Enable Data Encryption on Existing Object Data

jimb32

We have a SG appliance running 11.5. We have 2 load-balanced admin nodes and 8 storage nodes. We have the SG front-ended with an AFF-400. When we installed the SG we did not enable data encryption. We do have Volume Encryption enabled on the AFF. From what I read, if we enable data encryption on the SG now, it will only encrypt new data added to the SG and it will not encrypt any existing data. Is there a way to encrypt existing data? The ultimate goal is to have the data encrypted at rest.

1 ACCEPTED SOLUTION

aronk

Yes, StorageGRID supports the put-bucket-encryption API. No, encryption is only set on newly ingested objects. 

Example

         aws s3api put-bucket-encryption --bucket encryptme --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}' --profile encrypt --endpoint-url https://192.169.0.100 --no-verify-ssl

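An added example (not from the thread or from NetApp): the same default-encryption rule the CLI call above sends, expressed for boto3, plus a check for the caveat aronk raises, namely that objects ingested before the rule was set stay unencrypted. It assumes StorageGRID reports SSE on HEAD via the x-amz-server-side-encryption header as S3 does, and the bucket, endpoint and profile names are placeholders.

```python
"""Default bucket encryption on StorageGRID: set, confirm, and list leftovers."""
from typing import Dict, List

# Same rule set the thread's put-bucket-encryption CLI call sends.
SSE_RULES: Dict = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}

# Constructed sample of head_object responses, not real StorageGRID output.
SAMPLE_HEADS: Dict[str, Dict] = {
    "legacy/a.bin": {"ContentLength": 10},
    "legacy/b.bin": {"ContentLength": 20},
    "new/c.bin": {"ContentLength": 30, "ServerSideEncryption": "AES256"},
}


def default_sse_algorithm(get_bucket_encryption_response: Dict) -> str:
    """Return the bucket's default SSE algorithm, or '' if no rule is set."""
    cfg = get_bucket_encryption_response.get("ServerSideEncryptionConfiguration", {})
    for rule in cfg.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return ""


def unencrypted_keys(head_responses: Dict[str, Dict]) -> List[str]:
    """Given {key: head_object response}, return keys with no server-side
    encryption. boto3 surfaces x-amz-server-side-encryption as
    'ServerSideEncryption'; objects ingested before the default rule was
    applied lack it (assumption: StorageGRID reports it like S3)."""
    return sorted(k for k, h in head_responses.items() if not h.get("ServerSideEncryption"))


def enable_and_audit(bucket: str, endpoint_url: str, profile: str, verify_tls: bool = True):
    """Live run: apply SSE_RULES, read the rule back, list objects still unencrypted.
    Needs boto3 and network access, so the import is local to this function.
    Keep verify_tls=True unless the grid's certificate is trusted another way."""
    import boto3  # assumption: boto3 is installed where this runs
    from botocore.exceptions import ClientError
    s3 = boto3.session.Session(profile_name=profile).client(
        "s3", endpoint_url=endpoint_url, verify=verify_tls)
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=SSE_RULES)
    try:
        algo = default_sse_algorithm(s3.get_bucket_encryption(Bucket=bucket))
    except ClientError:
        algo = ""  # no default rule readable; treat as not configured
    heads = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            heads[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
    return algo, unencrypted_keys(heads)
```

The returned key list is the set of pre-existing objects the new default rule did not touch, which is what an encryption-at-rest review needs to account for separately.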

4 REPLIES

aronk

FabricPool encrypts the data stored to the cloud tier. From the FabricPool Best Practices TR:

Cloud tier

         All objects encrypted by NVE/NAE remain encrypted when moved to the cloud tier. Client-side encryption keys are owned by ONTAP. All objects not encrypted using NVE/NAE are automatically encrypted server-side using AES-256-GCM encryption. No additional encryption is necessary. Server-side encryption keys are owned by the respective object store. 


OliverSchubert
Hi,

According to TR-4598 page 40:

Security:
All data encrypted by ONTAP NVE/NAE remains encrypted when moved to the cloud tier. Client-side encryption keys are owned by ONTAP. All objects not encrypted using ONTAP NVE/NAE are automatically encrypted by StorageGRID using AES-256-GCM encryption. No additional encryption is necessary. NetApp recommends disabling stored object encryption in StorageGRID.

Best
Oliver

jimb32

Thanks aronk. That's a big help. One follow-on question. If we create a tenant account with an S3 bucket, can that be encrypted at the bucket level, and if so, can it be encrypted after the data is added to the SG?
