FAS and V-Series Storage Systems Discussions


I'm new to Netapp. Just want to confirm that to have NSE you need different self encrypting drives. We have Netapps and existing disk in production. Does it mean I have to discard the old disks and replace with disks capable of encryption?



Yes you will need the NSE drives in both nodes of the HA pair to enable NSE.  NSE drives cannot be mixed with non-NSE drives in a HA pair.


You will also need an external key management solution (read "expensive") to hold the unlocking keys for the disks, unless you are also able to run OnTap 9.0 which is just out now in Release Candidate stage.  OnTap 9.0 includes the capability to manage disk unlocking keys onboard.



Hope this helps you.


Bob Greenwald

Lead Storage Engineer, Consilio LLC

NCIE SAN, Data Protection




Kudos and accepted solutions are always appreciated.


What about a system that has only SED disks but is currently not paired with a key manager and disks protection mode all set to open.  Is it possible to set a  key a spare disk and manually swap encrypted disks into an aggregate 1 at a time?  




Follow up on my questions...




Based on this KB it sounds to me like my drives are already encrypted, just with a 0x0 key and unlocked.  If that is the case what I am describing is really a key change.  If anyone has any input or confirm I would appreciate it.


Hi Jordan,


That's essentially the case. NSE drives do the encryption themselves, ONTAP manages the initialisation/changing/unlocking of drives in interaction with either the internal (in newer versions) or external KMS.


If your system is already in production with data in place, please open a support ticket to walk through the process of enabling a KMS and setting an encryption key for the drives.


Hope this helps!