NetApp Storage Subsystem Design: NetApp Storage Encryption

Part 5 of a 5-part series on choosing media for NetApp FAS storage


By Tushar Routh, Sr. Manager, Storage Products, NetApp


I want to wrap up this series with a discussion of NetApp Storage Encryption (NSE), which uses self-encrypting drives (SEDs) to enhance data security. With all the recent news about corporate and government espionage, there’s been a definite uptick of interest in security and encryption solutions.


Why have I saved NSE for last? Two reasons:


  • It builds on everything I’ve covered so far. Our self-encrypting drive portfolio includes both performance and high-capacity models, and we’ll be adding SSDs in the future as well.
  • We’re in the process of releasing several new self-encrypting drives.


Understanding NetApp Storage Encryption

NSE is the NetApp implementation of full-disk encryption (FDE) using self-encrypting drives (SEDs) from leading drive vendors. Encryption takes place on the drive itself after Data ONTAP writes the data, and decryption takes place on the drive before Data ONTAP reads it, so NSE operates seamlessly with Data ONTAP features such as deduplication and compression. All data on a drive is automatically encrypted, so using NSE is an easy way to make sure that data at rest is protected while maximizing the ROI of your NetApp storage.


As you might expect, this technology is front and center for government, healthcare and financial organizations. The physical drives themselves are tamper-proof, and NSE prevents unauthorized access to encrypted data at rest. It prevents someone from removing a drive or shelf of drives and mounting and accessing them elsewhere. In addition, it prevents unauthorized access when drives are returned after a drive failure, and it simplifies the disposal of drives.


Key management for NSE is provided by an external solution. NetApp has partnered with SafeNet to offer the SafeNet KeySecure Key Manager, available direct from NetApp and from our partners.


The NetApp NSE Portfolio

All FDE drives that NetApp sells adhere to the Trusted Computing Group (TCG) AES-256 encryption standard. We also require FIPS 140-2 certification, which is a standard requirement for the public sector.


NSE is supported across all current FAS/V platforms; the main consideration is that you can’t mix encrypting and non-encrypting drives in the same storage system.


Our drive portfolio includes a 600GB performance drive and a just-released 900GB performance drive as well as a 3TB LFF high-capacity option. A 4TB LFF option is set to release this month. We plan to offer a self-encrypting SSD in coming months. Although a release date has not been set, once we have a self-encrypting SSD in our portfolio we plan to support Flash Pools that are fully encrypted.


Wrap Up

NSE is part of a broader portfolio of encryption products that NetApp offers to enhance data security. As mentioned above, we also offer SafeNet KeySecure for simplified key management. Other encryption options include:


  • SafeNet StorageSecure inline encryption appliances that support granular encryption at the CIFS/NFS share, export or volume level and compartmentalize shared storage into cryptographic silos.
  • Brocade Encryption Switches and blades (BES) that encrypt data at rest on disk and tape in Fibre Channel environments.


I hope this blog series has given you a better understanding of all the available NetApp storage options and how to combine them to create a storage subsystem that’s tailored for your needs. If there’s something you’d like to hear more about, please let us know in the comments.


Here are links to all the previous posts in case you missed any of them:



Stay tuned in early October for a guest blog post from SafeNet that will expand upon NSE with KeySecure.