ONTAP Discussions

Real example on using Safenet/KeySecure to encrypt NetApp data

I have read a document about what Safenet/Keysecure is in general. However, still not so clear on how to use it in real life. Can anybody please show me some real administration tasks and configurations, how data will get encrypted by using KeySecure?


Re: Real example on using Safenet/KeySecure to encrypt NetApp data

Hi !

Thank you for your question.

SafeNet and NetApp have partnered for many years to provide full lifecycle key management to NetApp NSE and Encryption and Key Management for NetApp NAS customers.

High-level points about how SafeNet supports the NetApp NSE products are:

  • Supports the entire suite of storage efficiency technologies from NetApp, including deduplication, compression, and array-based AV scanning
  • Supports the SafeNet KeySecure encryption-key appliance, strengthening and simplifying long-term key management.
  • Helps you comply with FISMA, HIPAA, PCI, Basel II, SB 1386, and E.U. Data Protection Directive 95/46/EC regulations using FIPS 140-2 validated hardware
  • KeySecure complies with the OASIS KMIP standard, offering compatibility with other  encryption devices and end points

Some basic administrative topics covered below.

Options for creating grouping of keys for purposes of automation and management

A user directory contains a list of users that may access the keys on your Key Server, and a list of groups to which those users belong.

The Key Server can use one of two user directories:

A local user directory, where users and groups are defined only on the local device and are not available to any other KeySecure.

A central server running the Lightweight Directory Access Protocol (LDAP), which enables all devices to access, the same set of users and groups. If you have several KeySecures in use, LDAP can greatly simplify user and group administration.

The Key Server can either use local user or group authentication or LDAP authentication.

Types of key polices

An authorization policy enables you to limit how a user group may use a key. On the KeySecure you implement an authorization policy when establishing a key’s group permissions. The policies are applied to a key separately for each group; groups that share a key do not necessarily share the same authorization policy.

Rate Limits: The number of operations (per hour) that members of the group can perform. The default is unlimited operations. If a user attempts to perform an operation and has exceeded the rate limit, an error is returned and the connection is closed.

Time Limits: The hours or days in which members of the group can perform operations. The default is unlimited access. If a member of a restricted group attempts to use the key outside of the designated time, an error is returned and the connection is closed.

Key lifecycle management tasks supported/automated

KeySecure simplifies the management of encryption keys across the entire lifecycle including secure key generation, storage and backup, key distribution and key deactivation and deletion.  KeySecure makes automated, policy driven operations easy for tasks such as key expiry and key rotation.

The Key Management Interoperability Protocol (KMIP) is used to transmit key management requests from clients to the KeySecure.

KMIP clients are able to submit the following requests.

  • Activate
  • AddAttribute
  • Create
  • CreateKeyPair
  • DeleteAttribute
  • Destroy
  • Get
  • GetAttributes
  • GetAttributeList
  • Locate
  • ModifyAttribute
  • Query
  • Register
  • Revoke

The KeySecure currently supports the following managed objects: certificates, private keys, public keys, templates, secret data, and symmetric keys.

Administrative Interfaces

Management Console - The management console is a graphic user interface that enables you to perform remote administration using a web browser. The web browser used to connect to the Management Console must be capable of high-grade 128-bit encryption.

Command Line Interface - The command line interface (CLI) enables you to perform administrative functions either at the KeySecure serial console or remotely using SSH.

Links to NetApp resources for SafeNet solutions can be found at:





SafeNet resources for KeySecure can be found at;



Re: Real example on using Safenet/KeySecure to encrypt NetApp data

Hi David,

Could you please forward manuals,like user's guides on 2 Administrative Interfaces: Management Console and Command Line Interfaces?

Cloud Volumes ONTAP
Review Banner
All Community Forums