Configure NetApp Volume Encryption overview
NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key accessible only to the storage system ensures that volume data cannot be read if the underlying device is repurposed, returned, misplaced, or stolen.
Understanding NVE
With NVE, both metadata and data (including Snapshot copies) are encrypted. Each volume is encrypted with its own XTS-AES-256 key, and the data can be read only with that key. An external key management server or the Onboard Key Manager (OKM) serves keys to nodes:
- The external key management server is a third-party system in your storage environment that serves keys to nodes using the Key Management Interoperability Protocol (KMIP). It is a best practice to configure external key management servers on a different storage system from your data.
- The Onboard Key Manager is a built-in tool that serves keys to nodes from the same storage system as your data.
Beginning with ONTAP 9.7, aggregate and volume encryption is enabled by default if you have a volume encryption (VE) license and use an onboard or external key manager. The VE license is included with ONTAP One. Once an external or onboard key manager is configured, the way data at rest is encrypted changes for newly created aggregates and volumes: new aggregates have NetApp Aggregate Encryption (NAE) enabled by default, and new volumes that are not part of an NAE aggregate have NetApp Volume Encryption (NVE) enabled by default. If a data storage virtual machine (SVM) is configured with its own key manager using multitenant key management, volumes created for that SVM are automatically configured with NVE.
You can enable encryption on a new or existing volume. NVE supports the full range of storage efficiency features, including deduplication and compression. Beginning with ONTAP 9.14.1, you can enable NVE on existing SVM root volumes.
If you are using SnapLock, you can enable encryption only on new, empty SnapLock volumes. You cannot enable encryption on an existing SnapLock volume.
You can use NVE on any type of aggregate (HDD, SSD, hybrid, array LUN), with any RAID type, and in any supported ONTAP implementation, including ONTAP Select. You can also use NVE with hardware-based encryption to “double encrypt” data on self-encrypting drives.
When NVE is enabled, the core dump is also encrypted.
Aggregate-level encryption
Ordinarily, every encrypted volume is assigned a unique key. When the volume is deleted, the key is deleted with it.
Beginning with ONTAP 9.6, you can use NetApp Aggregate Encryption (NAE) to assign keys to the containing aggregate for the volumes to be encrypted. When an encrypted volume is deleted, the keys for the aggregate are preserved. The keys are deleted if the entire aggregate is deleted.
You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication. Aggregate-level deduplication is otherwise not supported by NVE.
Beginning with ONTAP 9.7, aggregate and volume encryption is enabled by default if you have a volume encryption (VE) license and use an onboard or external key manager.
NVE and NAE volumes can coexist on the same aggregate. Volumes encrypted under aggregate-level encryption are NAE volumes by default. You can override the default when you encrypt the volume.
You can use the volume move command to convert an NVE volume to an NAE volume, and vice versa. You can replicate an NAE volume to an NVE volume.
You cannot use secure purge commands on an NAE volume.
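The rules above (a plain text, NVE or NAE state per volume; NVE and NAE volumes coexisting on one aggregate; no secure purge on NAE volumes) are easy to check from the clustershell, so here is an added example, not part of the NetApp documentation, of a small audit script. It parses the table that the "-fields" form of storage aggregate show and volume show prints, counts volumes by encryption type, and reports plain text volumes, NAE volumes that a disposal policy requires secure purge for, and volumes whose reported type disagrees with their aggregate's key setting. The sample outputs are constructed and their exact column layout is an assumption to check against your own cluster; the remediation strings reuse the page's own mechanisms (enabling encryption on an existing volume, and volume move to convert NAE to NVE), but their parameter names are likewise assumptions to verify against the ONTAP command reference.

```python
"""Audit ONTAP NVE/NAE state from clustershell "-fields" output.

Added example, not NetApp's code. The sample outputs below are
CONSTRUCTED to resemble what these commands print (column layout and
footer are assumptions; confirm on your cluster):

    storage aggregate show -fields aggregate,encrypt-with-aggr-key
    volume show -fields vserver,volume,aggregate,encrypt,encryption-type
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: one NAE aggregate and one aggregate without an aggregate key.
AGGR_SHOW = """\
aggregate  encrypt-with-aggr-key
---------- ---------------------
aggr_nae   true
aggr_plain false
2 entries were displayed.
"""

# Constructed sample: an NAE and an NVE volume coexist on aggr_nae (allowed);
# vol_plain was created with the encryption default overridden off.
VOLUME_SHOW = """\
vserver volume     aggregate  encrypt encryption-type
------- ---------- ---------- ------- ---------------
vs1     vol_nae    aggr_nae   true    aggregate
vs1     vol_nve    aggr_nae   true    volume
vs1     vol_plain  aggr_plain false   none
vs2     vol_tenant aggr_plain true    volume
4 entries were displayed.
"""

_FOOTER = re.compile(r"^\d+ entr(y|ies) (was|were) displayed\.$")


def parse_fields_output(text: str) -> list[dict[str, str]]:
    """Turn a "-fields" table into a list of {field: value} dicts.

    Assumes a header line of field names, a dashed underline, one
    whitespace-separated row per entry (values without spaces) and the
    "N entries were displayed." footer.
    """
    header = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", " "} or _FOOTER.match(line):
            continue
        parts = line.split()
        if header is None:
            header = parts
            continue
        if len(parts) != len(header):
            raise ValueError(f"unexpected row: {raw!r}")
        rows.append(dict(zip(header, parts)))
    return rows


@dataclass(frozen=True)
class Finding:
    vserver: str
    volume: str
    issue: str
    remediation: str


def classify(volumes: list[dict[str, str]]) -> Counter:
    """Count volumes by encryption-type: none (plain text), volume (NVE), aggregate (NAE)."""
    return Counter(v["encryption-type"] for v in volumes)


def audit(volumes, aggregates, require_secure_purge=frozenset()) -> list[Finding]:
    """Apply the page's rules to the parsed rows and return findings.

    require_secure_purge: (vserver, volume) pairs that a data-disposal policy
    says must support secure purge; secure purge is not available on NAE volumes.
    """
    aggr_has_key = {a["aggregate"]: a["encrypt-with-aggr-key"] == "true" for a in aggregates}
    findings = []
    for v in volumes:
        vs, name, aggr, etype = v["vserver"], v["volume"], v["aggregate"], v["encryption-type"]
        if v["encrypt"] != "true" or etype == "none":
            # Plain text volume: data is readable if the media is repurposed or lost.
            findings.append(Finding(vs, name, "plaintext",
                f"volume encryption conversion start -vserver {vs} -volume {name}"))
            continue
        if etype == "aggregate":
            if not aggr_has_key.get(aggr, False):
                # The volume claims an aggregate key that its aggregate does not report.
                findings.append(Finding(vs, name, "inconsistent",
                    f"aggregate {aggr} reports no aggregate key; re-check storage aggregate show"))
            if (vs, name) in require_secure_purge:
                # NAE volume cannot be secure purged; move it to a per-volume (NVE) key.
                findings.append(Finding(vs, name, "nae-no-secure-purge",
                    f"volume move start -vserver {vs} -volume {name} "
                    f"-destination-aggregate <aggr> -encrypt-with-aggr-key false"))
    return findings


if __name__ == "__main__":
    vols, aggrs = parse_fields_output(VOLUME_SHOW), parse_fields_output(AGGR_SHOW)
    print(dict(classify(vols)))
    for f in audit(vols, aggrs, require_secure_purge={("vs1", "vol_nae")}):
        print(f"{f.vserver}:{f.volume} {f.issue}: {f.remediation}")
```

Run it against real output by replacing the two constructed strings with the captured command output; the per-row parser deliberately raises on a row whose column count does not match the header rather than silently skipping it, so a changed field list or a value containing spaces is caught instead of producing a false "all encrypted" result.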
When to use external key management servers
Although it is less expensive and typically more convenient to use the Onboard Key Manager, you should set up KMIP servers if any of the following are true:
- Your encryption key management solution must comply with Federal Information Processing Standards (FIPS) 140-2 or the OASIS KMIP standard.
- You need a multi-cluster solution, with centralized management of encryption keys.
- Your business requires the added security of storing authentication keys on a system or in a location different from the data.
Scope of external key management
The scope of external key management determines whether key management servers secure all the SVMs in the cluster or selected SVMs only:
- You can use a cluster scope to configure external key management for all the SVMs in the cluster. The cluster administrator has access to every key stored on the servers.
- Beginning with ONTAP 9.6, you can use an SVM scope to configure external key management for a named SVM in the cluster. That's best for multitenant environments in which each tenant uses a different SVM (or set of SVMs) to serve data. Only the SVM administrator for a given tenant has access to the keys for that tenant.
- Beginning with ONTAP 9.10.1, you can use Azure Key Vault and Google Cloud KMS to protect NVE keys only for data SVMs. This is available for AWS KMS beginning in 9.12.0.
You can use both scopes in the same cluster. If key management servers have been configured for an SVM, ONTAP uses only those servers to secure keys. Otherwise, ONTAP secures keys with the key management servers configured for the cluster.
A list of validated external key managers is available in the NetApp Interoperability Matrix Tool (IMT). You can find this list by entering the term "key managers" into the IMT's search feature.
Support details
The following table shows NVE support details:
| Resource or feature | Support details |
|---|---|
| Platforms | AES-NI offload capability required. See the Hardware Universe (HWU) to verify that NVE and NAE are supported for your platform. |
| Encryption | Beginning with ONTAP 9.7, newly created aggregates and volumes are encrypted by default when you add a volume encryption (VE) license and have an onboard or external key manager configured. You can override the default at creation time if you need an unencrypted aggregate or a plain text volume. Encryption is not enabled by default without a VE license and a configured key manager. |
| ONTAP | All ONTAP implementations. Support for ONTAP Cloud is available in ONTAP 9.5 and later. |
| Devices | HDD, SSD, hybrid, array LUN. |
| RAID | RAID0, RAID4, RAID-DP, RAID-TEC. |
| Volumes | Data volumes and, beginning with ONTAP 9.14.1, existing SVM root volumes. In versions of ONTAP earlier than 9.14.1, you cannot encrypt the SVM root volume with NVE. You cannot encrypt data on MetroCluster metadata volumes. |
| Aggregate-level encryption | Beginning with ONTAP 9.6, NVE supports aggregate-level encryption (NAE); see Aggregate-level encryption above for the key lifecycle, deduplication, conversion and secure purge details. |
| SVM scope | Beginning with ONTAP 9.6, NVE supports SVM scope for external key management only, not for the Onboard Key Manager. MetroCluster is supported beginning with ONTAP 9.8. |
| Storage efficiency | Deduplication, compression, compaction, FlexClone. Clones use the same key as the parent, even after splitting the clone from the parent. You should perform a |
| Replication | You can replicate an NAE volume to an NVE volume. |
| Compliance | Beginning with ONTAP 9.2, SnapLock is supported in both Compliance and Enterprise modes, for new volumes only. You cannot enable encryption on an existing SnapLock volume. |
| FlexGroups | Beginning with ONTAP 9.2, FlexGroup volumes are supported. Destination aggregates must be of the same encryption type as source aggregates, either volume-level or aggregate-level. Beginning with ONTAP 9.5, in-place rekey of FlexGroup volumes is supported. |
| 7-Mode transition | Beginning with 7-Mode Transition Tool 3.3, you can use the 7-Mode Transition Tool CLI to perform copy-based transition to NVE-enabled destination volumes on the clustered system. |
FAQ - NetApp Volume Encryption and NetApp Aggregate Encryption