Object Storage

Enable Data Encryption on Existing Object Data

jimb32
2,219 Views

We have a SG appliance running 11.5. We have 2 load-balanced admin nodes and 8 storage nodes. We have the SG front-ended with an AFF-400. When we installed the SG we did not enable data encryption. We do have Volume Encryption enabled on the AFF. From what I read, if we enable data encryption on the SG now, it will only encrypt new data added to the SG and it will not encrypt any existing data. Is there a way to encrypt existing data? The ultimate goal is to have the data encrypted at rest.

1 ACCEPTED SOLUTION

aronk
2,199 Views

Yes, StorageGRID supports the put-bucket-encryption API. No, encryption is only set on newly ingested objects. 

Example

         aws s3api put-bucket-encryption --bucket encryptme --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}' --profile encrypt --endpoint-url https://192.169.0.100 --no-verify-ssl

View solution in original post

4 REPLIES 4

aronk
2,216 Views

FabricPool encrypts the data stored to the cloud tier.  From the FabricPool Best Practices TR:

Cloud tier

         All objects encrypted by NVE/NAE remain encrypted when moved to the cloud tier. Client-side encryption keys are owned by ONTAP. All objects not encrypted using NVE/NAE are automatically encrypted server-side using AES-256-GCM encryption. No additional encryption is necessary. Server-side encryption keys are owned by the respective object store. 

 

OliverSchubert
2,212 Views
Hi,

according to TR-4598 page 40:

Security:
All data encrypted by ONTAP NVE/NAE remains encrypted when moved to the cloud tier. Client-side encryption keys are owned by ONTAP. All objects not encrypted using ONTAP NVE/NAE are automatically encrypted by StorageGRID using AES-256-GCM encryption. No additional encryption is necessary. NetApp recommends disabling stored object encryption in StorageGRID.


Best
Oliver

jimb32
2,210 Views

Thanks aronk. That's a big help. One follow-on question. If we create a tenant account with a S3 bucket - can that be encrypted at the bucket level and if so, can it be encrypted after the data is added to the SG?

aronk
2,200 Views

Yes, StorageGRID supports the put-bucket-encryption API. No, encryption is only set on newly ingested objects. 

Example

         aws s3api put-bucket-encryption --bucket encryptme --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}' --profile encrypt --endpoint-url https://192.169.0.100 --no-verify-ssl

Public