General Discussion
Hello friends,
I have a question. I need to create an encrypted volume and I do not know how to do it. I have a FAS2552 cabin. As I read a little, I have to encrypt the aggregate, but I already have volumes that are in production, so I just wanted to know if it can be done to a new volume. I also do not know if I need a license.
Thanks
There are many options depending on hardware and ONTAP version. NetApp Volume Encryption (NVE) is included in ONTAP 9.x at no extra charge. There are geographic restrictions to encryption technology. The entire aggregate does not need to be encrypted. Volumes can be encrypted individually. All the volumes on an encrypted aggregate have to be encrypted with the aggregate key or with a volume key. Please review the below. If your questions are not addressed, please let me know.
FAQ: NetApp Volume Encryption and NetApp Aggregate Encryption
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/FAQ%3A_NetApp_Volume_Encryption_and_NetApp_Aggregate_Encryption
NetApp Encryption Power Guide
https://docs.netapp.com/ontap-9/topic/com.netapp.doc.pow-nve/Encryption%20of%20data%20at%20rest.pdf
NetApp Volume Encryption and NetApp Aggregate Encryption
https://www.netapp.com/pdf.html?item=/media/17070-ds-3899.pdf
NetApp Storage Encryption
https://www.netapp.com/pdf.html?item=/media/7563-ds-3213-en.pdf
Hello,
I will check the documentation but some things are still not very clear to me.
Regards
What's still not clear?
There are two types of encryption-at-rest available: "physical", i.e. NSE/SED drives, and "software" based inside ONTAP, that is NVE and NAE (volume encryption and aggr encryption).
The FAS2552 only supports the physical, i.e. NSE/SED drives. But that is a physical change of replacing non-NSE drives with NSE drives and a re-init of the cluster.
Thank you, @SpindleNinja @NetApp_SR
It is now clear to me that the 2552 can only be physical.
Regards
Hi @NetApp_SR
I have some doubts. I currently have a FAS2552 with ONTAP 9.8P4. As I read, the requirements would not be compatible, and in addition NVE has to be licensed. Is this correct? According to my provider, that was included.
What solution could be done if this is not possible?
Greetings
The license is not a problem, as it is included with ONTAP 9.x except for some geographic restrictions. I did some research, and to enable NVE or NAE the controller's CPU needs the Advanced Encryption Standard instruction set (AES-NI). A check of Hardware Universe shows the 2552 does not support AES-NI. The 2552 does support encrypted drives, but they cannot be mixed with unencrypted drives on a cluster, so all the drives would need to be replaced.