Skip to main content
Cloud Volumes ONTAP
All cloud providers
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • All cloud providers

Manage keys with AWS Key Management Service

Contributors netapp-rlithman netapp-ahibbard

You can use AWS's Key Management Service (KMS) to protect your ONTAP encryption keys in an AWS-deployed application.

Key management with the AWS KMS can be enabled with the CLI or the ONTAP REST API.

When using the KMS, be aware that by default a data SVM's LIF is used to communicate with the cloud key management endpoint. A node management network is used to communicate with AWS's authentication services. If the cluster network is not configured correctly, the cluster will not properly utilize the key management service.

Before you begin
  • Cloud Volumes ONTAP must be running version 9.12.0 or later

  • You must have installed the Volume Encryption (VE) license and

  • You must have installed the Multi-tenant Encryption Key Management (MTEKM) license installed.

  • You must be a cluster or SVM administrator

  • You must have an active AWS subscription

Note You can only configure keys for a data SVM.

Configuration

AWS
  1. You must create a grant for the AWS KMS key that will be used by the IAM role managing encryption. The IAM role must include a policy that allows the following operations:

  2. Add a policy to the appropriate IAM role. The policy should support the DescribeKey, Encrypt, and Decrypt operations.

Cloud Volumes ONTAP
  1. Switch to your Cloud Volumes ONTAP environment.

  2. Switch to the advanced privilege level:
    set -privilege advanced

  3. Enable the AWS key manager:
    security key-manager external aws enable -vserver data_svm_name -region AWS_region -key-id key_ID -encryption-context encryption_context

  4. When prompted, enter the secret key.

  5. Confirm the AWS KMS was configured correctly:
    security key-manager external aws show -vserver svm_name