General Discussion

Encrypted Volume Creation

TdA
4,376 Views

Hello friends,

 

I have a question, I need to create an encrypted volume and I do not know how to do it I have a FAS2552 cabin as I read a little I have to encrypt the aggregate but I already have volumes that are in production so I just wanted to know if it can be done to a new volume then I do not know if I need a license.

 

Thanks

1 ACCEPTED SOLUTION

NetApp_SR
3,923 Views

The license is not a problem as it is included with ONTAP 9.x except for some geographic restrictions. I did some research and to enable NVE or NAE the controllers CPU needs the advanced encryption standard instruction set (AES-NI). A check of Hardware Universe shows the 2552 does not support AES-NI. The 2552 does support encrypted drives but they cannot be mixed with unencrypted drives on a cluster so all the drives would need to be replaced.

View solution in original post

6 REPLIES 6

NetApp_SR
4,318 Views

There are many options depending on hardware and ONTAP version. NetApp Volume Encryption (NVE) is included in ONTAP 9.x at no extra charge. There are geographic restrictions to encryption technology. The entire aggregate does not need to be encrypted. Volumes can be encrypted individually. All the volumes on an encrypted aggregate have to be encrypted with the aggregate key or with a volume key. Please review the below. If your questions are not addressed please let me know.

 

FAQ: NetApp Volume Encryption and NetApp Aggregate Encryption
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/FAQ%3A_NetApp_Volume_Encryption_and_NetApp_Aggregate_Encryption

 

NetApp Encryption Power Guide
https://docs.netapp.com/ontap-9/topic/com.netapp.doc.pow-nve/Encryption%20of%20data%20at%20rest.pdf

 

NetApp Volume Encryption and NetApp Aggregate Encryption
https://www.netapp.com/pdf.html?item=/media/17070-ds-3899.pdf

 

NetApp Storage Encryption
https://www.netapp.com/pdf.html?item=/media/7563-ds-3213-en.pdf

 

 

 

TdA
4,109 Views

Hello,

I will check the documentation but some things are still not very clear to me.

Regards

SpindleNinja
3,905 Views

What's still not clear? 

 

There's two types of encryption-at-rest available .   "physical" i.e. NSE/SED drives and "software" based inside ONTAP, that is NVE and NAE (volume encryption and aggr encryption).  

 

The FAS2552 only supports the physical. i.e. NSE/SED drives.   But that is a physical change of replacing non-NSE drives with NSE drives and a re-init of the cluster.   

 

TdA
3,903 Views

Thank you, @SpindleNinja @NetApp_SR 

It is now clear to me that the 2552 can only be physical.

Regards

TdA
3,993 Views

Hi @NetApp_SR 

 

I have some doubts. I currently have a FAS2552 with ONTAP 9.8P4 as I read the requirements would not be compatible in addition to making NVE has to be licensed. Is this correct? According to my provider that was included.

What solution could be done if this is not possible?

Greetings

NetApp_SR
3,924 Views

The license is not a problem as it is included with ONTAP 9.x except for some geographic restrictions. I did some research and to enable NVE or NAE the controllers CPU needs the advanced encryption standard instruction set (AES-NI). A check of Hardware Universe shows the 2552 does not support AES-NI. The 2552 does support encrypted drives but they cannot be mixed with unencrypted drives on a cluster so all the drives would need to be replaced.

Public