Are encrypted blocks that are cold also encrypted when tiered?
Applies to
- ONTAP 9
- Encryption
- FabricPool
Answer
Security
FabricPool maintains AES-256-GCM encryption on the local tier, on the cloud tier, and over the wire when moving data between the tiers.
Local tier
- FabricPool supports NetApp Storage Encryption (NSE), NetApp Volume Encryption (NVE), and NetApp Aggregate Encryption (NAE).
- None of NSE, NVE, or NAE is required to use FabricPool.
Over the wire
- Objects moving between the local and cloud tiers are encrypted in transit with TLS 1.2 using AES-256-GCM.
- Other encryption modes, such as CCM, are not supported. Encryption adds some latency to object-store connectivity because the object store must spend CPU cycles decrypting the data.
- Communicating with object stores without TLS encryption is supported but is not recommended.
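As an added example (not NetApp's code or part of this article), a small Python pre-flight check an administrator could run from a host that can reach the object-store endpoint: it builds a TLS client context restricted to TLS 1.2 with AES-256-GCM cipher suites, the combination this article says FabricPool uses, so an endpoint that only offers other modes such as CCM fails the handshake instead of silently negotiating something weaker. The endpoint hostname and port are assumptions.

```python
"""Pre-flight TLS check for a FabricPool object-store endpoint (added example)."""
import socket
import ssl

# TLS 1.2 suites that use AES-256-GCM; CCM and AES-128 suites are deliberately absent.
AES256_GCM_SUITES = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384"
)


def strict_fabricpool_context() -> ssl.SSLContext:
    """Client context pinned to TLS 1.2 and AES-256-GCM, with normal cert validation."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(AES256_GCM_SUITES)
    return ctx


def configured_tls12_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of the TLS 1.2 suites the context would offer (for auditing the config)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def cipher_is_acceptable(name: str) -> bool:
    """True only for AES-256-GCM suites (OpenSSL or IANA spelling); CCM is rejected."""
    upper = name.upper()
    return ("AES256-GCM" in upper or "AES_256_GCM" in upper) and "CCM" not in upper


def handshake_is_compliant(version: str, cipher: str) -> bool:
    """Decision rule applied to a negotiated (version, cipher) pair."""
    return version == "TLSv1.2" and cipher_is_acceptable(cipher)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to the object-store endpoint and report what was negotiated.

    Raises ssl.SSLError if the endpoint cannot satisfy TLS 1.2 + AES-256-GCM."""
    ctx = strict_fabricpool_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
            cipher, _proto, bits = tls.cipher()
            return {"version": version, "cipher": cipher, "bits": bits,
                    "compliant": handshake_is_compliant(version, cipher)}


if __name__ == "__main__":
    # Assumed endpoint name; replace with your object store's FQDN.
    print(probe("objectstore.example.invalid"))
```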
Cloud tier
- All objects encrypted by NVE/NAE remain encrypted when moved to the cloud tier.
- Client-side encryption keys are owned by ONTAP.
Additional Information
Refer to FabricPool Best Practices