Skip to main content

Manage keys with a cloud provider

Contributors netapp-ahibbard netapp-aaron-holt netapp-lenida netapp-thomi

Beginning in ONTAP 9.10.1, you can use Azure Key Vault (AKV) and Google Cloud Platform's Key Management Service (Cloud KMS) to protect your ONTAP encryption keys in a cloud-hosted application. Beginning with ONTAP 9.12.0, you can also protect NVE keys with AWS' KMS.

AWS KMS, AKV and Cloud KMS can be used to protect NetApp Volume Encryption (NVE) keys only for data SVMs.

About this task

Key management with a cloud provider can be enabled with the CLI or the ONTAP REST API.

When using a cloud provider to protect your keys, be aware that by default a data SVM LIF is used to communicate with the cloud key management endpoint. A node management network is used to communicate with the cloud provider's authentication services (login.microsoftonline.com for Azure; oauth2.googleapis.com for Cloud KMS). If the cluster network is not configured correctly, the cluster will not properly utilize the key management service.

When utilizing a cloud provider key management service, you should be aware of the following limitations:

  • Cloud-provider key management is not available for NetApp Storage Encryption (NSE) and NetApp Aggregate Encryption (NAE). External KMIPs can be used instead.

  • Cloud-provider key management is not available for MetroCluster configurations.

  • Cloud-provider key management can only be configured on a data SVM.

Before you begin

Enable external key management

Enabling external key management depends on the specific key manager you use. Choose the tab of the appropriate key manager and environment.

AWS
Before you begin
  • You must create a grant for the AWS KMS key that will be used by the IAM role managing encryption. The IAM role must include a policy that allows the following operations:

    • DescribeKey

    • Encrypt

    • Decrypt
      +
      For more information, see AWS documentation for grants.

Enable AWS KMV on an ONTAP SVM
  1. Before you begin, obtain both the access key ID and secret key from your AWS KMS.

  2. Set the privilege level to advanced:
    set -priv advanced

  3. Enable AWS KMS:
    security key-manager external aws enable -vserver svm_name -region AWS_region -key-id key_ID -encryption-context encryption_context

  4. When prompted, enter the secret key.

  5. Confirm the AWS KMS was configured correctly:
    security key-manager external aws show -vserver svm_name

Azure
Enable Azure Key Vault on an ONTAP SVM
  1. Before you begin, you need to obtain the appropriate authentication credentials from your Azure account, either a client secret or certificate.
    You must also ensure all nodes in the cluster are healthy. You can check this with the command cluster show.

  2. Set privileged level to advanced
    set -priv advanced

  3. Enable AKV on the SVM
    security key-manager external azure enable -client-id client_id -tenant-id tenant_id -name -key-id key_id -authentication-method {certificate|client-secret}
    When prompted, enter either the client certificate or client secret from your Azure account.

  4. Verify AKV is enabled correctly:
    security key-manager external azure show vserver svm_name
    If the service reachability is not OK, establish the connectivity to the AKV key management service via the data SVM LIF.

Google Cloud
Enable Cloud KMS on an ONTAP SVM
  1. Before you begin, obtain the private key for the Google Cloud KMS account key file in a JSON format. This can be found in your GCP account.
    You must also ensure all nodes in the cluster are healthy. You can check this with the command cluster show.

  2. Set privileged level to advanced:
    set -priv advanced

  3. Enable Cloud KMS on the SVM
    security key-manager external gcp enable -vserver svm_name -project-id project_id-key-ring-name key_ring_name -key-ring-location key_ring_location -key-name key_name
    When prompted, enter the contents of the JSON file with the Service Account Private Key

  4. Verify that Cloud KMS is configured with the correct parameters:
    security key-manager external gcp show vserver svm_name
    The status of kms_wrapped_key_status will be “UNKNOWN” if no encrypted volumes have been created.
    If the service reachability is not OK, establish the connectivity to the GCP key management service via data SVM LIF.

If one or more encrypted volumes is already configured for a data SVM and the corresponding NVE keys are managed by the admin SVM onboard key manager, those keys should be migrated to the external key management service. To do this with the CLI, run the command:
security key-manager key migrate -from-Vserver admin_SVM -to-Vserver data_SVM
New encrypted volumes cannot be created for the tenant's data SVM until all NVE keys of the data SVM are successfully migrated.