NFS/CIFS Encryption

heightsnj
‎2019-04-17 12:05 PM
5,819 Views

In terms of end to end encryption over NFS/CIFS, I know there can have NetApp Volume Encryption which will happen on volumes. What about encryptions from VM clients and to the NetApp storage?

 

In NFS Datastore cases, we are using v3, and not using Kerboros( I know Kerbors can support AES). We also use NFS/CIFS share. So, what kind of encryptions suppored here if any, and how can they work out?

 

Thanks!

0 Kudos

paul_stejskal
NetApp
‎2019-04-18 07:45 AM
5,702 Views

SMB3 and NFS+krb5p are supported. I would recommend going to over 9.2 to get support otherwise AES-NI Intel CPU instruction sets won't be active in ONTAP and you won't see good performance at all.

0 Kudos

heightsnj
‎2019-04-18 08:49 AM
In response to paul_stejskal
5,688 Views

My question is what if we didn't implement KRB at all? Any encryption can be used, and how?

in SMB3 case, what requirements on NetApp storage and Window clients?

0 Kudos

paul_stejskal
NetApp
‎2019-04-18 09:42 AM
In response to heightsnj
5,675 Views

I don't believe it's possible to encrypt NFS streams outside of KRB5P.

 

For SMB3, there is SMB encryption built into the protocol and we support it. I'd check with Microsoft for details or search around enabling, but it is well documented.

 

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.cdot-famg-cifs/GUID-6F694E53-022A-453A-8AC9-6F2941794DA6.html

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.cdot-famg-cifs/GUID-EF158266-85EE-4648-8D0F-6F80F0E13DCA.html

https://whyistheinternetbroken.wordpress.com/2017/07/24/ontap92-krb5p/

https://www.netapp.com/us/media/tr-4616.pdf <--talks about KRB5P NFS with Active Directory

Securing your NetApp infrastructure: https://www.netapp.com/us/media/tr-4569.pdf