Manage keys with a cloud provider
Beginning in ONTAP 9.10.1, you can use Azure Key Vault (AKV) and Google Cloud Platform's Key Management Service (Cloud KMS) to protect your ONTAP encryption keys in a cloud-hosted application. Beginning with ONTAP 9.12.0, you can also protect NVE keys with AWS Key Management Service (AWS KMS).
AWS KMS, AKV and Cloud KMS can be used to protect NetApp Volume Encryption (NVE) keys only for data SVMs.
Key management with a cloud provider can be enabled with the CLI or the ONTAP REST API.
When using a cloud provider to protect your keys, be aware that by default a data SVM LIF is used to communicate with the cloud key management endpoint. A node management network is used to communicate with the cloud provider's authentication services (login.microsoftonline.com for Azure; oauth2.googleapis.com for Cloud KMS). If the cluster network is not configured correctly, the cluster will not properly utilize the key management service.
When utilizing a cloud provider key management service, you should be aware of the following limitations:
- Cloud-provider key management is not available for NetApp Storage Encryption (NSE) and NetApp Aggregate Encryption (NAE). An external KMIP key manager can be used instead.
- Cloud-provider key management is not available for MetroCluster configurations.
- Cloud-provider key management can only be configured on a data SVM.
- You must have configured the KMS on the appropriate cloud provider.
- The ONTAP cluster's nodes must support NVE.
- You must have installed the Volume Encryption (VE) and multi-tenant Encryption Key Management (MTEKM) licenses. These licenses are included with ONTAP One.
- You must be a cluster or SVM administrator.
- The data SVM must not include any encrypted volumes or employ a key manager. If the data SVM includes encrypted volumes, you must migrate them before configuring the KMS.
Enable external key management
Enabling external key management depends on the specific key manager you use. Follow the section for the appropriate key manager and environment.
AWS KMS
Before you begin:
- You must create a grant for the AWS KMS key that will be used by the IAM role managing encryption. The IAM role must include a policy that allows the following operations:
  - DescribeKey
  - Encrypt
  - Decrypt
  For more information, see the AWS documentation for grants.
- Obtain both the access key ID and secret key from your AWS KMS.
Steps:
- Set the privilege level to advanced:
  set -priv advanced
- Enable AWS KMS:
  security key-manager external aws enable -vserver svm_name -region AWS_region -key-id key_ID -encryption-context encryption_context
- When prompted, enter the secret key.
- Confirm the AWS KMS was configured correctly:
  security key-manager external aws show -vserver svm_name
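The AWS prerequisites above ask for an IAM role whose policy allows exactly DescribeKey, Encrypt and Decrypt, plus a grant on the key. The following Python script is an added example (not part of the ONTAP documentation) that audits a policy document for that least-privilege shape, flagging wildcard actions, extra actions, and resources other than the one key, and assembles the `aws kms create-grant` call for the grant. The key ARN and role ARN are constructed placeholders.

```python
"""Audit the IAM policy attached to the role ONTAP uses for AWS KMS.

Added example, not from the ONTAP docs. It checks that a policy document
grants the three operations the page requires (DescribeKey, Encrypt,
Decrypt) on the specific KMS key and nothing broader. The ARNs below are
constructed placeholders, not real resources."""
import fnmatch
import json

# The operations the page lists as required, written as IAM action names.
REQUIRED_ACTIONS = {"kms:DescribeKey", "kms:Encrypt", "kms:Decrypt"}

# Constructed placeholder ARN for the customer-managed key used for NVE.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
ROLE_ARN = "arn:aws:iam::111122223333:role/ontap-nve-placeholder"


def least_privilege_policy(key_arn: str) -> dict:
    """Build a policy that allows exactly the required operations on one key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OntapNveKeyWrap",
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": key_arn,
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching: '*' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy: dict, key_arn: str) -> list:
    """Return findings; an empty list means the policy is least privilege.

    Findings cover wildcard actions, actions beyond the three required ones,
    resources other than key_arn, and required actions that are not granted."""
    findings = []
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here
        sid = stmt.get("Sid", "?")
        for res in _as_list(stmt.get("Resource", [])):
            if res != key_arn:
                findings.append(
                    f"statement {sid} allows resource {res!r}, expected the single key ARN")
        for act in _as_list(stmt.get("Action", [])):
            if "*" in act:
                findings.append(f"statement {sid} uses wildcard action {act!r}")
            hits = {req for req in REQUIRED_ACTIONS if _matches(act, req)}
            granted |= hits
            if not hits:
                findings.append(f"statement {sid} grants extra action {act!r}")
    for req in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"required action {req} is not granted")
    return findings


def create_grant_command(key_arn: str, role_arn: str) -> str:
    """Assemble the aws CLI call that creates the grant the page requires.

    Assumption: the operator running it holds kms:CreateGrant on the key."""
    ops = " ".join(a.split(":", 1)[1] for a in sorted(REQUIRED_ACTIONS))
    return (f"aws kms create-grant --key-id {key_arn} "
            f"--grantee-principal {role_arn} --operations {ops}")


if __name__ == "__main__":
    policy = least_privilege_policy(KEY_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy, KEY_ARN))
    print(create_grant_command(KEY_ARN, ROLE_ARN))
```

Run `audit_policy` against the policy document actually attached to the role (for example the output of `aws iam get-role-policy`) before enabling AWS KMS on the SVM; a non-empty list of findings means the role can do more with the key than ONTAP needs.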
Azure Key Vault
Before you begin, obtain the appropriate authentication credentials from your Azure account, either a client secret or a certificate. You must also ensure that all nodes in the cluster are healthy; you can check this with the command cluster show.
- Set the privilege level to advanced:
  set -priv advanced
- Enable AKV on the SVM:
  security key-manager external azure enable -vserver svm_name -client-id client_id -tenant-id tenant_id -name key_vault_name -key-id key_id -authentication-method {certificate|client-secret}
  When prompted, enter either the client certificate or the client secret from your Azure account.
- Verify that AKV is enabled correctly:
  security key-manager external azure show -vserver svm_name
  If the service reachability is not OK, establish connectivity to the AKV key management service via the data SVM LIF.
Google Cloud KMS
Before you begin, obtain the private key for the Google Cloud KMS service account as a key file in JSON format. This can be found in your GCP account. You must also ensure that all nodes in the cluster are healthy; you can check this with the command cluster show.
- Set the privilege level to advanced:
  set -priv advanced
- Enable Cloud KMS on the SVM:
  security key-manager external gcp enable -vserver svm_name -project-id project_id -key-ring-name key_ring_name -key-ring-location key_ring_location -key-name key_name
  When prompted, enter the contents of the JSON file with the service account private key.
- Verify that Cloud KMS is configured with the correct parameters:
  security key-manager external gcp show -vserver svm_name
  The status of kms_wrapped_key_status will be "UNKNOWN" if no encrypted volumes have been created.
  If the service reachability is not OK, establish connectivity to the GCP key management service via the data SVM LIF.
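The Cloud KMS step above has you paste the service account key file into the ONTAP prompt, and a malformed or mismatched file only shows up later as a reachability or wrapping failure. The following Python pre-flight check is an added example (not part of the ONTAP documentation) that validates the key file before it is used: it confirms the file is a service account key, that its `project_id` matches the `-project-id` you will pass to `security key-manager external gcp enable`, and that the private key is a PEM block. The sample key file embedded below is constructed, and its private key is a placeholder, not real key material.

```python
"""Pre-flight check of a Google Cloud service account key file before it is
pasted into `security key-manager external gcp enable`.

Added example, not from the ONTAP docs. SAMPLE_KEY_FILE is constructed;
the private_key value is a placeholder, not real key material."""
import json

# Fields a Google service account key file carries that this check relies on.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ontap-kms@example-project.iam.gserviceaccount.com",
})


def check_key_file(contents: str, expected_project_id: str) -> list:
    """Return findings; an empty list means the file is usable with -project-id."""
    findings = []
    try:
        data = json.loads(contents)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]
    for field in REQUIRED_FIELDS:
        if not data.get(field):
            findings.append(f"missing field {field}")
    if findings:
        return findings  # later checks assume the fields exist
    if data["type"] != "service_account":
        findings.append(f"type is {data['type']!r}, expected 'service_account'")
    if data["project_id"] != expected_project_id:
        findings.append(
            f"project_id {data['project_id']!r} does not match -project-id {expected_project_id!r}")
    pem = data["private_key"]
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        findings.append("private_key is not a PEM PKCS#8 private key block")
    if not data["client_email"].endswith(".iam.gserviceaccount.com"):
        findings.append(
            f"client_email {data['client_email']!r} is not a service account identity")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python check_key_file.py <key-file.json> <project-id>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = check_key_file(fh.read(), sys.argv[2])
    else:
        result = check_key_file(SAMPLE_KEY_FILE, "example-project")
    print("findings:", result or "none")
```

The check is purely local and never contacts Google; it catches the copy-paste and wrong-project mistakes that otherwise surface only as a failed `security key-manager external gcp show`. The service account itself still needs permission to encrypt and decrypt with the named key, which the page does not detail and this check cannot verify.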
If one or more encrypted volumes are already configured for a data SVM and the corresponding NVE keys are managed by the admin SVM onboard key manager, those keys should be migrated to the external key management service. To do this with the CLI, run the command:
security key-manager key migrate -from-Vserver admin_SVM -to-Vserver data_SVM
New encrypted volumes cannot be created for the tenant's data SVM until all NVE keys of the data SVM are successfully migrated.