NetApp Knowledge Base

Does ONTAP support encryption while allowing seamless file server usage

Category: ontap-9
Specialty: nas
Last Updated: 5/9/2025, 1:46:32 AM

Applies to

  • ONTAP 9
  • NFS (Network File System) protocol
  • SMB3 (Server Message Block version 3) protocol
  • NetApp Volume Encryption (NVE)
  • NetApp Aggregate Encryption (NAE)
  • IPsec (Internet Protocol Security)

Answer

  • ONTAP supports encryption at multiple layers while maintaining seamless file server usage.
  • The supported encryption methods and their applicability depend on the access protocol and deployment configuration:
    • File Access Protocol Layer
      • NFS Protocol:
        • NFS does not natively support encryption at the protocol layer.
        • For encryption, consider using network-level encryption (e.g., IPsec) or storage-level encryption (e.g., NVE/NAE).
      • SMB3 Protocol:
        • SMB3 natively supports encryption.
        • Encryption can be enabled for incoming SMB traffic either at the CIFS server level or at the individual file share level.
        • By default, SMB encryption is not required.
    • Storage Layer
      • NetApp Volume Encryption (NVE):
        • Encrypts data at the volume level.
        • Does not require self-encrypting drives (SEDs).
        • Transparent to clients, ensuring seamless file server usage.
      • NetApp Aggregate Encryption (NAE):
        • Encrypts data at the aggregate level.
        • Provides encryption for all volumes within the aggregate.
        • Also transparent to clients.
    • Network Transfer Layer
      • IPsec:
        • Secures data-in-motion by encrypting network traffic.
        • Requires configuration on both ONTAP and client systems.
        • Suitable for environments where protocol-level encryption (e.g., SMB3 encryption) is unavailable or insufficient.

Additional Information

To verify if encryption is enabled:
  • For SMB3: Check the share or CIFS server configuration for encryption settings.
  • For NVE/NAE: Use the volume show -fields encryption or aggregate show -fields encryption command.
  • For IPsec: Verify the IPsec policy configuration on both ONTAP and the client system.
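
The SMB3 and NVE/NAE checks above can be run over pasted CLI output to list where encryption is not enforced. This is an added example, not part of the NetApp article or NetApp tooling; the field names (is-encrypted, is-smb-encryption-required, share-properties, encrypt-data) and the sample tables are assumptions constructed for illustration, so match them to the fields your ONTAP release prints.

```python
# Added example: audit pasted ONTAP `show -fields` tables for encryption gaps.
# Field names and sample tables are constructed assumptions, not from the article.
VOLUMES = """\
vserver volume  is-encrypted
------- ------- ------------
vs1     finance true
vs1     scratch false
2 entries were displayed.
"""

SMB_SERVER = """\
vserver is-smb-encryption-required
------- --------------------------
vs1     false
"""

SHARES = """\
vserver share-name share-properties
------- ---------- ------------------------------
vs1     finance    oplocks,browsable,encrypt-data
vs1     scratch    oplocks,browsable
2 entries were displayed.
"""


def parse_fields_table(text):
    """Turn a whitespace-aligned `-fields` table into a list of dicts."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], []
    for cells in lines[1:]:
        # Skip the dashed ruler and the "N entries were displayed." footer.
        if cells[-1] == "displayed." or all(set(c) == {"-"} for c in cells):
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def audit(volumes, smb_server, shares):
    """Return (layer, object) pairs where encryption is not enforced."""
    findings = []
    for v in parse_fields_table(volumes):
        if v["is-encrypted"] != "true":  # neither NVE nor NAE covers it
            findings.append(("at-rest", f'{v["vserver"]}:{v["volume"]}'))
    required = {s["vserver"] for s in parse_fields_table(smb_server)
                if s["is-smb-encryption-required"] == "true"}
    for s in parse_fields_table(shares):
        props = s["share-properties"].split(",")
        if s["vserver"] not in required and "encrypt-data" not in props:
            findings.append(("smb-in-flight", f'{s["vserver"]}:{s["share-name"]}'))
    return findings
```

Calling audit(VOLUMES, SMB_SERVER, SHARES) reports the scratch volume as unencrypted at rest and the scratch share as not requiring SMB encryption. NFS traffic and the IPsec policy are outside what this check covers.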

 
