For information about how to configure and manage the antivirus functionality on ONTAP systems, refer to the ONTAP 9 Antivirus Configuration Guide.
Ransomware protection
Ransomware attacks can cost a business time, resources, and reputation. BlueXP enables you to implement the NetApp solution for ransomware, which provides effective tools for visibility, detection, and remediation.
-
BlueXP identifies volumes that are not protected by a Snapshot policy and enables you to activate the default Snapshot policy on those volumes.
Snapshot copies are read-only, which prevents ransomware corruption. They can also provide the granularity to create images of a single file copy or a complete disaster recovery solution.
-
BlueXP also enables you to block common ransomware file extensions by enabling ONTAP's FPolicy solution.
