We are on AFF 9.6P3, currently in the configuration and setup staging phase. Just wondering what kind of encryption we should implement. We have unencrypted disks.
1) Should we enable aggregate-level encryption or only use volume-level? Will aggregate encryption affect performance, since all volumes will be software-encrypted?
2) We will use SnapMirror to replicate some tier-one CIFS volumes to our DR sites. I assume we will need encryption for replication. I heard the encryption is not enabled by default. Please share your experience.
3) We are handling hospital data. Is the onboard key management good enough for us, or should we pick a third-party one?
I configured aggr-level encryption to ensure all data was encrypted (customer's requirement). Once you enable aggr level, volumes are automatically encrypted. (Must enable at both locations.)
It is true you need to enable any encryption. If using aggr-level encryption (recommended), I suggest doing it before you build out your SVMs. Something I didn't do at first; it was a painful process doing it after the fact. Fortunately I had aggrs with no data in them that I could encrypt and move data to.
Decide if you are using the Onboard Key Manager or a 3rd-party one. Onboard should be adequate; just make sure you use a very long key. Secure the key somewhere off of the storage system.
Encrypt aggrs on all nodes at all sites.
Will there be a performance impact? I can't speak to that yet. NetApp Support/Pre-sales may be able to help answer this if you open a case with them.
One extremely important thing to remember with AFF platforms:
If you choose to use NetApp Volume Encryption, you will NOT be able to take advantage of!
From the Docs:
Starting with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be encrypted. Volumes you create in the aggregate are encrypted by default. You can override the default when you encrypt the volume.
You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication. Aggregate-level deduplication is otherwise not supported by NVE.
An aggregate enabled for aggregate-level encryption is called an NAE volume (for NetApp Aggregate Encryption). Plaintext volumes are not supported in NAE aggregates.
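The ONTAP 9.6 clustershell sequence below ties together the three questions and both replies (enable a key manager first, create the aggregate as NAE before building SVMs, encrypt the SnapMirror peer, then audit for plaintext volumes). It is an added example and not commands posted by anyone in this thread; cluster names (cluster1, cluster2), aggregate, SVM and volume names, the disk count, and the KMIP server name are hypothetical placeholders. Check each command against the ONTAP 9.6 man pages for your exact patch level before running it, and run the aggregate and key-manager steps on every cluster at every site.

```text
# Added example, not from the original thread. All names below are hypothetical.
# Run on the primary cluster AND on the DR cluster (the replies above say both sites).

# 1) Key manager. Onboard Key Manager (OKM) prompts for a long passphrase; keep the
#    passphrase and the show-backup output off the storage system.
cluster1::> security key-manager onboard enable
cluster1::> security key-manager onboard show-backup
cluster1::> security key-manager onboard sync          # only if a node reports out of sync
#    Alternative for an external KMIP server (hypothetical names):
#    security key-manager external enable -vserver cluster1 -key-servers kms.example.com:5696
#        -client-cert kms_client_cert -server-ca-certs kms_ca_cert

# 2) Create the aggregate as NAE from the start (before any SVMs/volumes exist on it).
cluster1::> storage aggregate create -aggregate aggr1_nae -diskcount 23 -encrypt-with-aggr-key true
cluster1::> storage aggregate show -fields encrypt-with-aggr-key

# 3) Volumes on an NAE aggregate are encrypted by default; -encrypt true is shown for clarity.
#    Plaintext volumes are not allowed on an NAE aggregate (per the quoted docs).
cluster1::> volume create -vserver svm1 -volume vol_cifs1 -aggregate aggr1_nae -size 500g -encrypt true
cluster1::> volume show -vserver svm1 -volume vol_cifs1 -fields encryption-type,is-encrypted
#    expected: encryption-type aggregate, is-encrypted true

# 4) Data already sitting on a plaintext aggregate: either convert the volume in place to
#    NVE (volume key) or move it onto the NAE aggregate, encrypting at the destination.
cluster1::> volume encryption conversion start -vserver svm1 -volume vol_old
cluster1::> volume move start -vserver svm1 -volume vol_old -destination-aggregate aggr1_nae -encrypt-destination true

# 5) SnapMirror in transit: cluster peering can use TLS-PSK in 9.6. Set it explicitly on
#    both sides rather than relying on the default, then verify.
cluster1::> cluster peer modify -cluster cluster2 -encryption-protocol-proposed tls-psk
cluster2::> cluster peer modify -cluster cluster1 -encryption-protocol-proposed tls-psk
cluster1::> cluster peer show -fields encryption-protocol

# 6) Audit: anything listed here is still plaintext and outside the "all data encrypted" requirement.
cluster1::> volume show -encryption-type none
```

Two practical notes on the sequence: the audit in step 6 is the check to repeat after every volume move or new SVM build, since NAE only protects volumes that actually land on NAE aggregates; and the peer encryption in step 5 protects replication traffic only between the two clusters, so it does not replace encrypting the DR aggregates themselves.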