Manage keys with AWS Key Management Service
You can use AWS's Key Management Service (KMS) to protect your ONTAP encryption keys in an AWS-deployed application.
Key management with the AWS KMS can be enabled with the CLI or the ONTAP REST API.
When using the KMS, be aware that by default a data SVM's LIF is used to communicate with the cloud key management endpoint, while the node management network is used to communicate with AWS's authentication services. If the cluster network is not configured correctly, the cluster cannot use the key management service.
- Cloud Volumes ONTAP must be running version 9.12.0 or later
- You must have installed the Volume Encryption (VE) license
- You must have installed the Multi-tenant Encryption Key Management (MTEKM) license
- You must be a cluster or SVM administrator
- You must have an active AWS subscription

You can only configure keys for a data SVM.
Configuration
- You must create a grant for the AWS KMS key that will be used by the IAM role managing encryption. The IAM role must include a policy that allows the following operations:
  - DescribeKey
  - Encrypt
  - Decrypt
  To create a grant, refer to AWS documentation.
- Add a policy to the appropriate IAM role. The policy should support the DescribeKey, Encrypt, and Decrypt operations.
- Switch to your Cloud Volumes ONTAP environment.
- Switch to the advanced privilege level:
  set -privilege advanced
- Enable the AWS key manager:
  security key-manager external aws enable -vserver data_svm_name -region AWS_region -key-id key_ID -encryption-context encryption_context
- When prompted, enter the secret key.
- Confirm the AWS KMS was configured correctly:
  security key-manager external aws show -vserver svm_name
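The IAM policy step above only names the three KMS operations. The following is an added example (not NetApp's or AWS's code) that builds a policy document scoped to exactly DescribeKey, Encrypt and Decrypt on a single key ARN, and audits an existing policy for anything broader, so the role used by the ONTAP key manager can be checked for least privilege. The key ARN, statement Sid and function names are assumptions made for this example; creating the grant itself is still done separately in AWS.

```python
# Exactly the KMS operations the ONTAP key-manager role needs; more is over-privilege.
REQUIRED_ACTIONS = frozenset({"kms:DescribeKey", "kms:Encrypt", "kms:Decrypt"})

# Constructed placeholder ARN for illustration, not a real key.
EXAMPLE_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:"
                   "key/00000000-1111-2222-3333-444444444444")

def build_ontap_kms_policy(key_arn: str) -> dict:
    """IAM policy document allowing only the three required actions on one key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OntapKeyManager",
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": key_arn,
        }],
    }

def _as_list(value):
    # IAM accepts a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def audit_kms_policy(policy: dict, key_arn: str) -> list:
    """Findings for Allow statements beyond DescribeKey/Encrypt/Decrypt on key_arn;
    also reports any required action the policy omits. Empty list = correctly scoped."""
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action.startswith("kms:") and action not in REQUIRED_ACTIONS:
                findings.append(f"{sid}: unneeded KMS action {action!r}")
            else:
                granted.add(action)
        for res in _as_list(stmt.get("Resource", [])):
            if res != key_arn:
                findings.append(f"{sid}: resource {res!r} is not the ONTAP key")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append("missing required actions: " + ", ".join(sorted(missing)))
    return findings
```

Run `audit_kms_policy` against the policy document attached to the role before enabling the key manager; a `kms:*` action or a `*` resource is reported as a finding.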