I'm just reviewing the FlashCache and FlashPool SE presentation (search for "SE presentation Flash Cache" on Field Portal) and I read that FlashCache is "not a good option with NetApp Storage Encryption (NSE) systems".
Does anyone have a technical explanation of why this is?
Solved! See The Solution
Yep, I was thinking that might be the reasoning but then I was trying to think of a way that data in the cache could be accessed without going through the host that has direct access to the underlying volume and I can't see how that could be done easily (although, where there's a will...). I wonder is there any other reson why it's not recommended.
Even though FlashCache looses its data during reboot, it doesn’t mean data couldn’t be restored with advanced techniques.
There are no other reasons for my knowledge.
You can try to reach the person who made the presentation to ask what he/she means by “not best suitable”.
I went with your suggestion and emailed the team responsible for the content of the presentation (firstname.lastname@example.org). I'll post their reply here when I get it.
One of the reasons for my confusion is that the presentation says that you can use Flash Cache with NVE. But surely the problem of data being held in FlashCache in unencrypted form is still there? Or maybe not?
Just got this reply from the team:
"NSE drives are FIPS 140-2 Level 2 validated. FIPS 140-2 Level 2 requires physical security measures (e.g. tamper resistant screws, security chips, etc) as opposed to Level 1 which is software only.
NVE is FIPS 140-2 Level 1 validated.
Does that help?"
I've been told to always recommend Flash Pool with NSE as it's apparently the only available option. Not really a technical explanation and it doesn't help those of us in regions where FIPS doesn't apply.
I just got this update from another guy on the NetApp technical marketing team:
In my experience, customers who want the FIPS 140-2 Level 2 validated encryption of NSE systems require persistently-cached data to be encrypted as well. Since NSE systems rely on the drives (HDDs and SSDs) to encrypt data at rest, Flash Pool with encrypting SSDs in the only hybrid FAS configuration that meets this requirement.
My final update on this subject. I just found this buried in a slide deck presented at Insight 2018:
Flash Cache - "Cached blocks are encrypted when NetApp Volume Encryption (NVE) is used, but not on NetApp Storage Encryption (NSE) FAS systems"
Flash pool - "Cached blocks are encrypted when NVE is used and with NSE systems"