2016-04-15 03:34 AM
We have a use case where we want to be able to achieve WORM storage (Snaplock Compliance) and also make sure that the data on the volume is encrypted in the filesystem. On top of that encryption, the requirement is to be able to change the encryption key at a pre-defined frequency and still achieve WORM storage for compliance.
This would mean having the capability to re-encrypt with the new encryption key without changing the WORM status of the file, while still being compliant.
My question is: can Snaplock Compliance support this kind of use case? If yes, then what storage solution is supported/recommended by NetApp to achieve this?
I can provide more details if anything is not clear in the questions.
2016-04-18 12:02 PM
If your plan is to re-encrypt the entire Snaplock volume, then it would require a full overwrite. You are changing every block on disk. Snaplock's goal is to prevent the blocks on disk from being changed/deleted. These would seem to be incompatible requirements.
Another strategy in encryption is to encrypt the data with a master key. This master key is then encrypted using a user-known key or passphrase. When the user key is changed the master key is re-encrypted using the new user key and the remaining data is untouched. In this case, only the storage containing the encrypted master key needs to be modified so this may be more feasible.
Or you could let the storage controller do it:
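The master-key strategy described in the reply above (data encrypted under a master key, master key wrapped by a user key), sketched as an added example that is not part of the original posts and is not NetApp code. The function names, the passphrase-based user key, and the HMAC-based stand-in cipher are assumptions made so it runs with the Python standard library alone.

```python
import hashlib, hmac, os

# Stand-in authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC) so the
# example runs with the standard library only. Assumption: real deployments use
# AES-GCM or AES Key Wrap (RFC 3394) from a vetted library instead.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def wrap_master_key(master, passphrase):
    salt = os.urandom(16)  # fresh salt per wrap
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    return salt + seal(kek, master)

def unwrap_master_key(wrapped, passphrase):
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), wrapped[:16], 200_000)
    return unseal(kek, wrapped[16:])

def rotate_user_key(wrapped, old_pw, new_pw):
    # Only the small wrapped-key record is rewritten; it must live outside the WORM volume.
    return wrap_master_key(unwrap_master_key(wrapped, old_pw), new_pw)

def demo():
    master = os.urandom(32)
    wrapped = wrap_master_key(master, "old passphrase")
    worm_file = seal(master, b"constructed sample record")  # committed once, never rewritten
    rotated = rotate_user_key(wrapped, "old passphrase", "new passphrase")
    try:
        unwrap_master_key(rotated, "old passphrase")
        old_rejected = False
    except ValueError:
        old_rejected = True
    plaintext = unseal(unwrap_master_key(rotated, "new passphrase"), worm_file)
    return {"plaintext": plaintext, "old_rejected": old_rejected, "record_changed": rotated != wrapped}
```

Rotating the user key this way leaves the master key and every data block unchanged, so anyone who kept the old user key together with a copy of the old wrapped-key record can still recover the master key. Whether that counts as "changing the encryption key" depends on how the compliance requirement is worded.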