Information
Data-at-rest encryption is important to protect sensitive data in the event of a disk that is stolen, returned, or repurposed.
ONTAP 9 has two Federal Information Processing Standard (FIPS) 140-2-compliant data-at-rest encryption solutions:
- NetApp Storage Encryption (NSE) is a hardware solution that makes use of self-encrypting drives.
- NetApp Volume Encryption (NVE) is a software solution that enables encryption of any data volume on any drive type where it is enabled.
NSE and NVE can make use of either external key management or the onboard key manager (OKM). Use of NSE or NVE does not affect ONTAP storage efficiency features. However, NVE volumes are excluded from aggregate inline dedupe.
The OKM provides a self-contained encryption solution for data at rest with NSE or NVE.
NVE and OKM make use of the ONTAP CryptoMod. CryptoMod is now listed on the CMVP FIPS 140-2 validated modules list. See FIPS 140-2 Cert# 3072 (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3072).
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To begin OKM configuration, use the security key-manager setup command, which is used to configure both key management methods supported by ONTAP: OKM and the Key Management Interoperability Protocol (KMIP). KMIP is the external key management option. For onboard key management, this configuration walks the operator or administrator through the passphrase setup and additional parameters for configuring OKM.