ONTAP 9 NetApp Encryption Power Guide


ONTAP 9
NetApp Encryption Power Guide
February 2017
215-11633-D0
doccomments@netapp.com
Updated for ONTAP 9.1

Contents

Deciding whether to use the NetApp Encryption Power Guide ... 5
Using NetApp Volume Encryption ... 6
  NetApp Volume Encryption workflow ... 7
  Configuring NVE ... 7
    Determining whether your cluster version supports NVE ... 7
    Installing the license ... 8
    Enabling onboard key management ... 9
  Encrypting volume data with NVE ... 10
    Enabling encryption on a new volume ... 10
    Enabling encryption on an existing volume ... 10
  Managing NVE ... 11
    Unencrypting volume data ... 12
    Moving an encrypted volume ... 12
    Changing the encryption key for a volume ... 13
    Deleting an encrypted volume ... 14
    Changing the onboard key management passphrase ... 14
    Transitioning to onboard key management from external key management ... 15
    Backing up onboard key management information manually ... 16
    Delegating authority to run the volume move command ... 16
    NVE APIs ... 17
Using NetApp Storage Encryption ... 18
  NetApp Storage Encryption workflow ... 19
  Configuring external key management ... 19
    Collecting network and security information ... 20
    Installing SSL certificates on the cluster ... 21
    Connecting to external key management servers ... 22
    Creating authentication keys ... 23
    Assigning a data authentication key to SEDs ... 24
    Assigning a FIPS 140-2 authentication key to SEDs ... 25
    Enabling cluster-wide FIPS-compliant mode for KMIP server connections ... 26
  Configuring onboard key management ... 27
    Enabling onboard key management ... 27
    Viewing the keys generated by the Onboard Key Manager ... 28
    Assigning a data authentication key to SEDs ... 29
    Assigning a FIPS 140-2 authentication key to SEDs ... 30
  Managing NSE ... 31
    Replacing SSL certificates ... 31
    Restoring authentication keys ... 32
    Replacing an SED ... 33
    Making data on an SED inaccessible ... 34
    Returning SEDs to service when authentication keys are lost ... 39
    Returning SEDs to unprotected mode ... 41
    Deleting an external key manager connection ... 41
    Transitioning to external key management from onboard key management ... 42
    Transitioning to onboard key management from external key management ... 42
    Changing the onboard key management passphrase ... 43
    Backing up onboard key management information manually ... 44
Where to find additional information ... 45
Copyright information ... 46
Trademark information ... 47
How to send comments about documentation and receive update notifications ... 48
Index ... 49

Deciding whether to use the NetApp Encryption Power Guide

NetApp offers both software- and hardware-based encryption technologies for ensuring that data at rest cannot be read if the storage medium is repurposed, returned, misplaced, or stolen. Software-based NetApp Volume Encryption (NVE) supports data encryption one volume at a time. Hardware-based NetApp Storage Encryption (NSE) supports full-disk encryption (FDE).

You should use this guide if you want to work with encryption in the following way:

- You want to use best practices, not explore every available option.
- You do not want to read a lot of conceptual background.
- You want to use the ONTAP command-line interface (CLI), not OnCommand System Manager or an automated scripting tool. The encryption technologies are not supported by System Manager.

If this guide is not suitable for your situation, you should see the following documentation instead:

- ONTAP 9 commands
- NetApp Documentation: OnCommand Workflow Automation (current releases)

Using NetApp Volume Encryption

NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key accessible only to the storage system ensures that volume data cannot be read if the underlying device is repurposed, returned, misplaced, or stolen.

Understanding NVE

Both data, including Snapshot copies, and metadata are encrypted. Access to the data is given by a unique XTS-AES-256 key, one per volume. An Onboard Key Manager secures the keys on the same system with your data.

You can enable encryption on an existing volume (using the volume move command) or on a new volume (using the volume create command). NVE supports the full range of storage efficiency features, including deduplication and compression.

You can use NVE on any type of aggregate (HDD, SSD, hybrid, array LUN), with any RAID type, and in any supported ONTAP implementation, including ONTAP Select. You can also use NVE with NetApp Storage Encryption (NSE) to "double encrypt" data on NSE drives, provided that you use the NSE Onboard Key Manager option.

Support details

The following table shows NVE support details.

Resource or feature   Support details
--------------------  ----------------------------------------------------------------
Platforms             AES-NI offload capability required: FAS 2620, FAS 2650, FAS 6290, FAS 80xx, FAS 8200, FAS 9000, AFF A200, AFF A300, AFF A700, or AFF A700S.
ONTAP                 All ONTAP implementations, except ONTAP Cloud.
Devices               HDD, SSD, hybrid, array LUN.
RAID                  RAID0, RAID4, RAID-DP, RAID-TEC.
Volumes               Data volumes only. You cannot encrypt data on a root volume, an SVM root volume, or a MetroCluster metadata volume.
Storage efficiency    Deduplication, compression, compaction, FlexClone. Clones use the same key as the parent, even after splitting the clone from the parent. You are warned to rekey the split clone.
Replication           For SnapMirror and SnapVault, the destination volume must have been enabled for encryption. For MetroCluster configurations, keys and passphrases are replicated to the partner site by the configuration replication service (CRS).
Compliance            SnapLock is not supported.
FlexGroups            FlexGroups are not supported.
7-Mode transition     Integration with the 7-Mode Transition Tool is not supported. Transition an existing volume as you would currently, then use volume move to enable encryption on the volume.

NetApp Volume Encryption workflow

You must install the NVE license and enable onboard key management before you can enable volume encryption. You can enable encryption on a new volume or on an existing volume.

Configuring NVE

You must install the NVE license and enable onboard key management before you can encrypt data with NVE. Before installing the license, you should determine whether your ONTAP version supports NVE.

Steps
1. Determining whether your cluster version supports NVE on page 7
2. Installing the license on page 8
3. Enabling onboard key management on page 9

Determining whether your cluster version supports NVE

You should determine whether your cluster version supports NVE before you install the license. You can use the version command to determine the cluster version.

About this task
The cluster version is the lowest version of ONTAP running on any node in the cluster.

Step
1. Determine whether your cluster version supports NVE:

   version -v

   NVE is not supported if the command output displays the text "no-DARE" (for "no Data At Rest Encryption").

   Example
   The following command determines whether NVE is supported on cluster1.

   cluster1::> version -v
   NetApp Release 9.1.0: Tue May 10 19:30:23 UTC 2016 1no-DARE

   The text "1no-DARE" in the command output indicates that NVE is not supported on your cluster version.

Installing the license

An NVE license entitles you to use the feature on all nodes in the cluster. You must install the license before you can encrypt data with NVE.

Before you begin
You must be a cluster administrator to perform this task.

About this task
You should have received the NVE license key from your sales representative.

Steps
1. Install the NVE license for a node:

   system license add -license-code license_key

   Example
   The following command installs the license with the key AAAAAAAAAAAAAAAAAAAAAAAAAAAA.

   cluster1::> system license add -license-code AAAAAAAAAAAAAAAAAAAAAAAAAAAA

2. Verify that the license is installed by displaying all the licenses on the cluster:

   system license show

   For complete command syntax, see the man page for the command.

   Example
   The following command displays all the licenses on cluster1:

   cluster1::> system license show

   The NVE license package name is "VE".

Enabling onboard key management

The Onboard Key Manager secures the keys that the cluster uses to access encrypted data. You must enable Onboard Key Manager on each cluster that accesses an encrypted volume or a self-encrypting disk (SED).

Before you begin
- If you are using NSE with an external key management (KMIP) server, you must have deleted the external key manager database. See Transitioning to onboard key management from external key management on page 42.
- You must be a cluster administrator to perform this task.

About this task
You must run this command each time you add a node to the cluster.

Steps
1. Start the key manager setup wizard:

   security key-manager setup

   Example
   The following command starts the key manager setup wizard on cluster1:

   cluster1::> security key-manager setup
   Welcome to the key manager setup wizard, which will lead you through
   the steps to add boot information.

   Enter the following commands at any time
   "help" or "?" if you want to have a question clarified,
   "back" if you want to change your answers to previous questions, and
   "exit" if you want to quit the key manager setup wizard. Any changes
   you made before typing "exit" will be applied.

   Restart the key manager setup wizard with "security key-manager setup".
   To accept a default or omit a question, do not enter a value.

   Would you like to use onboard key-management? {yes, no} [yes]:
   Enter the cluster-wide passphrase: <32..256 UTF8 characters long text>
   Reenter the cluster-wide passphrase: <32..256 UTF8 characters long text>

2. Enter yes at the prompt to configure onboard key management.
3. Enter a passphrase between 32 and 256 characters at the passphrase prompt.
4. Re-enter the passphrase at the passphrase confirmation prompt.

After you finish
Copy the passphrase to a secure location outside the storage system for future use. All key management information is automatically backed up to the replicated database (RDB) for the cluster. You should also back up the information manually for use in case of a disaster.

Related tasks
Backing up onboard key management information manually on page 16
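The three configuration steps above (version check, VE license, onboard key manager passphrase) can be pre-checked offline before touching the cluster. The following Python is an added example and is not code from the NetApp guide: it inspects captured `version -v` and `system license show` output for the "no-DARE" marker and the "VE" package row, validates a passphrase against the 32 to 256 character limit the setup wizard states, and generates a passphrase from the OS CSPRNG that you can paste into the wizard and then store offline. The sample outputs are constructed (the column layout of `system license show` is assumed), and counting the limit in characters rather than UTF-8 bytes is an assumption drawn from the guide's wording.

```python
"""Offline pre-flight checks for the three NVE configuration steps above.
Added example, not NetApp code: it inspects captured CLI output and never
talks to a cluster."""
import re
import secrets
import string

# Constructed `version -v` output, modelled on the guide's example; the second
# string lacks the no-DARE marker and so stands for a build that supports NVE.
VERSION_NO_DARE = "NetApp Release 9.1.0: Tue May 10 19:30:23 UTC 2016 1no-DARE"
VERSION_DARE = "NetApp Release 9.1.0: Tue May 10 19:30:23 UTC 2016"

# Constructed `system license show` output (column layout is an assumption).
LICENSE_OUTPUT = """\
Serial Number: 1-80-000011
Owner: cluster1
Package           Type     Description           Expiration
----------------- -------- --------------------- -------------------
Base              site     Cluster Base License  -
VE                license  Volume Encryption     -
2 entries were displayed.
"""

PASSPHRASE_MIN, PASSPHRASE_MAX = 32, 256  # limits the setup wizard states


def nve_supported(version_output: str) -> bool:
    """NVE is unavailable when `version -v` prints the no-DARE marker."""
    return "no-DARE" not in version_output


def ve_license_installed(license_output: str) -> bool:
    """True if a row for the VE (Volume Encryption) package is present."""
    return any(re.match(r"^VE\s+\S+", line) for line in license_output.splitlines())


def passphrase_ok(passphrase: str) -> bool:
    """Length check in characters (code points), not UTF-8 bytes: an assumed
    reading of the guide's '32 and 256 characters'."""
    return PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX


def generate_passphrase(length: int = 48) -> str:
    """Passphrase from the OS CSPRNG over a printable alphabet that avoids
    characters a CLI wizard may treat specially (quotes, backslash, space)."""
    if not PASSPHRASE_MIN <= length <= PASSPHRASE_MAX:
        raise ValueError(f"length must be {PASSPHRASE_MIN}..{PASSPHRASE_MAX}")
    alphabet = string.ascii_letters + string.digits + "-_.:+=@#%"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def preflight(version_output: str, license_output: str) -> list:
    """Blocking problems to resolve before running `security key-manager setup`."""
    problems = []
    if not nve_supported(version_output):
        problems.append("cluster version reports no-DARE: NVE not supported")
    if not ve_license_installed(license_output):
        problems.append("VE license package not installed")
    return problems


if __name__ == "__main__":
    print("problems:", preflight(VERSION_NO_DARE, LICENSE_OUTPUT))
    candidate = generate_passphrase()
    print("generated passphrase ok:", passphrase_ok(candidate))
```

Feed the functions the text you captured from the cluster (for example over an SSH session) rather than the constructed samples; the generated passphrase only protects the keys if the copy you store outside the storage system is the only other copy.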

Encrypting volume data with NVE

You can enable encryption on a new volume or on an existing volume. You must have installed the NVE license and enabled onboard key management before you can enable volume encryption.

Choices
- Enabling encryption on a new volume on page 10
- Enabling encryption on an existing volume on page 10

Enabling encryption on a new volume

You can use the volume create command to enable encryption on a new volume.

About this task
You cannot enable encryption on a SnapLock volume.

Steps
1. Create a new volume and enable encryption on the volume:

   volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true

   For complete command syntax, see the man page for the command.

   Example
   The following command creates a volume named vol1 on aggr1 and enables encryption on the volume:

   cluster1::> volume create -vserver vs1 -volume vol1 -aggregate aggr1 -encrypt true

   The Onboard Key Manager creates an encryption key for the volume. Any data you put on the volume is encrypted.

2. Verify that the volume is enabled for encryption:

   volume show -is-encrypted true

   For complete command syntax, see the man page for the command.

   Example
   The following command displays the encrypted volumes on cluster1:

   cluster1::> volume show -is-encrypted true

Enabling encryption on an existing volume

You can use the volume move start command to enable encryption on an existing volume. You can use the same aggregate or a different aggregate.

Before you begin
You must be a cluster administrator to perform this task, or an SVM administrator to whom the cluster administrator has delegated authority.

See Delegating authority to run the volume move command on page 16.

About this task
You cannot enable encryption on a SnapLock volume.

Steps
1. Move an existing volume and enable encryption on the volume:

   volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-destination true|false

   For complete command syntax, see the man page for the command.

   Example
   The following command moves an existing volume named vol1 to the destination aggregate aggr2 and enables encryption on the volume:

   cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -encrypt-destination true

   The Onboard Key Manager creates an encryption key for the volume. The data on the volume is encrypted.

2. Verify that the volume is enabled for encryption:

   volume show -is-encrypted true

   For complete command syntax, see the man page for the command.

   Example
   The following command displays the encrypted volumes on cluster1:

   cluster1::> volume show -is-encrypted true

Managing NVE

You can unencrypt volume data, move an encrypted volume, rekey an encrypted volume, and delete an encrypted volume. You can change the key management passphrase, and back up key management information (including encrypted keys) manually.

Choices
- Unencrypting volume data on page 12
- Moving an encrypted volume on page 12
- Changing the encryption key for a volume on page 13
- Deleting an encrypted volume on page 14
- Changing the onboard key management passphrase on page 14
- Transitioning to onboard key management from external key management on page 15
- Backing up onboard key management information manually on page 16
- Delegating authority to run the volume move command on page 16

Unencrypting volume data

You can use the volume move start command to unencrypt volume data.

Before you begin
You must be a cluster administrator to perform this task, or an SVM administrator to whom the cluster administrator has delegated authority. See Delegating authority to run the volume move command on page 16.

Steps
1. Move an existing volume and unencrypt the data on the volume:

   volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-destination false

   For complete command syntax, see the man page for the command.

   Example
   The following command moves an existing volume named vol1 to the destination aggregate aggr3 and unencrypts the data on the volume:

   cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr3 -encrypt-destination false

   The Onboard Key Manager deletes the encryption key for the volume. The data on the volume is unencrypted.

2. Verify that the volume is disabled for encryption:

   volume show -encryption

   For complete command syntax, see the man page for the command.

   Example
   The following command displays whether volumes on cluster1 are encrypted:

   cluster1::> volume show -encryption

Moving an encrypted volume

You can use the volume move start command to move an encrypted volume. The moved volume can reside on the same aggregate or a different aggregate.

Before you begin
You must be a cluster administrator to perform this task, or an SVM administrator to whom the cluster administrator has delegated authority. See Delegating authority to run the volume move command on page 16.

About this task
The -encrypt-destination option for volume move start defaults to true for encrypted volumes. Requiring you to specify explicitly that you do not want the destination volume to be encrypted ensures that you do not inadvertently unencrypt the data on the volume.

Steps
1. Move an existing volume and leave the data on the volume encrypted:

   volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name

   For complete command syntax, see the man page for the command.

   Example
   The following command moves an existing volume named vol1 to the destination aggregate aggr3 and leaves the data on the volume encrypted:

   cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr3

2. Verify that the volume is enabled for encryption:

   volume show -is-encrypted true

   For complete command syntax, see the man page for the command.

   Example
   The following command displays the encrypted volumes on cluster1:

   cluster1::> volume show -is-encrypted true

Changing the encryption key for a volume

It is a security best practice to change the encryption key for a volume periodically. You can use the volume move start command to change the encryption key. The moved volume can reside on the same aggregate or a different aggregate.

Before you begin
You must be a cluster administrator to perform this task, or an SVM administrator to whom the cluster administrator has delegated authority. See Delegating authority to run the volume move command on page 16.

Steps
1. Move an existing volume and change the encryption key:

   volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -generate-destination-key true

   For complete command syntax, see the man page for the command.

   Example
   The
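Every move-based procedure above (enabling encryption, unencrypting, moving, rekeying) ends with a volume show check, and the guide's own caveat is that omitting -encrypt-destination keeps an encrypted volume encrypted while an explicit false silently strips it. The following Python is an added example and not code from the NetApp guide: it parses captured `volume show -fields vserver,volume,is-encrypted` output, reports data volumes that are not encrypted, and gives a post-move check for a single volume. The field names vserver, volume and is-encrypted are ONTAP's; the sample output is constructed, the tabular layout (header, dashed separator, rows, trailing "N entries were displayed." line) is an assumption, and the set of root volumes to skip is supplied by the operator because NVE cannot encrypt node root or SVM root volumes.

```python
"""Offline audit of captured `volume show -fields vserver,volume,is-encrypted`
output after a volume move. Added example, not NetApp code."""
import re

# Constructed sample (not captured from a real cluster). Layout assumed to
# follow ONTAP's -fields output: header, dashes, rows, entries trailer.
SAMPLE_OUTPUT = """\
vserver volume   is-encrypted
------- -------- ------------
vs1     vol1     true
vs1     vol2     false
vs1     vs1_root false
vs2     vol9     true
4 entries were displayed.
"""

SEPARATOR = re.compile(r"^[- ]+$")
TRAILER = re.compile(r"^\d+ entries? (was|were) displayed\.$")


def parse_fields_output(text):
    """Parse -fields tabular output into (rows, unparsed).

    rows is a list of dicts keyed by column name. Lines whose column count
    does not match the header go to unparsed instead of being dropped: a
    parser that drops rows can make an unencrypted volume vanish from an audit.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return [], []
    header = lines[0].split()
    rows, unparsed = [], []
    for line in lines[1:]:
        if SEPARATOR.match(line) or TRAILER.match(line):
            continue
        values = line.split()
        if len(values) != len(header):
            unparsed.append(line)
            continue
        rows.append(dict(zip(header, values)))
    return rows, unparsed


def unencrypted_data_volumes(text, root_volumes=frozenset()):
    """(vserver, volume) pairs whose is-encrypted is not true, minus root volumes.

    root_volumes holds (vserver, volume) pairs the operator knows to be node
    root or SVM root volumes, which NVE cannot encrypt. Unparsed lines are
    returned as findings too, so the audit cannot pass on malformed input.
    """
    rows, unparsed = parse_fields_output(text)
    findings = []
    for row in rows:
        key = (row["vserver"], row["volume"])
        if key in root_volumes:
            continue
        if row.get("is-encrypted", "").lower() != "true":
            findings.append(key)
    findings.extend(("<unparsed>", line) for line in unparsed)
    return findings


def is_encrypted(text, vserver, volume):
    """Post-move check: True only if the volume is listed with is-encrypted true.

    A volume that is absent from the output is reported as not encrypted,
    so a typo in the name cannot produce a false pass.
    """
    rows, _ = parse_fields_output(text)
    for row in rows:
        if (row["vserver"], row["volume"]) == (vserver, volume):
            return row.get("is-encrypted", "").lower() == "true"
    return False


if __name__ == "__main__":
    roots = {("vs1", "vs1_root")}
    for vserver, volume in unencrypted_data_volumes(SAMPLE_OUTPUT, roots):
        print(f"not encrypted: {vserver}:{volume}")
    print("vs1:vol1 encrypted after move:", is_encrypted(SAMPLE_OUTPUT, "vs1", "vol1"))
```

Run the audit against output captured from the cluster after each volume move; a volume that was moved with -encrypt-destination false shows up here, which is the check that catches an accidental unencrypt.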
