Friday, January 12, 2018

ONTAP 9.3 Volume Encryption



Configuring NetApp Volume Encryption

NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key accessible only to the storage system ensures that volume data cannot be read if the underlying device is repurposed, returned, misplaced, or stolen.


Both data, including Snapshot copies, and metadata are encrypted. Access to the data is controlled by a unique XTS-AES-256 key, one per volume. Either an external key management server or the Onboard Key Manager serves keys to the nodes:
  • The external key management server is a third-party system in your storage environment that serves keys to nodes using the Key Management Interoperability Protocol (KMIP).
  • The Onboard Key Manager is a built-in tool that serves keys to nodes from the same storage system as your data.

Configuring NVE

You must install the NVE license and configure key management services before you can encrypt data with NVE. Before installing the license, you should determine whether your ONTAP version supports NVE.

Determine whether your cluster version supports NVE:

> version -v

NVE is not supported if the command output displays the text "no-DARE" (for "no Data At Rest Encryption").

Check the VE license using the license show command.
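As an added example (not from the original post), the two prerequisite checks above turned into a repeatable pre-flight script. It inspects saved output of version -v and license show; the sample outputs are constructed and their exact format is an assumption, so adjust the matching to what your cluster prints.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for NVE.
# The outputs below are CONSTRUCTED samples of ONTAP cluster-shell commands;
# in practice capture them with e.g. `ssh admin@cluster version -v`.

# Constructed sample of `version -v` on a build without data-at-rest encryption
VERSION_NO_DARE='NetApp Release 9.3: <build date placeholder> (no-DARE)'
# Constructed sample of `version -v` on a build that supports NVE
VERSION_DARE='NetApp Release 9.3: <build date placeholder>'

# Constructed sample of `license show` with the VE package installed
LICENSE_WITH_VE='Package  Type     Description          Expiration
-------- -------- -------------------- -----------
Base     site     Cluster Base License -
VE       license  Volume Encryption    -'

# Constructed sample of `license show` without the VE package
LICENSE_WITHOUT_VE='Package  Type     Description          Expiration
-------- -------- -------------------- -----------
Base     site     Cluster Base License -'

# nve_supported_by_version OUTPUT: returns 0 when the release supports NVE,
# i.e. "no-DARE" does not appear anywhere in the `version -v` output.
nve_supported_by_version() {
  printf '%s\n' "$1" | grep -q 'no-DARE' && return 1
  return 0
}

# ve_licensed OUTPUT: returns 0 when a row whose package column is "VE"
# is present in the `license show` output.
ve_licensed() {
  printf '%s\n' "$1" | awk '$1 == "VE" { found = 1 } END { exit !found }'
}

# nve_ready VERSION_OUTPUT LICENSE_OUTPUT: reports the first failed
# prerequisite so the operator knows what to fix before running
# `security key-manager setup` and `volume create ... -encrypt true`.
nve_ready() {
  nve_supported_by_version "$1" || { echo "release is no-DARE: NVE unavailable"; return 1; }
  ve_licensed "$2" || { echo "VE license missing: install it first"; return 2; }
  echo "NVE prerequisites satisfied; run security key-manager setup next"
  return 0
}
```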

Then run the security key-manager setup command to set up the onboard or external key manager.

Select onboard or external.

Type the passphrase.

List the key-manager backup using the following command.

> security key-manager backup show


List each node's key information.

Create a new volume with the -encrypt true option. This creates the new volume with encryption enabled.

To list the encrypted volumes, use the following command.
