At least since ONTAP 9.0 there's an option with storage aggregate create: "-encrypt true". The documentation about this
is poor. The only hint I found is in the command reference reading: "This parameter specifies that the new aggregate be
encrypted. If this parameter is set to true, the specified aggregate's contents will be encrypted." Command reference for ONTAP 9.5 states: "The value encrypt is deprecated and may be removed in a future release of
Questions:
1. Will that mean that all volumes created in this aggregate will be encrypted regardless of the NVE options set with volume creation?
2. Are there any differences or disadvantages compared to using the NVE option for all volumes in the respective aggregate?
3. Encrypted aggregates are marked as deprecated: what will happen with encrypted aggregate data if the feature isn't supported any more in future releases of ONTAP?
4. Are encrypted aggregates combinable with SnapLock?
This documentation reflects an -encrypt option that can only be used for those versions of ONTAP running in cloud providers like AWS, but I understand why you're asking - this could be documented better.
At this time, shipping versions of ONTAP only support volume encryption and disk based NSE/FDE encryption, however, if you are interested in this functionality, I encourage you to review the documentation for future releases of ONTAP, and let us know if you have any questions based on the documentation provided for that release.
So I can *not* use encrypted aggregates with my normal shipped ONTAP, although the only piece of documentation I can find about it suggests I could... - It cries out for a documentation update on this, otherwise it might confuse others too who would be keen on the feature.
I am interested in this functionality, because we've got regulatory demands. They prohibit us from giving back defective disks to NetApp unless we can prove all data has been deleted beforehand or it has been encrypted all the time. The problem with volume based encryption is you could create an unencrypted volume, fill it with critical data and delete it. Or you could delete some of the unencrypted data at the client and encrypt the volume later. Is there an ONTAP/WAFL mechanism guaranteeing that the deleted unencrypted blocks can't be found anymore on a disk? - If not, the only way to prove this would be a kind of cyclical monitoring, looking for the encryption status of all existing volumes and historicizing the results. - Quite cumbersome.
As aggregates usually aren't deleted the aggregate encryption would be charming in my eyes.
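The "cyclical monitoring" sketched in the post above, as an added example that is not part of the original thread and not NetApp code: it parses the tabular output of `volume show -fields vserver,volume,aggregate,encrypt` (the column layout is assumed here; the sample output is constructed), flags volumes that are not NVE-encrypted, writes one timestamped snapshot per run to an append-only JSON-lines file, and compares two snapshots so that an unencrypted volume that has since been deleted still shows up in the record.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `volume show -fields vserver,volume,aggregate,encrypt`.
# The layout is assumed for this example; a real cluster may print extra columns.
SAMPLE_OUTPUT = """\
vserver volume   aggregate encrypt
------- -------- --------- -------
svm1    data_enc aggr1     true
svm1    scratch  aggr1     false
svm2    finance  aggr2     true
svm2    root     aggr2     false
4 entries were displayed.
"""


def parse_volume_show(text):
    """Turn the whitespace-separated table into a list of dicts keyed by header name."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    records = []
    for ln in lines[1:]:
        if ln.startswith("-") or ln.endswith("displayed."):
            continue  # separator row and trailing count line
        cols = ln.split()
        if len(cols) != len(header):
            continue  # ignore anything that is not a data row
        rec = dict(zip(header, cols))
        rec["encrypt"] = rec["encrypt"].lower() == "true"
        records.append(rec)
    return records


def unencrypted_volumes(records):
    """Names (vserver:volume) of volumes whose encrypt flag is not true."""
    return [f"{r['vserver']}:{r['volume']}" for r in records if not r["encrypt"]]


def snapshot(records, observed_at=None):
    """One history entry: timestamp plus the encryption status of every volume."""
    observed_at = observed_at or datetime.now(timezone.utc).isoformat()
    return {
        "observed_at": observed_at,
        "volumes": [
            {"vserver": r["vserver"], "volume": r["volume"],
             "aggregate": r["aggregate"], "encrypted": r["encrypt"]}
            for r in records
        ],
        "unencrypted_count": len(unencrypted_volumes(records)),
    }


def deleted_since(previous, current):
    """Volumes present in the previous snapshot but gone now, with their last known
    encryption status; an unencrypted entry here is the case the post worries about."""
    prev = {(v["vserver"], v["volume"]): v["encrypted"] for v in previous["volumes"]}
    cur = {(v["vserver"], v["volume"]) for v in current["volumes"]}
    return sorted((f"{vs}:{vol}", enc) for (vs, vol), enc in prev.items()
                  if (vs, vol) not in cur)


def append_history(path, entry):
    """Append-only JSON lines, so earlier observations are never overwritten."""
    with open(path, "a") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")


def main():
    records = parse_volume_show(SAMPLE_OUTPUT)
    entry = snapshot(records)
    for name in unencrypted_volumes(records):
        print(f"WARNING: unencrypted volume {name}")
    append_history("nve_history.jsonl", entry)  # hypothetical file name
    print(f"recorded {len(records)} volumes, {entry['unencrypted_count']} unencrypted")


if __name__ == "__main__":
    main()
```

In practice the sample text would be replaced by the output of the command run over SSH or the ONTAP REST API on a schedule; keeping the history append-only and comparing consecutive snapshots is what turns a point-in-time check into evidence that no unencrypted volume existed (or was deleted) between audits.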
I understand your concerns and will respond in a few days with more information that is currently not public.
It is probably too late, but if at all possible this is a discussion you should have at time of initial proposal - we do have a support uplift that does not require disk return (called NRD or non-returnable disks), or we have full disk encryption/native storage encryption (FDE/NSE) offerings - but they can't be mixed with unencrypted drives, to prevent a data spill.
I will return to this post in a few days time. Please hold tight 🙂
Hi there! We have today announced ONTAP 9.6, which includes support for software encryption of disk aggregates 🙂 Please keep an eye out for the download date of the release candidates, and work with your account team to come up with a migration strategy.