Storage encryption
To protect sensitive data in the event of a disk that is stolen, returned, or repurposed use hardware-based NetApp Storage Encryption or software-based NetApp Volume Encryption/NetApp Aggregate Encryption. Both mechanisms are FIPS-140-2 validated and when using hardware-based mechanisms with software-based mechanisms, the solution qualifies for Commercial Solutions for Classified (CSfC) Program. It enables enhanced security protection for secret and top-secret data at rest at both the hardware and software layers.
Data-at-rest encryption is important to protect sensitive data in the event of a disk that is stolen, returned, or repurposed.
ONTAP 9 has three Federal Information Processing Standard (FIPS) 140-2-compliant data-at-rest encryption solutions:
-
NetApp Storage Encryption (NSE) is a hardware solution that uses self-encrypting drives.
-
NetApp Volume Encryption (NVE) is a software solution that enables encryption of any data volume on any drive type where it is enabled with a unique key for each volume.
-
NetApp Aggregate Encryption (NAE) is a software solution that enables encryption of any data volume on any drive type where it is enabled with unique keys for each aggregate.
NSE, NVE, and NAE can use either external key management or the onboard key manager (OKM). Use of NSE, NVE, and NAE does not affect ONTAP storage efficiency features. However, NVE volumes are excluded from aggregate deduplication. NAE volumes participate in and benefit from aggregate deduplication.
The OKM provides a self-contained encryption solution for data at rest with NSE, NVE, or NAE.
NVE, NAE, and OKM use the ONTAP CryptoMod. CryptoMod is listed on the CMVP FIPS 140-2 validated modules list. See FIPS 140-2 Cert# 4144.
To begin OKM configuration, use the security key-manager onboard enable
command. To configure external Key Management Interoperability Protocol (KMIP) key managers, use the security key-manager external enable
command. Starting with ONTAP 9.6, multitenancy is supported for external key managers. Use the -vserver <vserver name>
parameter to enable external key management for a specific SVM. Prior to 9.6, the security key-manager setup
command was used to configure both OKM and external key managers. For onboard key management, this configuration walks the operator or administrator through the passphrase setup and additional parameters for configuring OKM.
A part of the configuration is provided in the following example:
cluster1::> security key-manager setup Welcome to the key manager setup wizard, which will lead you through the steps to add boot information. Enter the following commands at any time "help" or "?" if you want to have a question clarified, "back" if you want to change your answers to previous questions, and "exit" if you want to quit the key manager setup wizard. Any changes you made before typing "exit" will be applied. Restart the key manager setup wizard with "security key-manager setup". To accept a default or omit a question, do not enter a value. Would you like to configure onboard key management? {yes, no} [yes]: Enter the cluster-wide passphrase for onboard key management. To continue the configuration, enter the passphrase, otherwise type "exit": Re-enter the cluster-wide passphrase: After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. To view the data, use the "security key-manager backup show" command.
Beginning with ONTAP 9.4, You can use the -enable-cc-mode
true option with security key-manager setup
to require that users enter the passphrase after a reboot. For ONTAP 9.6 and later, the command syntax is security key-manager onboard enable -cc-mode-enabled yes
.
Beginning with ONTAP 9.4, you can use the secure-purge
feature with advanced privilege to nondisruptively "scrub" data on NVE-enabled volumes. Scrubbing data on an encrypted volume ensures that it cannot be recovered from the physical media. The following command securely purges the deleted files on vol1 on SVM vs1:
cluster1::> volume encryption secure-purge start -vserver vs1 -volume vol1
Beginning with ONTAP 9.7, NAE and NVE are enabled by default if the VE license is in place, either OKM or external key managers are configured, and NSE is not used. NAE volumes are created by default on NAE aggregates, and NVE volumes are created by default on non-NAE aggregates. You can override this by entering the following command:
cluster1::*> options -option-name encryption.data_at_rest_encryption.disable_by_default true
Beginning with ONTAP 9.6, you can use an SVM scope to configure external key management for a data SVM in the cluster. This is best for multitenant environments in which each tenant uses a different SVM (or set of SVMs) to serve data. Only the SVM administrator for a given tenant has access to the keys for that tenant. For more information, see enable external key management in ONTAP 9.6 and later in the ONTAP documentation.
Beginning in ONTAP 9.11.1, you can configure connectivity to clustered external key management servers by designating primary and secondary key servers on an SVM. For more information, see configure clustered external key servers in the ONTAP documentation.
Beginning in ONTAP 9.13.1, you can configure external key manager servers in system manager. For more information, see Manage external key managers in the ONTAP documentation.