Solved: OnTap Efficiencies & Microsoft bitlocker best practices

BenCoughtry · ‎2018-07-16

Hi All, if a customer is using MS Bitlocker on virtual machines to encrypt data at rest as well as in transit, what would be OnTap best practices regarding dedupe / compression / compaction, as well as NVE? I'm guessing NVE would not be needed however will bitlocker encryption reduce ontap space savings and basically waste controller CPU cycles? Curious of your thoughts on this.

Thanks!

AlexDawson · ‎2018-07-17

Yes - you typically can't dedupe or compress any encrypted data and having policies that attempt that do just waste a bit of CPU, but there is a baselining process which will disable compression pretty quickly, but dedupe will still try to run.

You can still store encrypted data of course, but for efficiency, they are best used to store the cleartext data and use NVE or NSE/FDE on the controller.

View solution in original post

AlexDawson · ‎2018-07-17

Yes - you typically can't dedupe or compress any encrypted data and having policies that attempt that do just waste a bit of CPU, but there is a baselining process which will disable compression pretty quickly, but dedupe will still try to run.

You can still store encrypted data of course, but for efficiency, they are best used to store the cleartext data and use NVE or NSE/FDE on the controller.

D_BEREZENKO · ‎2018-07-17

There is no reason for having both.

Each has its pros & cons:

BitLocker on one side is user-level, each user can protect it's data, so no other user (including admin) going to be able to access the data
- On another side, admin cannot access to the corporate data & there are no storage efficiencies
With NetApp, NVE encryption is done on the storage side, and there is nearly not noticeable performance impact.
- It is Volume-wide, which means if storage admin has access to that volume, he can clone it and access the data.
- With NVE you can benefit from offline dedup & compression storage efficiencies.