Enable Data Encryption on Existing Object Data

jimb32

We have a SG appliance running 11.5. We have 2 load-balanced admin nodes and 8 storage nodes. We have the SG front-ended with an AFF-400. When we installed the SG we did not enable data encryption. We do have Volume Encryption enabled on the AFF. From what I read, if we enable data encryption on the SG now, it will only encrypt new data added to the SG and it will not encrypt any existing data. Is there a way to encrypt existing data? The ultimate goal is to have the data encrypted at rest.

aronk

FabricPool encrypts the data stored to the cloud tier. From the FabricPool Best Practices TR:

Cloud tier

         All objects encrypted by NVE/NAE remain encrypted when moved to the cloud tier. Client-side encryption keys are owned by ONTAP. All objects not encrypted using NVE/NAE are automatically encrypted server-side using AES-256-GCM encryption. No additional encryption is necessary. Server-side encryption keys are owned by the respective object store. 

 

OliverSchubert

Hi,

According to TR-4598 page 40:

Security:
All data encrypted by ONTAP NVE/NAE remains encrypted when moved to the cloud tier. Client-side encryption keys are owned by ONTAP. All objects not encrypted using ONTAP NVE/NAE are automatically encrypted by StorageGRID using AES-256-GCM encryption. No additional encryption is necessary. NetApp recommends disabling stored object encryption in StorageGRID.
Best
Oliver

jimb32

Thanks aronk. That's a big help. One follow-on question. If we create a tenant account with a S3 bucket - can that be encrypted at the bucket level and if so, can it be encrypted after the data is added to the SG?

Yes, StorageGRID supports the put-bucket-encryption API. No, encryption is only set on newly ingested objects. 

Example

         aws s3api put-bucket-encryption --bucket encryptme --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}' --profile encrypt --endpoint-url https://192.169.0.100 --no-verify-ssl
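Because the default-encryption rule above only applies to objects ingested after it is set, the practical way to get existing objects covered is to re-ingest them. The script below is an added example, not code from this thread or from NetApp: it lists a bucket, flags every object whose HEAD response carries no ServerSideEncryption header, and copies each such object onto itself with SSE requested, which makes it a fresh ingest. It assumes StorageGRID honours the x-amz-server-side-encryption header on CopyObject the way AWS S3 does; the bucket name "encryptme" is borrowed from the CLI example, and the object keys, metadata and the FakeS3 stand-in client are constructed so the code runs offline. For a live grid, pass the client returned by make_client instead of FakeS3.

```python
"""Find objects lacking server-side encryption and re-ingest them encrypted.

Constructed example. Works against anything exposing boto3's S3 client
methods (list_objects_v2 / head_object / copy_object); FakeS3 is an
in-memory stand-in so the demo runs offline. Assumes StorageGRID honours
the x-amz-server-side-encryption header on CopyObject as AWS S3 does.
"""


def make_client(endpoint_url, profile, verify=True):
    """Real boto3 client for a StorageGRID S3 endpoint, mirroring the CLI flags
    used in the thread. boto3 is imported lazily so the offline demo needs no SDK."""
    import boto3
    session = boto3.Session(profile_name=profile)
    return session.client("s3", endpoint_url=endpoint_url, verify=verify)


def unencrypted_keys(client, bucket):
    """Keys whose HEAD response has no ServerSideEncryption header, i.e. objects
    ingested before encryption was switched on. Follows continuation tokens."""
    keys, token = [], None
    while True:
        kwargs = {"Bucket": bucket}
        if token:
            kwargs["ContinuationToken"] = token
        page = client.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            head = client.head_object(Bucket=bucket, Key=obj["Key"])
            if "ServerSideEncryption" not in head:
                keys.append(obj["Key"])
        if not page.get("IsTruncated"):
            return keys
        token = page["NextContinuationToken"]


def reencrypt_in_place(client, bucket, keys):
    """Copy each object onto itself with SSE requested explicitly; the copy is a
    new ingest, so it is stored encrypted. S3 requires MetadataDirective=REPLACE
    for a same-key copy, so user metadata and content type are carried over by
    hand. Caveats: objects above the single-request copy limit need a multipart
    copy, and on a versioned bucket the old plaintext version remains as a
    noncurrent version until lifecycle or an explicit delete removes it."""
    done = []
    for key in keys:
        head = client.head_object(Bucket=bucket, Key=key)
        client.copy_object(
            Bucket=bucket,
            Key=key,
            CopySource={"Bucket": bucket, "Key": key},
            ServerSideEncryption="AES256",
            MetadataDirective="REPLACE",
            Metadata=head.get("Metadata", {}),
            ContentType=head.get("ContentType", "binary/octet-stream"),
        )
        done.append(key)
    return done


class FakeS3:
    """Constructed in-memory stand-in for the boto3 S3 client (not StorageGRID
    code). Pages two keys at a time so the pagination path is exercised."""

    def __init__(self, objects):
        self.objects = objects  # key -> {"content_type", "metadata", "sse"}

    def list_objects_v2(self, Bucket, ContinuationToken=None, MaxKeys=2):
        keys = sorted(self.objects)
        start = int(ContinuationToken) if ContinuationToken else 0
        page = keys[start:start + MaxKeys]
        resp = {"Contents": [{"Key": k} for k in page],
                "IsTruncated": start + MaxKeys < len(keys)}
        if resp["IsTruncated"]:
            resp["NextContinuationToken"] = str(start + MaxKeys)
        return resp

    def head_object(self, Bucket, Key):
        obj = self.objects[Key]
        resp = {"ContentType": obj["content_type"],
                "Metadata": dict(obj["metadata"])}
        if obj["sse"]:
            resp["ServerSideEncryption"] = obj["sse"]
        return resp

    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption=None,
                    MetadataDirective="COPY", Metadata=None, ContentType=None):
        src = self.objects[CopySource["Key"]]
        self.objects[Key] = {
            "content_type": ContentType or src["content_type"],
            "metadata": dict(Metadata or {}) if MetadataDirective == "REPLACE"
            else dict(src["metadata"]),
            "sse": ServerSideEncryption,  # no header -> stored unencrypted
        }
        return {"ServerSideEncryption": ServerSideEncryption} if ServerSideEncryption else {}


def demo():
    """Constructed bucket: two objects ingested before encryption was enabled,
    one after. Returns (unencrypted before, re-ingested, unencrypted after, client)."""
    s3 = FakeS3({
        "reports/2023.csv": {"content_type": "text/csv",
                             "metadata": {"owner": "finance"}, "sse": None},
        "reports/2024.csv": {"content_type": "text/csv",
                             "metadata": {}, "sse": "AES256"},
        "backup.tar": {"content_type": "application/x-tar",
                       "metadata": {}, "sse": None},
    })
    before = unencrypted_keys(s3, "encryptme")
    fixed = reencrypt_in_place(s3, "encryptme", before)
    after = unencrypted_keys(s3, "encryptme")
    return before, fixed, after, s3
```

Run the audit step on its own first: the list of keys it returns is the evidence that the bucket-level setting did not reach older objects, and running it again after the re-copy should return an empty list. The copy keeps user metadata, but anything a bucket-level lifecycle or versioning rule does with the superseded plaintext version still has to be checked separately.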