NetApp Knowledge Base

Can AWS KMS support NetApp Volume Encryption?

Category:
cloud-volumes-ontap-cvo
Specialty:
cloud

Applies to

Cloud Volumes ONTAP
AWS

Answer

 
  1. Are there any platform requirements?

Yes. NVE and NAE require that the controller CPU provide an offload called AES-NI. The controllers that have the required offload are FAS2620, FAS2650, FAS6280, FAS6290, FAS8020, FAS8040, FAS8060, FAS8080, FAS8200, FAS9000, AFF A200, AFF A300, AFF A700, AFF A700s, and all new controllers introduced with ONTAP 9.1 and later.

The instance type selected for the CVO nodes must therefore support AES-NI.

According to Intel's document "Amazon Elastic Compute Cloud (Amazon EC2) Cloud Computing Instances Powered by Intel", these instance types include:

  • Compute Optimized C5
  • General Purpose M5N, M5DN
  • Memory Optimized R5N, R5DN
  • High Memory 18TIB, 24TIB

However, for external key server implementation, CVO and ONTAP both require an external KM server that supports the Key Management Interoperability Protocol (KMIP).

AWS KMS does not natively support KMIP, so it cannot be used as an external key manager server for CVO.

Additional Information

The only supported external key manager solutions are listed on the NetApp Interoperability Matrix.