Skip to main content
NetApp Knowledge Base

Are encrypted blocks that are cold also encrypted when tiered?

Last Updated:

Applies to

  • ONTAP 9
  • Encryption
  • FabricPool


FabricPool maintains AES-256-GCM encryption on the local tier, on the cloud tier, and over the wire when moving data between the tiers.

Local tier

  • FabricPool supports NetApp Storage Encryption (NSE), NetApp Volume Encryption (NVE), and NetApp Aggregate Encryption (NAE).
  • Neither NSE, NVE, nor NAE are required to use FabricPool.

Over the wire

  • Objects moving between local and cloud tiers are encrypted by using TLS 1.2 using AES-256-GCM.
  • Other encryption modes, such as CCM, are not supported. To some extent, encryption affects connectivity (latency) because object stores must use CPU cycles to decrypt the data.
  • Communicating with object stores without TLS encryption is supported but is not recommended.

Cloud tier

  • All objects encrypted by NVE/NAE remain encrypted when moved to the cloud tier.
  • Client-side encryption keys are owned by ONTAP.

Additional Information

Refer to FabricPool Best Practices

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.
Scan to view the article on your device