NetApp Encryption Power Guide


ONTAP 9
NetApp Encryption Power Guide
March 2021
215-11633 2021-03 en-us
doccomments@netapp.com
Updated for ONTAP 9.8

Contents

Deciding whether to use the NetApp Encryption Power Guide

Configuring NetApp Volume Encryption
    NetApp Volume Encryption workflow
    Configuring NVE
        Determining whether your cluster version supports NVE
        Installing the license
        Configuring external key management
        Enabling onboard key management in ONTAP 9.6 and later (NVE)
        Enabling onboard key management in ONTAP 9.5 and earlier (NVE)
        Enabling onboard key management in newly added nodes
    Encrypting volume data with NVE
        Enabling aggregate-level encryption with NVE license
        Enabling encryption on a new volume
        Enabling encryption on an existing volume with the volume encryption conversion start command
        Enabling encryption on an existing volume with the volume move start command
        Enabling node root volume encryption

Configuring NetApp hardware-based encryption
    Hardware-based encryption workflow
    Configuring external key management
        Collecting network information in ONTAP 9.2 and earlier
        Installing SSL certificates on the cluster
        Enabling external key management in ONTAP 9.6 and later (HW-based)
        Enabling external key management in ONTAP 9.5 and earlier
        Creating authentication keys in ONTAP 9.6 and later
        Creating authentication keys in ONTAP 9.5 and earlier
        Assigning a data authentication key to a FIPS drive or SED (external key management)
    Configuring onboard key management
        Enabling onboard key management in ONTAP 9.6 and later
        Enabling onboard key management in ONTAP 9.5 and earlier
        Assigning a data authentication key to a FIPS drive or SED (onboard key management)
    Assigning a FIPS 140-2 authentication key to a FIPS drive
    Enabling cluster-wide FIPS-compliant mode for KMIP server connections

Managing NetApp encryption
    Unencrypting volume data
    Moving an encrypted volume
        Delegating authority to run the volume move command
    Changing the encryption key for a volume with the volume encryption rekey start command
    Changing the encryption key for a volume with the volume move start command
    Rotating authentication keys for NetApp Storage Encryption
    Deleting an encrypted volume
    Securely purging data on an encrypted volume
        Securely purging data on an encrypted volume without a SnapMirror relationship
        Securely purging data on an encrypted volume with an Asynchronous SnapMirror relationship
        Scrubbing data on an encrypted volume with a Synchronous SnapMirror relationship
    Changing the onboard key management passphrase
    Backing up onboard key management information manually
    Restoring onboard key management encryption keys
    Restoring external key management encryption keys
    Replacing SSL certificates
    Replacing a FIPS drive or SED
    Making data on a FIPS drive or SED inaccessible
    Sanitizing a FIPS drive or SED
    Destroying a FIPS drive or SED
    Emergency shredding of data on a FIPS drive or SED
    Returning a FIPS drive or SED to service when authentication keys are lost
    Returning a FIPS drive or SED to unprotected mode
    Deleting an external key manager connection
    Modifying external key management server properties
    Transitioning to external key management from onboard key management
    Transitioning to onboard key management from external key management
    What happens when key management servers are not reachable during the boot process
    Disabling encryption by default with ONTAP 9.7 and later

Where to find additional information

Copyright, trademark, and machine translation
    Copyright
    Trademark
    Machine translation

Deciding whether to use the NetApp Encryption Power Guide

NetApp offers both software- and hardware-based encryption technologies for ensuring that data at rest cannot be read if the storage medium is repurposed, returned, misplaced, or stolen.

- Software-based encryption supports data encryption one volume at a time.
- Hardware-based encryption supports full-disk encryption (FDE) of data as it is written.

You should use this guide if you want to work with encryption in the following way:

- You want to use best practices, not explore every available option.
- You do not want to read a lot of conceptual background.
- You want to use the ONTAP command-line interface (CLI), not ONTAP System Manager or an automated scripting tool.

As of ONTAP 9.7, System Manager supports onboard key manager encryption. For more information, see the System Manager documentation:

- https://docs.netapp.com/us-en/ontap/task_security_encrypt_stored_data_sw.html
- https://docs.netapp.com/us-en/ontap/task_security_encrypt_stored_data_hw.html

If this guide is not suitable for your situation, you should see the following documentation instead:

- ONTAP 9 commands
- NetApp Documentation: OnCommand Workflow Automation (current releases)

Configuring NetApp Volume Encryption

NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key accessible only to the storage system ensures that volume data cannot be read if the underlying device is repurposed, returned, misplaced, or stolen.

Understanding NVE

Both data, including Snapshot copies, and metadata are encrypted. Access to the data is given by a unique XTS-AES-256 key, one per volume. An external key management server or the Onboard Key Manager serves keys to nodes:

- The external key management server is a third-party system in your storage environment that serves keys to nodes using the Key Management Interoperability Protocol (KMIP). It is a best practice to configure external key management servers on a different storage system from your data.
- The Onboard Key Manager is a built-in tool that serves keys to nodes from the same storage system as your data.

Starting with ONTAP 9.7, aggregate and volume encryption is enabled by default if you have a volume encryption (VE) license and use an onboard or external key manager. Whenever an external or onboard key manager is configured, data-at-rest encryption is configured differently for brand new aggregates and brand new volumes: brand new aggregates have NetApp Aggregate Encryption (NAE) enabled by default, and brand new volumes that are not part of an NAE aggregate have NetApp Volume Encryption (NVE) enabled by default. If a data storage virtual machine (SVM) is configured with its own key manager using multi-tenant key management in an aggregate with NAE, then the volume created for that SVM is automatically configured with NVE.

You can enable encryption on a new or existing volume. NVE supports the full range of storage efficiency features, including deduplication and compression.

Note: If you are using SnapLock, you can enable encryption only on new, empty SnapLock volumes. You cannot enable encryption on an existing SnapLock volume.

You can use NVE on any type of aggregate (HDD, SSD, hybrid, array LUN), with any RAID type, and in any supported ONTAP implementation, including ONTAP Select. You can also use NVE with hardware-based encryption to "double encrypt" data on self-encrypting drives.

Note: AFF A220, AFF A800, FAS2720, FAS2750, and later systems store core dumps on their boot device. When NVE is enabled on these systems, the core dump is also encrypted.

Aggregate-level encryption

Ordinarily, every encrypted volume is assigned a unique key. When the volume is deleted, the key is deleted with it.

Starting with ONTAP 9.6, you can use NetApp Aggregate Encryption (NAE) to assign keys to the containing aggregate for the volumes to be encrypted. When an encrypted volume is deleted, the keys for the aggregate are preserved. The keys are deleted only after the last encrypted volume in the aggregate is deleted.

You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication. Aggregate-level deduplication is otherwise not supported by NVE.

Starting with ONTAP 9.7, aggregate and volume encryption is enabled by default if you have a volume encryption (VE) license and use an onboard or external key manager.

NVE and NAE volumes can coexist on the same aggregate. Volumes encrypted under aggregate-level encryption are NAE volumes by default. You can override the default when you encrypt the volume.

You can use the volume move command to convert an NVE volume to an NAE volume, and vice versa. You can replicate an NAE volume to an NVE volume.

When to use external key management servers

Although it is less expensive and typically more convenient to use the Onboard Key Manager, you should set up KMIP servers if any of the following are true:

- Your encryption key management solution must comply with Federal Information Processing Standards (FIPS) 140-2 or the OASIS KMIP standard.
- You need a multi-cluster solution, with centralized management of encryption keys.
- Your business requires the added security of storing authentication keys on a system or in a location different from the data.

Scope of external key management

The scope of external key management determines whether key management servers secure all the SVMs in the cluster or selected SVMs only:

- You can use a cluster scope to configure external key management for all the SVMs in the cluster. The cluster administrator has access to every key stored on the servers.
- Starting with ONTAP 9.6, you can use an SVM scope to configure external key management for a named SVM in the cluster. That is best for multitenant environments in which each tenant uses a different SVM (or set of SVMs) to serve data. Only the SVM administrator for a given tenant has access to the keys for that tenant.

You can use both scopes in the same cluster. If key management servers have been configured for an SVM, ONTAP uses only those servers to secure keys. Otherwise, ONTAP secures keys with the key management servers configured for the cluster.

Support details

The following table shows NVE support details. Each resource or feature is followed by its support details.

Platforms
    AES-NI offload capability required. See the Hardware Universe (HWU) to verify that NVE and NAE are supported for your platform.

Encryption
    Starting with ONTAP 9.7, newly created aggregates and volumes are encrypted by default when you have a volume encryption (VE) license and an onboard or external key manager configured.
    If you need to create an unencrypted aggregate, use the following command:
        storage aggregate create -encrypt-with-aggr-key false
    If you need to create a plain text volume, use the following command:
        volume create -encrypt false
    Encryption is not enabled by default when:
    - VE is not configured
    - Key manager is not configured
    - Platform or software does not support encryption
    - Hardware encryption is enabled

ONTAP
    All ONTAP implementations. Support for ONTAP Cloud is available in ONTAP 9.5 and later.

Devices
    HDD, SSD, hybrid, array LUN.

RAID
    RAID0, RAID4, RAID-DP, RAID-TEC.

Volumes
    Data volumes, existing root volumes, and MetroCluster metadata volumes. You cannot encrypt data on an SVM root volume.

Aggregate-level encryption
    Starting with ONTAP 9.6, NVE supports aggregate-level encryption (NAE):
    - You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication.
    - You cannot rekey an aggregate-level encryption volume.
    - Secure-purge is not supported on aggregate-level encryption volumes.
    - In addition to data volumes, NAE supports encryption of SVM root volumes and the MetroCluster metadata volume. NAE does not support encryption of the node root volume.

SVM scope
    Starting with ONTAP 9.6, NVE supports SVM scope for external key management only, not for the Onboard Key Manager. MetroCluster is not supported.

Storage efficiency
    Deduplication, compression, compaction, FlexClone. Clones use the same key as the parent, even after splitting the clone from the parent. You are warned to rekey the split clone.

Replication
    - For volume replication, the destination volume must have been enabled for encryption. Encryption can be configured for the source and unconfigured for the destination, and vice versa.
    - For SVM replication, the destination volume is automatically encrypted, unless the destination does not contain a node that supports volume encryption, in which case replication succeeds, but the destination volume is not encrypted.
    - For MetroCluster configurations, each cluster pulls external key management keys from its configured key servers. OKM keys are replicated to the partner site by the configuration replication service.

Compliance
    Starting with ONTAP 9.2, SnapLock is supported in both Compliance and Enterprise modes, for new volumes only. You cannot enable encryption on an existing SnapLock volume.

FlexGroups
    Starting with ONTAP 9.2, FlexGroups are supported. Destination aggregates must be of the same type as source aggregates, either volume-level or aggregate-level. Starting with ONTAP 9.5, in-place rekey of FlexGroup volumes is supported.

7-Mode transition
    Starting with 7-Mode Transition Tool 3.3, you can use the 7-Mode Transition Tool CLI to perform copy-based transition to NVE-enabled destination volumes on the clustered system.

NetApp Volume Encryption workflow

You must configure key management services before you can enable volume encryption. You can enable encryption on a new volume or on an existing volume.

Configuring NVE

You must install the NVE license and configure key management services before you can encrypt data with NVE. Before installing the license, you should determine whether your ONTAP version supports NVE.

Determining whether your cluster version supports NVE

You should determine whether your cluster version supports NVE before you install the license. You can use the version command to determine the cluster version.

About th
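The support table above says that from ONTAP 9.7 new volumes are encrypted by default once a VE license and a key manager are in place, that NAE volumes (9.6 and later) can be neither rekeyed nor secure-purged, and that the version command tells you which of those rules apply. After a cluster has been running with encryption on by default, the practical question is which volumes are still plain text (created with -encrypt false, created before the key manager existed, or SVM root volumes that NVE cannot cover) and which are NAE rather than NVE. The following Python script is an added example, not code from the NetApp guide or from ONTAP: it parses the text that the ONTAP commands version and volume show -fields vserver,volume,aggregate,encrypt,encryption-type print and classifies every volume. The sample outputs are constructed for the example; the whitespace-separated -fields table layout, the "N entries were displayed." trailer, and the encryption-type values none, volume and aggregate are assumptions of the example that you should check against your own cluster's output before relying on it.

```python
"""Offline audit of ONTAP CLI output for NVE/NAE coverage.

Added example, not part of the NetApp guide. It classifies volumes from
the text printed by `version` and
`volume show -fields vserver,volume,aggregate,encrypt,encryption-type`.
"""
import re

# `version` prints a line such as "NetApp Release 9.8P3: <build date>"
VERSION_RE = re.compile(r"NetApp Release (\d+)\.(\d+)")

# Constructed sample output of `version` (assumption: this line format)
VERSION_OUTPUT = "NetApp Release 9.8P3: Thu Mar 04 21:08:25 UTC 2021"

# Constructed sample output of
# `volume show -fields vserver,volume,aggregate,encrypt,encryption-type`
# (assumption: header, dashed separator, one row per volume, trailer)
VOLUME_OUTPUT = """\
vserver volume    aggregate encrypt encryption-type
------- --------- --------- ------- ---------------
svm1    svm1_root aggr1     false   none
svm1    vol_fin   aggr1     true    volume
svm1    vol_hr    aggr_nae  true    aggregate
svm2    vol_logs  aggr1     false   none
4 entries were displayed.
"""


def parse_version(text):
    """Return (major, minor) parsed from `version` output."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"unrecognised `version` output: {text!r}")
    return int(match.group(1)), int(match.group(2))


def parse_fields_table(text):
    """Parse a `... show -fields` table: header line, dashed separator,
    one whitespace-separated row per object, then an
    'N entries were displayed.' trailer. The fields selected here never
    contain spaces, so a plain split is safe."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) < 2 or not lines[1].startswith("-"):
        raise ValueError("missing header or separator line")
    header = lines[0].split()
    rows = []
    for line in lines[2:]:
        if re.match(r"\d+ entr(y was|ies were) displayed\.", line.strip()):
            break
        values = line.split()
        if len(values) != len(header):
            raise ValueError(f"malformed row: {line!r}")
        rows.append(dict(zip(header, values)))
    return rows


def audit(version_text, volume_text):
    """Classify each volume and record which version-dependent rules apply."""
    version = parse_version(version_text)
    report = {
        "version": version,
        "nae_available": version >= (9, 6),       # NAE introduced in 9.6
        "encrypt_by_default": version >= (9, 7),  # default-on from 9.7
        "plain_text": [],  # needs conversion start or an encrypting volume move
        "nve": [],         # per-volume key: rekey and secure purge possible
        "nae": [],         # aggregate key: no rekey, no secure purge
    }
    for row in parse_fields_table(volume_text):
        name = f"{row['vserver']}:{row['volume']}"
        if row["encrypt"] != "true":
            report["plain_text"].append(name)
        elif row["encryption-type"] == "aggregate":
            if not report["nae_available"]:
                raise ValueError(f"NAE volume reported on a pre-9.6 cluster: {name}")
            report["nae"].append(name)
        else:
            report["nve"].append(name)
    return report


if __name__ == "__main__":
    result = audit(VERSION_OUTPUT, VOLUME_OUTPUT)
    print("ONTAP %d.%d, encrypt-by-default=%s" % (*result["version"], result["encrypt_by_default"]))
    for bucket in ("plain_text", "nve", "nae"):
        print(f"{bucket:<10} {', '.join(result[bucket]) or '-'}")
```

Two of the constructed rows deserve a second look rather than a blind remediation: svm1_root is an SVM root volume, which the support table says NVE cannot encrypt (only NAE can), and vol_hr is an NAE volume, so a key-rotation or secure-purge plan for it has to go through a volume move to an NVE volume first.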
