ONTAP Discussions

encryption for volume replication

FelixZhou
5,716 Views

we are on AFF 9.6P3, currently on configuration and set up staging. Just wondering what kind of encrption we should implement. we have uncrypted disks.

1) should we enable the aggregate level encryption or only use volume level?  will aggregate encryption affect any performa nce since all volumes will be software encrypted?

2) we will use snapmirror to replicate some tier one cifs volumes to our DR sites, i assume we will need encrption for replication. i heard the encryption is not enabled by default. Please share your experience.

3). we are handling hostital data, is the onboard key management good enough for us or should we pick a third pary one?

thanks

1 ACCEPTED SOLUTION

mjdalton1
5,708 Views

I just finished configuring  2ea peered 4node clusters here at my customers sites.

 

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-nve%2Fhome.html&cp=15_2

 

I configured aggr level encryption to insure all data was encrypted (customer's requirement). Once you enable aggr level, volumes are automatically encrypted. (Must enable at both locations)

 

It is true you need to enable any encryption. If using aggr-level encryption(recommended) I suggest doing it before you build out your SVM's. Something I didn't do at first. It was a painful process doing it after the fact. Fortunately I had aggr's with no data in them that I could encrypt and move data to. 

  1. Decide if you are using the Onboard Key Manager of your 3rd Party one. Onboard should be adequate, just make sue you use a very long key. Secure the key somewhere off of the storage system. 
  2. Encrypt Aggrs on All nodes at all sites.
  3. Will there be a performance impact. I can't speak to that yet. NetApp Support Pre-sales may be able to help answer this if you open a case with them. 

View solution in original post

5 REPLIES 5

mjdalton1
5,709 Views

I just finished configuring  2ea peered 4node clusters here at my customers sites.

 

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-nve%2Fhome.html&cp=15_2

 

I configured aggr level encryption to insure all data was encrypted (customer's requirement). Once you enable aggr level, volumes are automatically encrypted. (Must enable at both locations)

 

It is true you need to enable any encryption. If using aggr-level encryption(recommended) I suggest doing it before you build out your SVM's. Something I didn't do at first. It was a painful process doing it after the fact. Fortunately I had aggr's with no data in them that I could encrypt and move data to. 

  1. Decide if you are using the Onboard Key Manager of your 3rd Party one. Onboard should be adequate, just make sue you use a very long key. Secure the key somewhere off of the storage system. 
  2. Encrypt Aggrs on All nodes at all sites.
  3. Will there be a performance impact. I can't speak to that yet. NetApp Support Pre-sales may be able to help answer this if you open a case with them. 

SpindleNinja
5,707 Views

1)  Typically AGGR level these days.  Unless you have a reason to go each volume with a seperate key.   or just want to only do one volume. 

2)  Starting 9.6 in-flight encrpyption is the default for any *NEW* cluster peer relationships. 

FelixZhou
5,704 Views

thanks for yr reply.

2)  Starting 9.6 in-flight encrpyption is the default for any *NEW* cluster peer relationships. 

can you please provide more details on this? does it mean we don't have to implement any encryption (NVE or NAE),  the peering setup will have the volume encryption in place automatically?

thanks

SpindleNinja
5,702 Views

NVE/NAE is encntyption "at rest".  

Snapmirror encryption is "in flight".    

 

anything existing you'll have to configure to have it enabled.  NVE,  NAE and snapmirror.

  

 

 

 

 

TMACMD
5,641 Views

One extremely important thing to remember with AFF platforms:

If you choose to use NetApp Volume Encryption, you will NOT be able to take advantage of!

From the Docs:

Starting with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be encrypted. Volumes you create in the aggregate are encrypted by default. You can override the default when you encrypt the volume.

 

You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication. Aggregate-level deduplication is otherwise not supported by NVE.

An aggregate enabled for aggregate-level encryption is called an NAE volume (for NetApp Aggregate Encryption). Plaintext volumes are not supported in NAE aggregates.

Public