FAS and V-Series Storage Systems Discussions

NSE

I'm new to Netapp. Just want to confirm that to have NSE you need different self encrypting drives. We have Netapps and existing disk in production. Does it mean I have to discard the old disks and replace with disks capable of encryption?

5 REPLIES

Re: NSE

Yes you will need the NSE drives in both nodes of the HA pair to enable NSE.  NSE drives cannot be mixed with non-NSE drives in a HA pair.

Re: NSE

You will also need an external key management solution (read "expensive") to hold the unlocking keys for the disks, unless you are also able to run OnTap 9.0 which is just out now in Release Candidate stage.  OnTap 9.0 includes the capability to manage disk unlocking keys onboard.

 

 

Hope this helps you.

 

Bob Greenwald

Lead Storage Engineer, Consilio LLC

NCIE SAN, Data Protection

 

 

 

Kudos and accepted solutions are always appreciated.

Re: NSE

What about a system that has only SED disks but is currently not paired with a key manager and disks protection mode all set to open.  Is it possible to set a  key a spare disk and manually swap encrypted disks into an aggregate 1 at a time?  

 

 

Re: NSE

Follow up on my questions...

 

https://kb.netapp.com/app/answers/answer_view/a_id/1032894

 

Based on this KB it sounds to me like my drives are already encrypted, just with a 0x0 key and unlocked.  If that is the case what I am describing is really a key change.  If anyone has any input or confirm I would appreciate it.

Re: NSE

Hi Jordan,

 

That's essentially the case. NSE drives do the encryption themselves, ONTAP manages the initialisation/changing/unlocking of drives in interaction with either the internal (in newer versions) or external KMS.

 

If your system is already in production with data in place, please open a support ticket to walk through the process of enabling a KMS and setting an encryption key for the drives.

 

Hope this helps!

Forums