Skip to main content
NetApp Knowledge Base

FAQ - NetApp Volume Encryption and NetApp Aggregate Encryption

Views:
54,074
Visibility:
Public
Votes:
96
Category:
ontap-9
Specialty:
CORE
Last Updated:

 

Applies to

  • ONTAP 9
  • NetApp Volume Encryption (NVE)
  • NetApp Aggregate Encryption (NAE)

Frequently Asked Questions

Overview
What are the software-based encryption capabilities in ONTAP?
NetApp Volume Encryption (NVE)
  • Per Volume, Software-based, data-at-rest encryption solution
  • Available starting with NetApp ONTAP 9.1
  • Allows ONTAP to encrypt data and to have that data stored on disk without requiring self-encrypting drives.
  • Allows customers to use storage efficiency features that would be lost if the customer decided to encrypt at the application layer.
  • Customers can use any existing disk with NVE, which also includes NetApp Storage Encryption (NSE) drives for double or layered encryption.
NetApp Aggregate Encryption (NAE)
  • An enhancement of the software-based NVE data-at-rest solution.
  • Available starting with ONTAP 9.6.
  • NAE enables use of aggregate deduplication for greater storage efficiency.
  • Allows ONTAP to encrypt data for each volume with the keys shared for the aggregate.

 

Note: NVE and NAE are the only options available for encrypting data in NetApp MetroCluster software and ONTAP Select.

What are the software-based encryption capabilities in ONTAP?

How does NetApp Volume Encryption (NVE) and NetApp Aggregate Encryption (NAE) encrypt data?
NVE and NAE is comprised of three Components:
  • Software Cryptographic Module (CryptoMod)
  • Performs the data encryption operations and generates encryption keys for the volumes (see Figure 1).

Figure 1) NVE and NAE encrypt/decrypt flow

1086920-1.png

  • Performs the data encryption at the RAID layer, which allows the storage efficiencies to work. After a read operation, data is unencrypted when the data leaves the RAID layer.
  • Encryption Keys
  • A unique XTS-AES-256 data encryption key is generated for each volume or aggregate for NVE and NAE respectively.
  • When using the onboard key manager (OKM), an encryption key hierarchy is used to encrypt and protect all volume or aggregate keys. These encryption keys are never displayed, shown, or reported in an unencrypted format.
  • Key Manager
  • Stores all encryption keys used by ONTAP
  • Can be the onboard key manager (OKM) or an external key manager that uses the OASIS Key Management Interoperability Protocol (KMIP).

 

Comparison with NetApp Storage Encryption
  • NSE requires all drives in an HA pair to be purpose-built, self-encrypting drives. These drives perform the data encryption themselves through a hardware-accelerated mechanism. Because of the hardware acceleration, NSE systems usually outperform NVE systems when encrypting data.
  • NSE drives are FIPS 140-2 level 2 validated, and the CryptoMod used by NVE and NAE are FIPS 140-2 level 1 validated. FIPS 140-2 level 1 is the highest attainable level for a software module.

Note: The software CryptoMod generates authentication keys for the self-encrypting drives

How does NVE and NAE encrypt data?

Requirements
Which hardware platforms support software-based encryption (NVE and NAE)?
  • All new hardware platforms introduced with ONTAP 9.1 and later support NetApp Volume Encryption (NVE).
  • ONTAP 9.6 and later support NetApp Aggregate Encryption (NAE) .
  • The following platforms introduced in prior versions of ONTAP also support NVE and NAE:
    • FAS2620
    • FAS2650
    • FAS6280
    • FAS6290
    • FAS8020
    • FAS8040
    • FAS8060
    • FAS8080
    • FAS8200
    • FAS9000
    • AFF A200
    • AFF A300
    • AFF A700
    • AFF A700s
Which hardware platforms support software-based encryption?
How do I determine if my cluster version supports NVE and NAE?

For more information, visit product documentation: Determine whether your cluster version supports NVE

Is NVE and NAE a licensed feature?

Although NetApp Volume Encryption (NVE) is included in ONTAP 9.x at no extra charge, it is a Global Trade Compliance (GTC) controlled item, meaning it must not be distributed to certain "block list" countries and entities.

For GTC to track all requests for NVE and properly control its distribution, a sales representative must be engaged and a license must be obtained through the quote tool. Since some existing systems can support NVE, sales personnel will need to fill out the required information to obtain a license for that cluster through the quote tool. The quote tool will send the request to GTC, and GTC will check if the destination for that license is allowed to utilize NVE. If NVE is allowed, the order will go through and the NVE license will be granted, similar to how other add-on licenses are granted for ONTAP today.

NVE distribution will also be controlled through specific builds of ONTAP.  When new systems are sold with ONTAP 9.1, if they are shipped to locations within GTC acceptable countries, then the NVE-enabled build of ONTAP 9.1 will be shipped and the NVE license key will be installed to enable the feature. For shipments to GTC blocked countries, the non-NVE-enabled build of ONTAP 9.1 will be shipped and it will not accept any form of NVE license keys (e.g., eval, site or perpetual).

If NVE is not allowed, the order will be kicked back to the sales representative, indicating that NVE cannot be sold into that country or to that entity.

Are NVE and NAE licensed features?

How do I confirm ONTAP is running a version that prevents the use of encryption?

How do I confirm ONTAP is running a version that prevents the use of encryption?

Which key managers are available with NVE and NAE?

For more information, visit product documentation: Understanding NVE

Which external key managers are compatible with NVE and NAE?
  1. Navigate IMT
  2. Log in using Support Site credentials
  3. Select Solution Search
  4. In the Solution Catalog section, type in Key

clipboard_eb1058c68410334f6ebdff7dc027d163d.png

  1. Click on Key Managers to add it as a selected solution
  2. Click View Refine Search Criteria >>
  3. Select appropriate ONTAP version
  4. Click blue clipboard_ef9a5348d9418a04254132e39aaed9492.pngsymbol to see which Key Manager and Key Manager software versions are supported

How to determine which External Key Managers are supported by ONTAP

Can a system using NSE with an external key manager also use NVE and NAE?
  • With ONTAP 9.3, the external key manager can be used for both the NetApp Storage Encryption (NSE) drives and NetApp Volume Encryption (NVE).
  • NAE is introduced in ONTAP 9.6.

Can a system using NSE with an external key manager also use NVE and NAE?

Do NVE and NAE require encryption on all volumes?
  • With NVE, you can choose which volumes are encrypted and which are not.
  • With an NAE aggregate, unencrypted volumes are not allowed.  All volumes on an NAE aggregate must be either NAE encrypted or NVE encrypted.

Do NVE and NAE require encryption on all volumes?

Can I use NSE drives with NVE and NAE?

Yes. NVE and NAE allow you to add a layer of encryption on top of what the NSE drives already provide.

Can I use NSE drives with NVE and NAE?

Can NVE be used in a mixed platform cluster with platforms that do not support NVE?
  • Yes, with the following limitations:
    • You can have mixed platforms per the Support Platform Mixing information available in the Interoperability Matrix Tool.
    • Both platforms in the high availability (HA) pair must be NVE and NAE capable.
    • The non-NVE-capable platforms in the cluster are not able to host encrypted volumes.

Can NVE be used in a mixed platform cluster with platforms that do not support NVE?

Architecture
What data is encrypted with NVE and NAE?
NVE and NAE
  • For both NVE and NAE, anything that is part of the data volume is encrypted, including NetApp Snapshot™ copies and clones.
  • NetApp FlexClone® volumes are encrypted with the same key as the original volume.

 

NVE
  • For NVE, data volumes, specifically NetApp FlexVol® volumes, metadata volumes (MDV) for MetroCluster, and existing controller root volumes (vol0) can be encrypted.
  • Storage virtual machine (SVM) root volumes can be encrypted with NVE starting with ONTAP 9.14.1.

 

NAE
  • For NAE, data volumes, storage virtual machine (SVM) root volumes, and Metadata Volume (MDV) for MetroCluster are encrypted.  Controller root volumes (vol0) are not encrypted with NAE.
What data is encrypted with NAE and NVE?
Are ONTAP storage efficiencies maintained when software-based encryption (NVE or NAE) is in use?
  • Yes. As depicted in Figure 1 below, the Cryptographic Module performs data encryption at the RAID layer.
  • This allows storage efficiencies to stay in place because they are performed before the encryption functions.

Figure 1) NVE and NAE encrypt/decrypt flow

1086920-1.png

Note: For aggregate-level deduplication, refer to Does NVE and NAE work with aggregate deduplication?

Are ONTAP storage efficiences maintained when software-based encryption is in use?
Does NVE and NAE work with aggregate deduplication?
  • NetApp Aggregate Encryption (NAE) volumes participate in aggregate deduplication savings.
  • NetApp Volume Encryption (NVE) volumes can exist in aggregated deduplicated aggregates, however the NVE volumes do not participate in the aggregate deduplication savings (the NVE volumes are ignored). 
Does NVE and NAE work with aggregate deduplication?
What type of algorithms do NVE and NAE use for encrypting data?
  • NVE and NAE data-at-rest encryption uses XTS-AES-256.
  • The keys required for XTS-AES-256 are generated using a NIST SP800-90A DRBG in CTR_DRBG mode with predictive resistance and health checks always on.
What type of algorithms do NVE and NAE use for encrypting data?
Are Snapshot copies encrypted?
NVE and NAE
  • For both NVE and NAE, anything that is part of the data volume is encrypted, including NetApp Snapshot™ copies and clones.
  • NetApp FlexClone® volumes are encrypted with the same key as the original volume.

 

NVE
  • For NVE, data volumes, specifically NetApp FlexVol® volumes, metadata volumes (MDV) for MetroCluster, and existing controller root volumes (vol0) can be encrypted.
  • Storage virtual machine (SVM) root volumes can be encrypted with NVE starting with ONTAP 9.14.1.

 

NAE
  • For NAE, data volumes, storage virtual machine (SVM) root volumes, and Metadata Volume (MDV) for MetroCluster are encrypted.  Controller root volumes (vol0) are not encrypted with NAE.
What data is encrypted with NAE and NVE?
Are FlexClone volumes encrypted?
NVE and NAE
  • For both NVE and NAE, anything that is part of the data volume is encrypted, including NetApp Snapshot™ copies and clones.
  • NetApp FlexClone® volumes are encrypted with the same key as the original volume.

 

NVE
  • For NVE, data volumes, specifically NetApp FlexVol® volumes, metadata volumes (MDV) for MetroCluster, and existing controller root volumes (vol0) can be encrypted.
  • Storage virtual machine (SVM) root volumes can be encrypted with NVE starting with ONTAP 9.14.1.

 

NAE
  • For NAE, data volumes, storage virtual machine (SVM) root volumes, and Metadata Volume (MDV) for MetroCluster are encrypted.  Controller root volumes (vol0) are not encrypted with NAE.
What data is encrypted with NAE and NVE?
Can FlexClone volumes be encrypted with a different encryption key than the original volume?
  • Yes. The FlexClone volume must first be split from the original volume.
  • A warning message tells the user to perform a volume move to give the split clone a new encryption key.
  • After the user performs the volume move, the split clone has a new encryption key.
Can FlexClone volumes be encrypted with a different encryption key than the original volume?
Are data volume encryption keys reused?
  • No. With NVE, each data volume key is unique to that volume.
  • With NAE, data volumes share unique aggregate data encryption keys.
Are data volume encryption keys reused?
Can I assign a specific encryption key to a data volume?
  • No. For NVE, encryption keys are automatically generated when the volume is created.
  • For NAE, encryption keys are automatically generated when the aggregate is created.
Can I assign a specific encryption key to a data volume?
If I use NetApp SnapMirror to mirror my encrypted volume to a different cluster, is the same encryption key used at the destination?
  • No. For NVE, the destination volume is its own volume and has its own unique key.
  • For NAE, the destination volume is its own volume and has its own unique aggregate keys.
If I use NetApp SnapMirror to mirror my encrypted volume to a different cluster, is the same encryption key used at the destination?
Does NVE and NAE encrypt data in flight?
  • No. NVE and NAE are specifically for data that is stored on disk.
  • Another feature, Cluster Peer Encryption (CPE) is introduced in ONTAP 9.6 to encrypt data in flight for SnapMirror, SnapVault, and FlexCache.
Does NVE and NAE encrypt data in flight?
Does NVE encrypt data during transfer when using SnapMiror?

No. NetApp SnapMirror® sits above the NetApp WAFL® layer, and thus the data sent by SnapMirror is not encrypted by NVE or NAE.

Does NVE encrypt data during transfer when using SnapMirror?
Are NetApp Volume Encryption keys replicated across clusters?
Are NetApp Volume Encryption keys replicated across clusters?
Where are NVE and NAE encryption keys stored?
  • With the onboard key manager, data volume encryption keys and aggregate keys are stored in the WAFL metadata, which is not accessible by the user, and the volume location database (VLDB).
  • With an external key manager, data volume encryption keys and aggregate keys are stored directly on the KMIP server.
Where are NVE and NAE encryption keys stored?
What is Trusted Platform Module (TPM)?
  • The Trusted Platform Module (TPM) is a chip on a FAS or AFF storage controller motherboard
  • Platforms with a TPM chip and TPM license will generate and seal the node key encryption key to protect the highest level of the OKM keying hierarchy in ONTAP 9.8
What is Trusted Platform Module (TPM)?
Does NetApp Volume Encryption have to be enabled on both source and destination volumes of a SnapMirror relationship?
  • No, the source volume and destination volume can have different encryption settings.
  • Source and destination volumes can be a mixture of NVE, NAE, or plaintext volumes.
Does NetApp Volume Encryption have to be enabled on both source and destination volumes of a SnapMirror relationship?
Are NetApp Volume Encryption and NetApp Aggregate Encryption FIPS 140-2 Validated?
  • NVE and NAE are FIPS 140-2 compliant.
  • The Cryptographic Module used by NetApp Volume Encryption (NVE), NetApp Aggregate Encryptoin (NAE), and Onboard Key Manager (OKM) is FIPS 140-2 level 1 validated.
Are NetApp Volume Encryption and NetApp Aggregate Encryption FIPS 140-2 Validated?
Is there a special procedure or mechanism to protect against data spillage from prior to enabling NVE or NAE?
  • No, sensitive data that was on a disk before NVE and NAE were enabled could still be present because of wear-leveling in solid-state drives (SSDs).
  • This problem is not unique to NetApp; any vendor using SSDs has this same problem.
Is there a special procedure or mechanism to protect against data spillage from prior to enabling NVE or NAE?
Can deleted files be non-disruptively purged from NVE volumes?
  • Use the secure purge command to non-disruptively scrub data on NVE-enabled volumes.
Can deleted files be non-disruptively purged from NVE volumes?
Does NVE support the use of external KMIP servers to store and secure encryption keys?
  • Yes, one or more KMIP servers can be used to store and secure keys that the cluster uses to access encrypted data.
  • Beginning with ONTAP 9.6, KMIP servers can be used to store and secure the keys a given SVM uses to access encrypted data.
Does NVE support the use of external KMIP servers to store and secure encryption keys?
Configuration
How to encrypt a new data volume?

For more information, visit product documentation: Enable encryption on a new volume

Can I encrypt existing data volumes?

For more information, visit product documentation: Enable encryption on an existing volume with the volume move start command

Can I encrypt an existing data volume in place (without a volume move)?

For more information, visit product documentation: Enable encryption on an existing volume with the volume encryption conversion start command

Can I encrypt an existing volume in place with NAE in ONTAP 9.6?
Prerequisites
  • ONTAP 9.6 or later
  • Volume Encryption (VE) license
  • key manager (onboard or external)
  • Available space in the aggregate to convert the SVM-root from plain text to NAE volume

The following steps will guide you through converting plain text existing aggregates to NAE.

1. NAE aggregates do not support plain-text volumes; thus, it is necessary to convert plain-text volumes to NVE (NetApp Volume Encryption) first:

Encrypt in-place from plain-text volume to NVE​​​​​​

OR

Encrypt to NVE by moving the volume to another aggregate

Note: You can volume move to the same aggregate as the destination

2. SVM root must also be encrypted before converting aggregate to NAE. Use volume move start to accomplish this.

•  Volume move the SVM root volumes to another data aggregate:
::> volume move start -volume <svm_root> -destination-aggregate <aggr_dest>

•  Volume move the SVM back to the original aggregate:::> volume move start -volume <svm_root> -destination-aggregate <aggr_src> -encrypt-with-aggr-key true

3. Convert the aggregate to NAE.

::> storage aggregate modify -aggregate aggr1 -encrypt-with-aggr-key true

4. Then, convert the rest of the volumes to NAE volumes. Run the volume move start command to convert each volume within aggregate from NVE to NAE.

::> volume move start -vserver svm1 -volume vol_with_nve -destination-aggregate aggr1 -encrypt-with-aggr-key true

[Job 92] Job is queued: Move "vol_with_nve" in Vserver "svm1" to aggregate "aggr1". Use the "volume move show -vserver svm1 -volume vol_with_nve" command to view the status of this operation.

•  Allow the volume move command to finish. This will take a varying amount of time depending upon the amount of data within the volume and the available resources of the cluster.

::> volume move show -vserver svm1 -volume vol_with_nve -fields state
vserver volume       state
------- ------------ -----
svm1    vol_with_nve done

5. This is optional, but one of the main benefits of NAE. On AFF aggregates, configure aggregate level inline deduplication settings for the volume.

::> volume efficiency modify -vserver svm1 -volume vol_with_nve -cross-volume-inline-dedupe true -cross-volume-background-dedupe true

6. To confirm all volumes are NAE:

::> volume show -fields encryption-type -aggregate aggr1
vserver volume           encryption-type
------- ------------     ---------------
svm1    vol_with_nve     aggregate
svm1    vol_without_nve  aggregate
2 entries were displayed.

How to convert plain text aggregate to NAE?

How to realize aggregate deduplication space savings after moving NVE volumes to NAE volumes?

1.  Set privilege level to advanced:

::> set adv

2.  Enable cross-volume-background-dedupe on all NAE volumes:

::*> volume efficiency modify -vserver <vserver_name> -volume <vol_name> -cross-volume-background-dedupe true

3.  Enable cross-volume-inline-dedupe on all NAE volumes:

::*> volume efficiency modify -vserver <vserver_name> -volume <vol_name> -cross-volume-inline-dedupe true

4.  Run volume-level background dedupe on all NAE volumes and wait for completion of all volumes:

::*> volume efficiency start -volume <vol_name> -vserver <vserver_name> -scan-old-data true -dedupe true

::*> volume efficiency show

5.  Run cross-volume background dedupe:

::*> storage aggregate efficiency cross-volume-dedupe start -aggregate <aggr_name> -scan-old-data true

::*> storage aggregate efficiency cross-volume-dedupe show

 

How do I realize aggregate deduplication space savings after moving NVE volumes to NAE volumes?

How to unencrypt an NVE volume?
  • Follow the Unencrypt volume data section of ONTAP documentation to unencrypt an NVE volume with the volume move start command

Note: NAE aggregates cannot contain unencrypted volumes, they can only contain NVE or NAE encrypted volumes. 

How do I unencrypt an NVE volume?

How to unencrypt an NAE volume?
  • Perform one of the following steps:
  1. Use another aggregate:
    1. Move the volumes to another non-NAE aggregate and convert them to plain text volumes. To do this, you would use the volume move commands with the parameter -encrypt-destination false -encrypt-with-aggr-key false.
  2. Use the same aggregate:
    • Assuming you have space in the existing NAE aggregate, move the volumes to convert them from NAE to NVE (which NAE aggregates do allow) in the same aggregate. To do this, use the volume move command with the parameter -encrypt-with-aggr-key false.
    • After all the volumes are all NVE and no NAE encrypted volumes exist, run the command to disable NAE on the aggregate aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key false.  Make sure that no aggregate Snapshot copies exist, or it will fail.
    • Move the NVE volumes to unencrypt them and convert from NVE to plain text with -encrypt-destination false.
  • See the following if unencrypting a SVM root or MDV CRS volume:

How to disable NAE aggregate-level encryption with an SVM root volume and MDV_CRS volume

How do I unencrypt an NAE volume?

How can I view the progress of the volume encryption conversion start command?

How can I view the progress of the volume encryption conversion start command?

Can I do a volume move while an active NVE volume encryption start is running?
  • Yes.  If volume encryption conversion show displays a 'running' status, a volume encryption conversion pause command must be issued and a volume move start with -encrypt-destination true will start the volume move with a new volume data encryption key.
  • If volume encryption conversion show displays the status in phase 2, a volume move start with -encrypt-destination true can be started without pausing.
  • All of this is also true for a volume move on an active volume encryption rekey start.

Can I do a volume move while an active NVE volume encryption start is running?

If a volume encryption is paused and resumed, will the conversion continue where it left off?

No. The conversion will start from the beginning. Starting with ONTAP 9.12.1, the conversion will continue where it left off.

If a volume encryption is paused and resumed, will the conversion continue where it left off?

Is it possible to tune the volume encryption conversion process?

Article covers basic NetApp Volume Encryption (NVE) questions when using volume encryption conversion and volume encryption rekey commands to convert an existing volume from unencrypted to encrypted or rekey an existing encrypted volume.

Is it possible to change how many volume conversion jobs can be running per node?
  • There is no way to tune NVE conversion process. 
  • It is recommended to initiate no more than 4 conversion jobs per node at one time.
Is there a way to increase the priority of NVE conversion job?
  • There is no way to change priority of the NVE conversion process. ONTAP gives priority to data access operations over NVE process.
  • Decreasing workload on the storage system increases the priority of conversion job(s).

Note: It is recommended to have no more than four combined encryption conversions or encryption volume moves per node at the same time.
 
Example:

Two volume conversions and two volume encryption moves on a single node are within the recommendation, but four volume conversions and four volume encryption moves on a single node would not be recommended.

Is it possible to tune the volume encryption conversion process?

Is there a maximum number of simultaneous volume encryption conversion processes that can be run at one time?

No, but it is it is recommended to have no more than 4 combined encryption conversions or encryption volume moves per node at the same time.

Is there a maximum number of simultaneous volume encryption conversion processes that can be run at one time?

Can I instantaneously delete an NVE volume encryption key without deleting the volume?
  • The volume encryption key is deleted with the volume until the volume's retention period expires.
  • The retention period is a standard ONTAP volume feature.
  • Until the retention period expires, the data remains encrypted on disk.

Can I instantaneously delete an NVE volume encryption key without deleting the volume?

Can I instantaneously delete an NAE aggregate encryption key without deleting the NAE volumes?
  • For an NAE volume, when the volume is deleted, nothing is done from the key perspective.
  • The aggregate keys will continue to exist until the point there exists at least one volume of any type (NVE or NAE) in the aggregate.
  • The aggregate keys are deleted upon last volume deletion after the retention period expires. If an NAE volume is created again, the aggregate keys are newly created again. These keys will be different than the set of keys that previously existed on this aggregate. 

Can I instantaneously delete an NAE aggregate encryption key without deleting the NAE volumes? 

Are any additional steps needed after an encrypted volume is created to ensure that the data is encrypted?
  • No. If the volume was created with encryption enabled, ONTAP makes sure that the data within that volume is encrypted
  • This can be verified with the volume show -is-encrypted true command:

cluster2::> volume show -is-encrypted true

Vserver  Volume  Aggregate  State  Type  Size  Available  Used
-------  ------  ---------  -----  ----  -----  --------- ----
vs1      vol1    aggr2     online    RW  200GB    160.0GB  20%

Are any additional steps needed after an encrypted volume is created to ensure that the data is encrypted?

Can an existing encrypted volume have the encryption key changed or rekeyed?
  • Yes for NVE
  • NAE does not support rekeying

Note: Rekeying is non-disruptive in nature and does not pose any risk of data loss.

Can an existing encrypted volume have the encryption key changed or rekeyed?

How can I know the last time a volume was rekeyed?

Starting with ONTAP 9.11.1, encryption key creation time is part of the volume show CLI command output for both NVE and NAE volumes.

How can I know the last time a volume was rekeyed?

Do I have to encrypt all of my data volumes when using NetApp Volume Encryption?

No. NetApp Volume Encryption (NVE) lets you choose which data volumes are encrypted.

Do I have to encrypt all of my data volumes when using NetApp Volume Encryption?

How can I confirm if a volume is encrypted?
  • The volume show command with the -is-encrypted true option will display a list of the currently encrypted volumes.
  • For 9.6 and later, the volume show command with -encryption-type <none|volume|aggregate> will list the volumes that are not encrypted, NetApp Volume Encryption (NVE) encrypted, or NetApp Aggregate Encryption (NAE) encrypted.

How can I confirm if a volume is encrypted?

How do I transition from the onboard key manager to an external key manager, or conversely?
  1. Perform one of the following steps for the appropriate encryption type:
    1. NetApp Storage Encryption (NSE):
      • Reset the authentication keys to the default manufacturer secure ID (MSID), 0x0.
    2. NetApp Volume Encryption (NVE): 
      • Unencrypt all volumes
    3. NetApp Aggregate Encryption (NAE):
      • Move all NAE or NVE volumes to a non-NAE aggregate as non-encrypted.
  2. If you're coming from OKM, delete the OKM configuration and create the external key manager configuration.
  3. If you're coming from the external key manager, delete the external key manager configuration and create the OKM configuration.
  4. Finally, set authentication keys for NSE drives and encrypt required volumes with NVE.

How do I transition from the onboard key manager to an external key manager, or conversely?

How can I require a prompt for the OKM passphrase at controller reboot?
  • You can opt to require the OKM passphrase by using the -enable-cc-mode true option with the security key-manager setup command.
  • This can be turned on prior to moving a controller and disk shelves and turned off after the move is complete.
  • Starting with ONTAP 9.6, the command is security key-manager onboard enable -cc-mode-enabled yes

How can I require a prompt for the OKM passphrase at controller reboot?

Why do I get error creating an NVE volume with -encrypt false when OKM initialized with -enable-cc-mode true?

When OKM is initialized with -enable-cc-mode true, you must encrypt new volumes.

Why do I get error creating an NVE volume with -encrypt false when OKM initialized with -enable-cc-mode true?

What are the circumstances where an external key manager is contacted by a node?

A node contacts the key manager when:

  • Booting
  • Creating a key for a new volume or rekey of an existing volume.
  • Deletion of a volume to remove the key.
  • At the request of one of the following commands:

security key-manager query

security key-manager restore

security key-manager show -status

What are the circumstances where an external key manager is contacted by a node?

How does ONTAP behave when the external key manager is not accessible?
  • When ONTAP is booting:
  • When creating a key:
    • The key is not created when creating a new volume or rekey of an existing volume.
  • When deleting a volume:
    • Delete will fail because the key cannot be deleted.
  • When running the following commands:

security key-manager query command: key IDs are shown if cache is filled

security key-manager restore command: command will fail

security key-manager show -status command: command will show unavailable

  • If there is no change in the storage when the key is stored in the cache, there is no effect (Such as creating volume or deleting volume).

How does ONTAP behave when the external key manager is not accessible?

What happens with NVE and NAE volumes if the external key manager is not available during node giveback?

The NVE and NAE volumes will be offline.

What happens with NVE and NAE volumes if the external key manager is not available during node giveback?

Where can I download an NVE and NAE capable ONTAP image?
  1. You can download an ONTAP image from the NetApp Support Site.
  2. Choose the ONTAP image that is labeled "With NetApp Volume Encryption"

Where can I download an NVE and NAE capable ONTAP image?

What happens when I install an ONTAP non-NVE-capable release over an ONTAP release that is NVE-capable?

If there are NVE volumes, the ONTAP installation will fail.

What happens when I install an ONTAP non-NVE-capable release over an ONTAP release that is NVE-capable?

How can I switch to an NVE or NAE-capable version of ONTAP from a non-NVE/NAE-capable version?

How can I switch to an NVE or NAE-capable version of ONTAP from a non-NVE/NAE-capable version?

How can I enable NVE by default for newly created volumes?
  • Starting with ONTAP 9.7, NAE and NVE are enabled by default if the following conditions are met:
    • A Volume Encryption license is in place
    • OKM or external key managers are configured
    • NSE is not used

Note: NAE volumes are created by default on NAE aggregates, and NVE volumes are created by default on non-NAE aggregates.

  • NVE and NAE can be disabled by default with the following command:

cluster1::*> options -option-name encryption.data_at_rest_encryption.disable_by_default on

How can I enable NVE by default for newly created volumes?

Performance
What is the performance impact of NVE and NAE?
  1. The performance impact of NVE and NAE will vary depending on multiple factors, including:
  • Hardware Platform
  • Disk type
  • System workload
  • Number of active encrypted data volumes
  • Expected/required IOPS
  1. Refer to How do I gauge the impact of enabling NVE or NAE on an existing system?  To gauge the impact of enabling NVE or NAE on an existing system

What is the performance impact of NVE and NAE?

Do certain platforms perform better with NVE and NAE?
  • Yes. Hardware platforms with higher core counts perform better with NVE.
    • For example, a NetApp FAS8080 is less affected than a FAS8040 for the same workload and the same number of active encrypted data volumes.
  • In certain situations, on the higher end, the performance impact of NVE is negligible or unobservable.

Do certain platforms perform better with NVE and NAE?

Is there a performance difference between SSDs and HDDs while using NVE and NAE?
  • SSDs are typically used because of the need for low latencies.
    • NVE and NAE extends the path length for each piece of data so that it can be noticed in certain workloads and operating conditions.
    • The number of IOPS at a given latency can be less when NVE and NAE runs on a NetApp All Flash FAS system, for example.
  • For volumes residing in HDDs, the bottleneck in that system is the disk, and there should be little to no impact with NVE and NAE.

Is there a performance difference between SSDs and HDDs while using NVE and NAE?

Is there a performance impact on non-encrypted volumes when using NVE or NAE?
  • The impact of NVE and NAE comes from extending the processing for the encrypted volumes.
  • Unencrypted volumes should remain unaffected while operating during normal conditions.

Is there a performance impact on non-encrypted volumes when using NVE or NAE?

How do I gauge the impact of enabling NVE or NAE on an existing system?
  1. Use the headroom capability on the system as is (no encryption) to note where the existing performance is.
  2. Add an NVE or NAE volume (or convert an existing volume) and use the headroom capability once more to see what changes.

Note: Remember that NVE is per volume; therefore, you can encrypt or create one at a time based on the headroom and impact.

How do I gauge the impact of enabling NVE or NAE on an existing system?

Interoperability
Can I use NVE and NAE with MetroCluster?

Yes. NVE and NAE are the only generally available data-at-rest encryption options for NetApp MetroCluster.

Can I use NVE and NAE with MetroCluster?

Can I use NVE and NAE with ONTAP Select?

Yes. NVE and NAE are the only generally available data-at-rest encryption option for NetApp ONTAP Select.

Can I use NVE and NAE with ONTAP Select? 

Can I use NVE and NAE with NetApp FlexArray software?

Can I use NVE and NAE with NetApp FlexArray software?

Can I use NVE and NAE with Cloud Volumes ONTAP?

Can I use NVE and NAE with Cloud Volumes ONTAP?

Is NVE and NAE supported for NetApp Flash Cache cards?

Yes. Data on the Flash Cache cards is encrypted by the same CryptoMod used by NVE and NAE.

Is NVE and NAE supported for NetApp Flash Cache cards?

Is data in NetApp Flash Pool intelligent caching encrypted by NVE and NAE?

Yes. Data in Flash Pool™ caches is encrypted by NVE and NAE.

Is data in NetApp Flash Pool intelligent caching encrypted by NVE and NAE?

Are NetApp SnapLock software and NetApp ONTAP FlexGroup volumes compatible with NVE and NAE?
  • Yes. Starting with ONTAP 9.2, SnapLock software and ONTAP FlexGroup volumes are supported.
  • Starting with ONTAP 9.8, existing SnapLock volumes can be encrypted with a volume move.
  • Existing SnapLock volumes cannot encrypted in place, or rekeyed in place.

Are NetApp SnapLock software and NetApp ONTAP FlexGroup volumes compatible with NVE and NAE?

What are the restrictions with FlexGroup volumes and NAE?

The following restrictions are for FG create, rekey/conversion, and expand:

FG create

  • Encrypted volume create operation will be allowed only if all the destination aggrs are of same encryption-type (NAE or non-NAE), Mix is not allowed.
  • Plain-text FG volume create is not allowed on NAE-aggrs.
  • NVE volume can be created on mix of NAE aggr and non-NAE.
  • If “-encrypt true” is specified, then all the constituent volumes will be of type NVE. Destination aggrs can be of mix of NAE aggr and non-NAE.
  • “-encrypt false” is not supported.
  • If nothing is specified, then it wil create NAE volumes on desitnation NAE aggrs.

FG rekey/conversion

  • If any of the constituent volume is of NAE type, then inplace rekey/conversion is not allowed. The constituent volumes of NAE type have to be converted to the volume type of NVE rest through vol-move. Only then rekey/conversion is allowed.

FG expand

  • Adding more members to the existing FG(NAE aggr) is allowed only if new dest aggregate is NAE. It will fail if new dest aggr is non-NAE.

What are the restrictions with FlexGroup volumes and NAE?

Are external (KMIP) key managers compatible with NVE and NAE?

Yes. Starting with ONTAP 9.3, external key managers are compatible with NVE.

Are external (KMIP) key managers compatible with NVE and NAE?

Are clustered key managers supported with ONTAP for NVE and NAE?

Yes. Starting with ONTAP 9.11.1, clustered key managers are supported for NVE, NAE, and NSE as well.

Are clustered key managers supported with ONTAP for NVE and NAE?

Is NVE and NAE supported with backup applications?

Yes. NVE and NAE are independent of the backup targets or solutions. The data presented to the backup solutions is not encrypted.

Is NVE and NAE supported with backup applications?

Does NVE and NAE support drive partitioning features such as ADP?

Yes. NVE and NAE are independent of the drive partitioning process as the encrypted volumes are established after partitioning is performed.

Does NVE and NAE support drive partitioning features such as ADP

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.