NVE with NSE

Sevenfold

Hello!

 

I have a few questions regarding the encryption solutions available with ONTAP 9.1. I have a customer that is interested in implementing "double encryption" of their data on the FAS2600 series filer(s). In order to get our products in line with this requirement, I was hoping to get the following questions answered:

 

With OKM, where are the encryption keys/passphrase data stored? On the filer hardware?

 

Does the OKM passphrase need to be entered upon a node reboot?

 

A couple pieces of NetApp documentation have conflicting information regarding changing of the OKM passphrase. This resource contains examples of prompts that state that reconfiguring of the passphrase cannot be done:

 

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-900%2Fsecurity__key-manager__setup.html

 

Whereas the NetApp Encryption Power Guide provides instructions to perform this procedure on page 42:

 

https://library.netapp.com/ecm/ecm_download_file/ECMLP2572742

 

Which piece of documentation is correct?

1 ACCEPTED SOLUTION

AlexDawson

> With OKM, where are the encryption keys/passphrase data stored? On the filer hardware?

 

With OKM the keys are stored encrypted in the replicated databases which are stored on disk, and it is additionally stored encrypted in the compact flash (onboard USB key). ONTAP requests the key at startup, decrypts it, then unlocks the drives with it, before purging the key from volatile memory.

 

> Does the OKM passphrase need to be entered upon a node reboot?

 

No

 

Regarding the documentation difference - the PDF is for ONTAP 9.1, and the HTML link is for 9.0. Passphrase update is a new feature in 9.1 and is available in the documentation by changing "900" to "910" in the URL - http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-910%2Fsecurity__key-manager__setup.html

 

Hope this helps!

2 REPLIES

Sevenfold

Perfect! Thanks Alex!
