I believe that recommendation based on the assumption that FlashCache is not encrypted and might be a way to access (some) of the encrypted data.

Hi Damien,

Yep, I was thinking that might be the reasoning but then I was trying to think of a way that data in the cache could be accessed without going through the host that has direct access to the underlying volume and I can't see how that could be done easily (although, where there's a will...). I wonder is there any other reson why it's not recommended.

Cheers,

Neil.

Even though FlashCache looses its data during reboot, it doesn’t mean data couldn’t be restored with advanced techniques.

There are no other reasons for my knowledge.

You can try to reach the person who made the presentation to ask what he/she means by “not best suitable”.

Hi Damien,

I went with your suggestion and emailed the team responsible for the content of the presentation (ng-aff-fas-tme@netapp.com).  I'll post their reply here when I get it.

One of the reasons for my confusion is that the presentation says that  you can use Flash Cache with NVE. But surely the problem of data being held in FlashCache in unencrypted form is still there? Or maybe not?

Cheers,

Neil.

Just got this reply from the team:

"NSE drives are FIPS 140-2 Level 2 validated.  FIPS 140-2 Level 2 requires physical security measures (e.g. tamper resistant screws, security chips, etc) as opposed to Level 1 which is software only. 

NVE is FIPS 140-2 Level 1 validated.

Does that help?"

I've been told to always recommend Flash Pool with NSE as it's apparently the only available option. Not really a technical explanation and it doesn't help those of us in regions where FIPS doesn't apply.

My final update on this subject. I just found this buried in a slide deck presented at Insight 2018:

Flash Cache - "Cached blocks are encrypted when NetApp Volume Encryption (NVE) is used, but not on NetApp Storage Encryption (NSE) FAS systems"

Flash pool - "Cached blocks are encrypted when NVE is used and with NSE systems"