I'm just reviewing the FlashCache and FlashPool SE presentation (search for "SE presentation Flash Cache" on Field Portal) and I read that FlashCache is "not a good option with NetApp Storage Encryption (NSE) systems".
Does anyone have a technical explanation of why this is?
Yep, I was thinking that might be the reasoning but then I was trying to think of a way that data in the cache could be accessed without going through the host that has direct access to the underlying volume and I can't see how that could be done easily (although, where there's a will...). I wonder if there is any other reason why it's not recommended.
I went with your suggestion and emailed the team responsible for the content of the presentation (firstname.lastname@example.org). I'll post their reply here when I get it.
One of the reasons for my confusion is that the presentation says that you can use Flash Cache with NVE. But surely the problem of data being held in FlashCache in unencrypted form is still there? Or maybe not?
"NSE drives are FIPS 140-2 Level 2 validated. FIPS 140-2 Level 2 requires physical security measures (e.g. tamper-resistant screws, security chips, etc.) as opposed to Level 1 which is software only.
NVE is FIPS 140-2 Level 1 validated.
Does that help?"
I've been told to always recommend Flash Pool with NSE as it's apparently the only available option. Not really a technical explanation and it doesn't help those of us in regions where FIPS doesn't apply.
I just got this update from another guy on the NetApp technical marketing team:
In my experience, customers who want the FIPS 140-2 Level 2 validated encryption of NSE systems require persistently-cached data to be encrypted as well. Since NSE systems rely on the drives (HDDs and SSDs) to encrypt data at rest, Flash Pool with encrypting SSDs is the only hybrid FAS configuration that meets this requirement.