2017-04-26 05:25 PM
I have a client that purchased a FAS-2552 array with standard drives. About a year after the purchase, auditors are insisting that the client encrypt their data at rest. They were hoping that ONTAP 9.1 would allow them to run NVE, but the entry-level arrays do not support it as there isn't enough spare processing power to allow it.
At first I thought no problem, I would simply install another shelf of NSE drives and migrate the data over, but I don't believe it's a risk-free and simple process. It is my understanding that you pretty much have to wipe all the data, even the root volumes, before you can turn on the encryption, and then you have to recreate the volumes and restore from a SnapMirror from across the wire. This process would need to be done twice, once for each site, so two full resyncs across the wire as well as a long outage.
Brainstorming, I'm thinking we could physically unrack and move the DR array to the PRI site and do the same thing, but it's still going to take a significant amount of time. Going deeper down the rabbit hole, I was entertaining breaking the cluster and configuring it as two single-node clusters, but talk about risk!
Other than simply buying or borrowing a new array with NSE drives and performing a migration ... does anyone have any other ideas?
2017-04-26 05:41 PM - edited 2017-04-26 05:42 PM
For NSE you don't have to remove the data from the controller or wipe the controller.
You can set them up any time.
My past experience is setting up NSE with "external key management"; that was done almost a week after we completed the data migration.
I believe (or my understanding is) NSE with "onboard key management" is very similar: you don't have to wipe the controller, you can set them up any time,
as long as you have the supported disk shelf.
I'm not much help in the case of NVE; here is some documentation for you to read: NetApp Volume Encryption
Hope this helps.
2017-04-26 05:49 PM
The customer currently has STANDARD drives, not NSE drives. They want to move to NSE drives ... I could be wrong, but encryption is an all-or-nothing (including root volumes) approach.
I've searched but can't seem to find a step-by-step from NetApp.
2017-04-26 06:01 PM - edited 2017-04-26 06:04 PM
Add the TPM_2 license, attach the NSE drives to the existing controller (don't enable encryption yet);
the disks will be accessible as normal disks.
Create a new aggr using the NSE disks, then do the vol move to the new aggr. Once you complete the vol move, remove the non-NSE shelf
and enable the onboard encryption.
2017-04-26 06:22 PM
Ok that sounds doable .... but the existing shelf is actually the internal drives.
Do I delete the standard aggregates and simply remove the drives from the controller?
2017-04-26 06:34 PM
You can verify the supported disks/shelf for FAS2552 in HWU.
Yeah, once you move the node-root volumes to NSE drives; that could be the most challenging part in this task.
You can remove those non-NSE disks (leave the bays empty) or replace those bays with NSE.
Remember, the technology of NSE is on the disk, not on the shelf.
If they are same-size disks, you could use the disk-replace command to replace the non-NSE with NSE,
so you might save yourself the hassle of re-creating the node-root volume.
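The migration the two replies above describe (new aggregate on NSE disks, vol move, disk replace for the root aggregate, then onboard key manager), written out as an annotated ONTAP clustershell sequence with the verification step a practitioner would want after each stage. This is an added walkthrough, not from the thread's posters or from NetApp documentation; node, SVM, volume, aggregate and disk names are placeholders, and the command syntax is from memory of ONTAP 9.1 and should be checked against the command reference for the installed release before use.

```text
# Lines starting with # are annotations, not typed at the prompt.
# Placeholders: node1, svm1, vol1, aggr_nse, aggr0_node1, disks 1.0.x (internal) and 1.1.x (NSE shelf).

# 1. License, attach the NSE shelf; the new disks appear as ordinary spares.
system license add -license-code <LICENSE-KEY>
storage disk show -fields type,container-type,aggregate
storage encryption disk show          # NSE disks listed; no authentication key applied yet

# 2. Aggregate on the NSE disks, then move every data volume onto it.
storage aggregate create -aggregate aggr_nse -node node1 -diskcount 22 -raidtype raid_dp
volume move start -vserver svm1 -volume vol1 -destination-aggregate aggr_nse
volume move show -vserver svm1 -volume vol1        # wait until the move reports done
volume show -vserver svm1 -fields aggregate        # check: no data volume left on an internal-disk aggregate

# 3. Root aggregate: the disk-replace route from the thread (same-size disks only).
#    Each internal member is copied onto an NSE spare, so the root volume is not rebuilt by hand.
storage aggregate show-status -aggregate aggr0_node1      # list members to replace
storage disk replace -disk 1.0.0 -replacement 1.1.22 -action start
storage aggregate show-status -aggregate aggr0_node1      # repeat per member until all are 1.1.x

# 4. Only when every aggregate sits on NSE disks, retire the internal drives.
storage aggregate delete -aggregate aggr_old
storage disk show -container-type spare            # remaining internal disks are spares; remove or leave bays empty

# 5. Onboard key manager, then apply the authentication key to all NSE disks.
security key-manager setup                         # prompts for the onboard passphrase; record it offline
security key-manager query                         # note the key id to apply
security key-manager backup show                   # store this backup offline; needed for recovery
storage encryption disk modify -disk * -data-key-id <key-id-from-query>
storage encryption disk show                       # check: every disk now reports the new key id
```

Do step 5 only after steps 2 to 4 are verified, since a disk that still holds a non-NSE aggregate cannot be given a key and the check in step 5 is what the auditors will ask to see.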