FAQ - NetApp Volume Encryption and NetApp Aggregate Encryption
Applies to
- ONTAP 9
- NetApp Volume Encryption (NVE)
- NetApp Aggregate Encryption (NAE)
Frequently Asked Questions
Overview
- What are the software-based encryption capabilities in ONTAP?
- How do NetApp Volume Encryption (NVE) and NetApp Aggregate Encryption (NAE) encrypt data?
Requirements
- Which hardware platforms support software-based encryption (NVE and NAE)?
- How do I determine if my cluster version supports NVE and NAE?
  - For more information, visit product documentation: Determine whether your cluster version supports NVE
- Are NVE and NAE licensed features?
- How do I confirm ONTAP is running a version that prevents the use of encryption?
- Which key managers are available with NVE and NAE?
  - For more information, visit product documentation: Understanding NVE
- Which external key managers are compatible with NVE and NAE?
  - How to determine which External Key Managers are supported by ONTAP
- Can a system using NSE with an external key manager also use NVE and NAE?
- Do NVE and NAE require encryption on all volumes?
- Can I use NSE drives with NVE and NAE?
- Can NVE be used in a mixed platform cluster with platforms that do not support NVE?
Architecture
- What data is encrypted with NVE and NAE?
- Are ONTAP storage efficiencies maintained when software-based encryption (NVE or NAE) is in use?
- Do NVE and NAE work with aggregate deduplication?
- What type of algorithms do NVE and NAE use for encrypting data?
- Are Snapshot copies encrypted?
- Are FlexClone volumes encrypted?
- Can FlexClone volumes be encrypted with a different encryption key than the original volume?
- Are data volume encryption keys reused?
- Can I assign a specific encryption key to a data volume?
- If I use NetApp SnapMirror to mirror my encrypted volume to a different cluster, is the same encryption key used at the destination?
- Do NVE and NAE encrypt data in flight?
- Does NVE encrypt data during transfer when using SnapMirror?
- Are NetApp Volume Encryption keys replicated across clusters?
- Where are NVE and NAE encryption keys stored?
- What is Trusted Platform Module (TPM)?
- Does NetApp Volume Encryption have to be enabled on both source and destination volumes of a SnapMirror relationship?
- Are NetApp Volume Encryption and NetApp Aggregate Encryption FIPS 140-2 Validated?
- Is there a special procedure or mechanism to protect against data spillage from prior to enabling NVE or NAE?
- Can deleted files be non-disruptively purged from NVE volumes?
- Does NVE support the use of external KMIP servers to store and secure encryption keys?
Configuration
- How to encrypt a new data volume?
  - For more information, visit product documentation: Enable encryption on a new volume
- Can I encrypt existing data volumes?
  - For more information, visit product documentation: Enable encryption on an existing volume with the volume move start command
- Can I encrypt an existing data volume in place (without a volume move)?
  - For more information, visit product documentation: Enable encryption on an existing volume with the volume encryption conversion start command
- Can I encrypt an existing volume in place with NAE in ONTAP 9.6?
- How to realize aggregate deduplication space savings after moving NVE volumes to NAE volumes?
- How to unencrypt an NVE volume?
- How to unencrypt an NAE volume?
- How can I view the progress of the volume encryption conversion start command?
- Can I do a volume move while an active NVE volume encryption start is running?
- If a volume encryption is paused and resumed, will the conversion continue where it left off?
- Is it possible to tune the volume encryption conversion process?
- Is there a maximum number of simultaneous volume encryption conversion processes that can be run at one time?
- Can I instantaneously delete an NVE volume encryption key without deleting the volume?
- Can I instantaneously delete an NAE aggregate encryption key without deleting the NAE volumes?
- Are any additional steps needed after an encrypted volume is created to ensure that the data is encrypted?
- Can an existing encrypted volume have the encryption key changed or rekeyed?
- How can I know the last time a volume was rekeyed?
- Do I have to encrypt all of my data volumes when using NetApp Volume Encryption?
- How can I confirm if a volume is encrypted?
- How do I transition from the onboard key manager to an external key manager, or conversely?
- How can I require a prompt for the OKM passphrase at controller reboot?
- Why do I get an error creating an NVE volume with -encrypt false when OKM is initialized with -enable-cc-mode true?
- What are the circumstances where an external key manager is contacted by a node?
- How does ONTAP behave when the external key manager is not accessible?
- What happens with NVE and NAE volumes if the external key manager is not available during node giveback?
- Where can I download an NVE and NAE capable ONTAP image?
- What happens when I install an ONTAP non-NVE-capable release over an ONTAP release that is NVE-capable?
- How can I switch to an NVE or NAE-capable version of ONTAP from a non-NVE/NAE-capable version?
- How can I enable NVE by default for newly created volumes?
Performance
- What is the performance impact of NVE and NAE?
- Do certain platforms perform better with NVE and NAE?
- Is there a performance difference between SSDs and HDDs while using NVE and NAE?
- Is there a performance impact on non-encrypted volumes when using NVE or NAE?
- How do I gauge the impact of enabling NVE or NAE on an existing system?
Interoperability
- Can I use NVE and NAE with MetroCluster?
- Can I use NVE and NAE with ONTAP Select?
- Can I use NVE and NAE with NetApp FlexArray software?
- Can I use NVE and NAE with Cloud Volumes ONTAP?
- Are NVE and NAE supported for NetApp Flash Cache cards?
- Is data in NetApp Flash Pool intelligent caching encrypted by NVE and NAE?
- Are NetApp SnapLock software and NetApp ONTAP FlexGroup volumes compatible with NVE and NAE?
- What are the restrictions with FlexGroup volumes and NAE?
- Are external (KMIP) key managers compatible with NVE and NAE?
- Are clustered key managers supported with ONTAP for NVE and NAE?
- Are NVE and NAE supported with backup applications?
- Do NVE and NAE support drive partitioning features such as ADP?