Skip to main content

Data replication encryption

Contributors netapp-aherbin netapp-dbagwell

To supplement data at rest encryption, you can encrypt ONTAP data replication traffic between clusters using TLS 1.2 with a pre-shared key for SnapMirror, SnapVault, or FlexCache.

When replicating data for disaster recovery, caching, or backup, you must protect that data during transport over the wire from one ONTAP cluster to another. Doing so prevents malicious man-in-the-middle attacks against sensitive data while it is in flight.

Beginning with ONTAP 9.6, Cluster Peering Encryption provides TLS 1.2 AES-256 GCM encryption support for ONTAP data replication features such as SnapMirror, SnapVault, and FlexCache. Encryption is setup by way of a pre-shared key (PSK) between two cluster peers.

Customers who use technologies like NSE, NVE, and NAE to protect data at rest can also use end-to-end data encryption by upgrading to ONTAP 9.6 or later to use Cluster Peering Encryption.

Cluster peering encrypts all data between the cluster peers. For example, when using SnapMirror, all peering information as well as all SnapMirror relationships between the source and destination cluster peer are encrypted. You cannot send clear-text data between cluster peers with Cluster Peering Encryption enabled.

Beginning with ONTAP 9.6, new cluster-peer relationships have encryption enabled by default. To enable encryption on cluster peer relationships that were created before ONTAP 9.6, you must upgrade the source and destination cluster to 9.6. In addition, you must use the cluster peer modify command to change both the source and destination cluster peers to use Cluster Peering Encryption.

You can convert an existing peer relationship to use Cluster Peering Encryption in ONTAP 9.6 as shown in the following example:

On the Destination Cluster Peer

cluster2::> cluster peer modify cluster1 -auth-status-admin use-authentication -encryption-protocol-proposed tls-psk

When prompted enter a passphrase.

On the Source Cluster Peer

cluster1::> cluster peer modify cluster2 -auth-status-admin use-authentication -encryption-protocol-proposed tls-psk

When prompted enter the same passphrase you created in the previous step.