ONTAP Discussions

Help: Client migration from standard drive to NSE drives on the same array?

TwistRate

I have a client that purchased a FAS-2552 array with standard drives. About a year after the purchase, auditors are insisting that the client encrypt their data at rest. They were hoping that ONTAP 9.1 would allow them to run NVE, but the entry-level arrays do not support it as there isn't enough spare processing power to allow it.

 

At first I thought no problem, I would simply install another shelf of NSE drives and migrate the data over, but I don't believe it's a risk-free and simple process. It is my understanding that you pretty much have to wipe all the data, even the root volumes, before you can turn on the encryption, and then you have to recreate the volumes and restore from a snapmirror from across the wire. This process would need to be done twice, once for each site, so two full resyncs across the wire as well as a long outage.

 

Brainstorming, I'm thinking we could physically unrack and move the DR array to the PRI site and do the same thing, but it's still going to take a significant amount of time. Going deeper down the rabbit hole, I was entertaining breaking the cluster and configuring it as two single node clusters, but talk about risk!

 

Other than simply buying or borrowing a new array with NSE drives and performing a migration ... does anyone have any other ideas?

 

 


robinpeter

For NSE you don't have to remove the data from the controller or wipe the controller.

You can set them up any time.

 

My past experience is setting up NSE with "external key management"; that was done almost a week after we completed the data migration.

 

I believe (or my understanding is) NSE with "onboard key management" is very similar: you don't have to wipe the controller, you can set them up any time, as long as you have the supported disk shelf.

 

 

I'm not much help in case of NVE, here is some documentation for you to read. NetApp Volume Encryption

 

Hope this helps.

 

TwistRate

The customer currently has STANDARD drives, not NSE drives. They want to move to NSE drives ... I could be wrong, but encryption is an all-or-nothing (including root volumes) approach.

 

I've searched but can't seem to find a step by step from NetApp.   

robinpeter

Add the TPM_2 License, attach the NSE drives to the existing controller (don't enable encryption yet).

The disks will be accessible as normal disks.

 

Create a new aggr using the NSE disks, then do the vol move to the new aggr. Once you complete the vol move, remove the non-NSE shelf and enable the onboard encryption.

 

 

 

TwistRate

Ok that sounds doable .... but the existing shelf is actually the internal drives.  

 

Do I delete the standard aggregates and simply remove the drives from the controller?

 

 

robinpeter

 

 

You can verify the supported disks/shelf for FAS2552 in HWU.

 

Yeah, once you move the node-root volumes to NSE drives, that could be the most challenging part in this task.

You can remove those non-NSE disks (leave the bay empty) or replace those bays with NSE.

Remember, the technology of NSE is on disk, not on shelf.

 

If they are the same size disks, you could use the disk-replace command to replace the non-NSE with NSE, so you might save yourself from the hassle of the node-root volume re-creation procedure.

 
