topic Re: Enable Data Encryption on Existing Object Data in Object Storage

Enable Data Encryption on Existing Object Data

jimb32 — Wed, 04 Jun 2025 10:01:43 GMT

We have a SG appliance running 11.5. We have 2 load-balanced admin nodes and 8 storage nodes. We have the SG front-ended with an AFF-400. When we installed the SG we did not enable data encryption. We do have Volume Encryption enabled on the AFF. From what I read, if we enable data encryption on the SG now, it will only encrypt new data added to the SG and it will not encrypt any existing data. Is there a way to encrypt existing data? The ultimate goal is to have the data encrypted at rest.

Re: Enable Data Encryption on Existing Object Data

aronk — Tue, 26 Apr 2022 14:47:05 GMT

FabricPool encrypts the data stored to the cloud tier. From the FabricPool Best Practices TR:

Cloud tier

All objects encrypted by NVE/NAE remain encrypted when moved to the cloud tier. Client-side encryption keys are owned by ONTAP. All objects not encrypted using NVE/NAE are automatically encrypted server-side using AES-256-GCM encryption. No additional encryption is necessary. Server-side encryption keys are owned by the respective object store.

Re: Enable Data Encryption on Existing Object Data

OliverSchubert — Tue, 26 Apr 2022 15:02:58 GMT

Hi,

according to TR-4598 page 40:

Security:
All data encrypted by ONTAP NVE/NAE remains encrypted when moved to the cloud tier. Client-side encryption keys are owned by ONTAP. All objects not encrypted using ONTAP NVE/NAE are automatically encrypted by StorageGRID using AES-256-GCM encryption. No additional encryption is necessary. NetApp recommends disabling stored object encryption in StorageGRID.

Best
Oliver

Re: Enable Data Encryption on Existing Object Data

jimb32 — Tue, 26 Apr 2022 15:06:07 GMT

Thanks aronk. That's a big help. One follow-on question. If we create a tenant account with a S3 bucket - can that be encrypted at the bucket level and if so, can it be encrypted after the data is added to the SG?

Re: Enable Data Encryption on Existing Object Data

aronk — Tue, 26 Apr 2022 15:17:11 GMT

Yes, StorageGRID supports the put-bucket-encryption API. No, encryption is only set on newly ingested objects.

Example

aws s3api put-bucket-encryption --bucket encryptme --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}' --profile encrypt --endpoint-url https://192.169.0.100 --no-verify-ssl