I have a few questions regarding the encryption solutions available with ONTAP 9.1. I have a customer that is interested in implementing "double encryption" of their data on the FAS2600 series filer(s). In order to get our products in line with this requirement, I was hoping to get the following questions answered:
With OKM, where are the encryption keys/passphrase data stored? On the filer hardware?
Does the OKM passphrase need to be entered upon a node reboot?
A couple of pieces of NetApp documentation have conflicting information regarding changing of the OKM passphrase. This resource contains examples of prompts that state that reconfiguring of the passphrase cannot be done:
> With OKM, where are the encryption keys/passphrase data stored? On the filer hardware?
With OKM the keys are stored encrypted in the replicated databases which are stored on disk, and they are additionally stored encrypted in the compact flash (onboard USB key). ONTAP requests the key at startup, decrypts it, then unlocks the drives with it, before purging the key from volatile memory.
> Does the OKM passphrase need to be entered upon a node reboot?
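The startup flow the answer above describes (a wrapped drive key held both in the replicated database and on compact flash, unwrapped with the passphrase at boot, then purged from memory once the drives are unlocked), as an added illustrative model that is not NetApp's or ONTAP's code. The PBKDF2/HMAC-based wrap, the `Node` class and the fingerprint check standing in for the drive's own authentication are my own simplifications, chosen so the example runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

# Constructed model of the OKM pattern: a passphrase-derived key-encryption key (KEK)
# wraps the drive key; only wrapped copies exist at rest (replicated DB + compact flash).
# The wrap is a toy encrypt-then-MAC over HMAC-SHA256, not ONTAP's real construction.

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, 32)

def _keystream(kek: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(kek, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def wrap_key(kek: bytes, drive_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(drive_key, _keystream(kek, nonce, len(drive_key))))
    tag = hmac.new(kek, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, "sha256").digest()):
        raise ValueError("wrong passphrase or corrupted key store")  # authenticate before use
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

class Node:
    def __init__(self, passphrase: str):
        self.salt = secrets.token_bytes(16)
        drive_key = secrets.token_bytes(32)          # the key the self-encrypting drives accept
        self.drive_key_fingerprint = hashlib.sha256(drive_key).hexdigest()  # models the drive's check
        kek = derive_kek(passphrase, self.salt)
        self.replicated_db = wrap_key(kek, drive_key)   # copy 1: on-disk replicated database
        self.compact_flash = wrap_key(kek, drive_key)   # copy 2: onboard USB / compact flash
        self.unlocked = False
        self.key_in_memory = None                     # no plaintext key exists at rest

    def boot(self, passphrase: str, store: str = "replicated_db") -> bool:
        """Reboot: unwrap the drive key with the passphrase, unlock the drives, purge the key."""
        kek = derive_kek(passphrase, self.salt)
        blob = self.replicated_db if store == "replicated_db" else self.compact_flash
        try:
            self.key_in_memory = unwrap_key(kek, blob)
        except ValueError:
            return False                               # wrong passphrase: drives stay locked
        self.unlocked = hashlib.sha256(self.key_in_memory).hexdigest() == self.drive_key_fingerprint
        self.key_in_memory = None                      # purge from volatile memory after unlock
        return self.unlocked
```

The point for the "double encryption" discussion is that whichever store the node reads from, nothing usable exists without the passphrase, and the unwrapped key lives in memory only for the unlock step.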