ONTAP Hardware

Can I enable Drive encryption online?

KKChan

Hi all,

 

My user has a FAS2650 running ESXi 6.0 in a production environment. They want to apply drive encryption to the unit. I did check that all the drives are capable of encryption.

 

My queries are:

 

1. Can I follow the configuration guide to enable the drive encryption while the storage is running?

2. If yes, what will be the service impact during the enablement?

3. Any experience on how long it takes to enable the encryption on a 1.8TB drive?

4. The user plans to use SnapVault to mirror the snapshot of the VM to another FAS storage. The SnapVault image on the other FAS storage should have no encryption, right?

 

 

1 ACCEPTED SOLUTION

robinpeter

1. Yes, you can enable it while storage is online. (Make sure *ALL* disks support NSE.)

2. Nope.

3. The entire process might take less than 5 - 10 min (including key generation, if you are using onboard key management).

4. It's a disk (if it's NSE drives, it is hardware-based encryption) and it applies only to the controller you enable encryption on.

 

The configuration guide should have everything you need.

 

robin.


3 REPLIES

KKChan

Hi Robin,

 

Thanks for your reply. I followed the guide and enabled the onboard key manager to obtain the key. I notice that there are 2 different keys in the list. Do I need to assign both keys to each of the disks, or can I use one of the keys for both controllers' disks?

 

 

robinpeter

Yeah, the "security key-manager setup" command will generate two keys.

You can choose and assign any one of the keys for "data-key" and the other for "fips-key"; you can even use the exact same key for both of them.

Or you can just use one key for "data-key" and not assign anything for "fips-key".

 

It totally depends on your organization's encryption requirements. I'll recommend you read the guide; I believe it has some details regarding this.

 

Also be aware of the procedure for replacing the NSE disks after a disk failure.

 

robin.
