
Newbie: NetApp Encryption

financeinmotion

Dear All,

I'm all new to the NetApp arena and have a probably silly question here that I couldn't find the answer to. We have a FAS2020 here and were asked by someone auditing our environment whether the data stored on there is encrypted or not. Can anyone help?

If someone broke into the server room and took the FAS, will they be able to access all the data? I've seen that one can change the root password in another thread quite easily. I assume you cannot access the data if you take only one disk away... ?!

Eagerly waiting for your kind help.

Many Thanks

Eddie


columbus_admin

Matteo,

Taking a single disk would be almost useless to anyone. Let's assume you have a small RAID group of 6 disks on your 2020. That means that one or two disks are parity; I will use two in this example.

Your data is spread over those 4 data disks at random, using a proprietary file system, WAFL. Now assuming someone could read the file system using just a single disk, they may get some complete files, but the likelihood of that is very remote.

Now let's go full out: if you have your 2020 fully populated, you have 12 disks, most likely all in a single RAID group, making up a single aggregate. Remove two parity disks again, and most likely one for spare. You are now spread over nine disks at random, the filesystem still has to be overcome, but the data has been written in far greater swaths.

Do the auditors require your RAID drives in servers be encrypted? This was how we fought the auditors at a previous employer. If a RAID group on a server is not required to be encrypted because the data does not exist on a single disk, why should the storage array be required to? Obviously, this may not be an acceptable challenge to your auditors, but it is a valid question.

- Scott

financeinmotion

Thanks for the prompt and detailed explanation, Scott. Much appreciated.

How about if they took the whole appliance home? They would then have the 2020 with all the disks in and access to the plain data, right? They just need to reset the root password as described here (http://communities.netapp.com/message/21967?tstart=-355)?

Thanks again!

columbus_admin

Sorry Matteo, but yes, if they could remove the entire appliance, they could access your data. Unfortunately, the 2020 will not be moving past 7.3, so full disk encryption is not available, but anything that can support 8.0 and up will have it available. Otherwise you would need an encryption device like a Decru or the Brocade fabric encryption options to address that.

Many people have issues with being able to reset the root password that easily... I think NetApp is simply being realistic: if I have unfettered physical access, your data is going to be mine.

- Scott

aborzenkov

I believe disk encryption requires special drives and all disks in a filer must support it. So it is probably a bit more limited than “anything that can support 8.0”.

columbus_admin

I will have to look that up; drives that support it are required, I don't remember it requiring special shelves... Thanks for the heads up, something else to look into!

Edit: I have found that according to documentation, only the DS4243 is supported per the currently available white paper.

- Scott

Message was edited by: Scott Chubb
