ONTAP Discussions

SnapCompress & Snap Encrypt

moncyvarghese

Hi,

Can anyone tell me what SnapCompress and SnapEncrypt are? If anyone has a PPT explaining these features, it would be really great.

Regards

Moncy Varghese

mscarpi

Hi Moncy

Where did you read about those "product" names? ONTAP does not have a SnapCompress or Snap Encrypt software feature.

Regards

Marco

petter_glenstrup

Hi

I am also very interested in knowing more about the 2 ONTAP features: Snapencrypt and Snaptrust!

I have searched both Fieldportal and NOW, but there are no hits on the two feature names.

Could anyone link some TR or something, or guide us to a site where we can learn more about these features?

Regards

Petter Glenstrup

radek_kubka

Hi,

I reckon the first thing may be referring to the new capability of actually compressing volumes:

http://communities.netapp.com/message/36259#36259

The second term does not ring any bells & I am not aware of any 'on the box' encryption capability (even being hinted). So far external encryption is the only option available, e.g. in the form of Decru or Brocade appliances.

Regards,

Radek

ekashpureff

Radek -

It's not a Decru any more - it's a DataFort !

: )

Sssssh. I'll share a SnapSecret with you:

It's a marketing thing. I'll be SnapHappy about it all !

SnapTrust/SnapEncrypt = LKM (Lifetime Key Mgt) + BES (Brocade Encryption Switch) ?

Yes, I'm getting silly here.

I hope this response has been helpful to you.

At your service,


Eugene E. Kashpureff
ekashp@kashpureff.org
Fastlane NetApp Instructor and Independent Consultant
http://www.fastlaneus.com/ http://www.linkedin.com/in/eugenekashpureff

(P.S. I appreciate points for helpful or correct answers.)

petter_glenstrup

Hi

Okay, NSE is NetApp Storage Encryption = Decru/DataFort?

Is Data ONTAP Encryption also = Decru/DataFort?

Best Regards

Petter Glenstrup

ekashpureff

Petter -

The only at-rest encryption I know of offered by NetApp is DataFort.

The E-series for NAS and iSCSI is still available. The S-series for SCSI and F-series for FC have been discontinued.

The LKM key mgt device is now bundled with Brocade encryption switches for a FC solution.

The encryption technologies supported on filer would be NFSv4 with full Kerberos and IPSec for data in-flight.

Other encryption would include SSH and SSL for command and control.

I haven't heard about new 'SnapEncrypt' solutions, but am never surprised with what marketing comes up with.

If there is any other encryption NetApp offers or is coming then I'd love to hear about it.

petter_glenstrup

Hi

I know every product of the external encryption solutions offered by NetApp.

But I read this NetApp User Group from Belgium (BNUG) from Global Infrastructure NGA.pdf where they explain that they use an "internal" ONTAP feature Snapencrypt and snaptrust on the volumes they SnapVault encrypted and trusted, from the customers to the vfiler.

I read it like they are not using any 3rd party or external NetApp DataFort solution, but they "just" enable a 128bit or 256 or AES encryption on the Vol in ONTAP!

And it is this feature that I am seeking more information about. This way we, as a NetApp SnapMirror & SnapVault service provider, can use these standard ONTAP features and not pay extra for encryption hw/sw.

Regards

Petter Glenstrup

petter_glenstrup

Sorry, the link is: http://communities.netapp.com/docs/DOC-8712

See the doc from Global Infr... (page 25). They didn't buy the Decru because it was too expensive, but:

NetApp just came out with
this features encryption on volume. You can decide the level of
encryption (128 bits, 256 bits, AES, public key, …). Again easy to
implement:
  snapencrypt /vol/database-db1 start –protocol AES –key 256
  snaptrust /vol/database-db1 host-db-1 host-app-1

Maybe I am reading this wrong, but it seems to me that this snapencrypt and snaptrust are ONTAP features, and not a DataFort (Decru) solution, but I could be reading it the wrong way!

ekashpureff

Petter -

I briefed through the slides and did see a reference to Decru on slide #22 of the second presentation.

There's this reference on slide #25:

NetApp suggests DECRU   too expensive. NetApp just came out with
this features encryption on volume. You can decide the level of
encryption (128 bits, 256 bits, AES, public key, …). Again easy to
implement:
  snapencrypt /vol/database-db1 start –protocol AES –key 256
  snaptrust /vol/database-db1 host-db-1 host-app-1

I've got no idea where this comes from ! It's not in 8.0.1, nor does a search of the NOW site come up with anything ?

What interests me is that it seems to be a very specific reference. A Google search comes up with a Mozilla reference.

If anybody else knows anything about this, I'd love to hear it, but I think it's all just a rumour.

I also noticed a reference to lack of integration with SnapMirror and SnapVault with regard to SnapManager.

Wondered whether they'd seen the OnCommand Protection Mgr integration in the newer versions ?

petter_glenstrup

Yeah, maybe it is a secret new tool that is being released by NetApp in the near future, and maybe it is not!

But as you mention, it is used in a very specific manner in this NUG conference, and this led me to ask about it.

I will try and hunt down the BNUG author and ask them about it.

Best Regards

Petter Glenstrup

eric_franckx

Hi,

These commands 'snapcompress', 'snapencrypt' and 'snaptrust' don't exist.

They come from ideas at NorthgateArinso about features missing on NetApp that 'our' business (and also other ones) required. We presented them last year at an internal NetApp conference/meeting.

As I see, some people are interested ... good, hoping NetApp will integrate this type of feature in the future.

Only compress is available --> need to request this from NetApp --> license (free).

For encryption, it is possible with the last shelf model --> but the problem with this is that everything is encrypted --> use the disk encryption feature (limited features).

Regards,

Eric

radek_kubka

Interestingly enough, purely from a mathematical standpoint compression & encryption are *very* similar.

Hmm, compression is here, so is encryption on the filer just behind the corner?

That would be very nice, as we've lost at least one deal purely due to a competitor's offering including 'data at rest' encryption (financial sector, so not a big surprise...)

Regards,
Radek

eric_franckx

Hi,

Some years ago I discussed the commands snapcompress and snapencrypt. At that time these commands didn't exist and I was hoping that they would be available in the future (now ...), but it is still not the case. It is a shame.

More and more businesses want to optimize their storage (space efficiency, I/O, CPU on the heads...) and are looking to compress the data and also secure the access to the data (business requirement, new law ...), but it is still not easy to implement and still requires extra boxes/software.

  1. On the level of encryption, NetApp delivers encryption on disk level on ONTAP 8.1 RC3 minimum. Why on disk level? Why could I not decide which volume requires encryption according to policies, like for RTO/RPO (snapshots, snapmirror, snapvaults, ...)? I would like to decide that this volume contains critical data ... (HR data, ...) and should be secure.
    I would find a command like this wonderful: snapencrypt /vol/volname  <key_length> <cypher>.
  2. On the level of compression, compression is also available on ONTAP 8.1. But NetApp doesn't recommend using it in production. Why? Due to the fact that it can use/kill your CPU on the heads.
  3. Why doesn't NetApp use an additional dedicated card like a GPU? If ONTAP detects the card, it will automatically send the encryption/decryption, compress/decompress to this card. It will go faster and will relieve the heads' CPU.

Why is this not available? SIS/dedup is very good. You can use it on primary data, compared to other vendors that only do it (or recommend it) on secondary/offline data. NetApp has the same approach now for compression.

I wish so much for this approach, to have all these features on a box and not need an extra box ... where is the speech of NetApp: simplify storage management? Maybe next year, maybe in some years ... maybe never ...

Regards,

Eric

radek_kubka

Hi Eric,

  1. On the level of encryption, NetApp delivers encryption on disk level on ONTAP 8.1 RC3 minimum. Why on disk level?

Because it relies on self-encrypting disk drives. Have a look at this doc for more details: https://fieldportal.netapp.com/ci_getfile.asp?method=1&uid=7178&docid=29445

This doc shows also what else is / will be available regarding encryption of data on NetApp: https://fieldportal.netapp.com/ci_getfile.asp?method=1&uid=7178&docid=32623

(both docs are available to NetApp & NetApp partners only)

Regards,

Radek

eric_franckx

Hi,

Thanks for the fast response. But I don't care about self-encrypting disk drives. Actually you have to encrypt all your disks in the shelves/aggregates on the head. So for your backup you also have to encrypt all your SATA disks for your backup. If the data/block is encrypted by ONTAP, the data is secure, can be replicated with snapmirror between data centers in a secure way, and the block should be decrypted on the target because the snapmirror should also sync the key used to encrypt the volume.

Also, if you don't use encrypted disks you can use DataFort. When we requested info about it, they didn't know if they would still continue it, or what the future was (10 Gb supported or not). For your info, we use only NAS features for all our databases on NFS.

It also means that you have to add boxes (cables, software, knowledge, ...) and the COSTS !!! ... simplify storage ??? Dedup on volume is the best approach and the encryption should work in the same way = use or not a feature = a simple command.

If I want to listen to a CD in my car, I don't need to buy a radio that costs as much as the car.

Regards,

Eric

radek_kubka

Hey, don't shoot the messenger, okay?

Data encryption at rest on the box (or on the disk) protects against one corner case only - actual disk theft (so probably not a major concern for most DCs!)

If it makes you feel any better, EMC implementation is equally, hmm, limited - the whole array, or nothing: http://www.emc.com/collateral/hardware/white-papers/h8073-symmetrix-data-at-rest-encryption-wp.pdf

eric_franckx

No, I will not shoot the messenger ... it is good to share opinions & experience.

EMC huummmmm

But I think the customer should be able to select the options/way of doing the job and the consequence: dedicated box (performance, no head impact, ...), in-the-box function (use a command to activate it, could have performance impact, ...)

Regards,

Eric
