Encrypting volumes with NetApp encryption solutions
Cloud Volumes ONTAP supports NetApp Volume Encryption (NVE) and NetApp Aggregate Encryption (NAE). NVE and NAE are software-based solutions that enable FIPS 140-2–compliant data-at-rest encryption of volumes. Learn more about these encryption solutions.
Both NVE and NAE are supported with an external key manager.
If you use NVE, you have the option to use your cloud provider's key vault to protect ONTAP encryption keys:
-
AWS Key Management Service (beginning in 9.12.0)
-
Azure Key Vault (AKV)
-
Google Cloud Key Management Service
New aggregates will have NAE enabled by default after you set up an external key manager. New volumes that aren't part of an NAE aggregate will have NVE enabled by default (for example, if you have existing aggregates that were created before setting up an external key manager).
Cloud Volumes ONTAP doesn't support onboard key management.
Your Cloud Volumes ONTAP system should be registered with NetApp Support. A NetApp Volume Encryption license is automatically installed on each Cloud Volumes ONTAP system that is registered with NetApp Support.
BlueXP doesn't install the NVE license on systems that reside in the China region. |
-
Review the list of supported key managers in the NetApp Interoperability Matrix Tool.
Search for the Key Managers solution. -
Configure external key management.
-
Azure: Azure Key Vault (AKV)
-
Google Cloud: Google Cloud Key Management Service