Skip to main content
Cloud Volumes ONTAP
All cloud providers
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • All cloud providers

Encrypting volumes with NetApp encryption solutions

Contributors netapp-bcammett netapp-ahibbard netapp-manini netapp-rlithman

Cloud Volumes ONTAP supports NetApp Volume Encryption (NVE) and NetApp Aggregate Encryption (NAE). NVE and NAE are software-based solutions that enable FIPS 140-2–compliant data-at-rest encryption of volumes. Learn more about these encryption solutions.

Both NVE and NAE are supported with an external key manager.

If you use NVE, you have the option to use your cloud provider's key vault to protect ONTAP encryption keys:

  • AWS Key Management Service (beginning in 9.12.0)

  • Azure Key Vault (AKV)

  • Google Cloud Key Management Service

New aggregates will have NAE enabled by default after you set up an external key manager. New volumes that aren't part of an NAE aggregate will have NVE enabled by default (for example, if you have existing aggregates that were created before setting up an external key manager).

Cloud Volumes ONTAP doesn't support onboard key management.

What you'll need

Your Cloud Volumes ONTAP system should be registered with NetApp Support. A NetApp Volume Encryption license is automatically installed on each Cloud Volumes ONTAP system that is registered with NetApp Support.

Note BlueXP doesn't install the NVE license on systems that reside in the China region.
Steps
  1. Review the list of supported key managers in the NetApp Interoperability Matrix Tool.

    Tip Search for the Key Managers solution.
  2. Connect to the Cloud Volumes ONTAP CLI.

  3. Configure external key management.