Do you need a TPM License Key to Enable NVE?

on
Question: Do you need a Trusted Platform Module (TPM) license key to enable NetApp Volume Encryption?
Answer: No. TPM is not required for NVE.

It’s easy to prove this. I have an ONTAP 9.5 system which only has the VE (Volume Encryption Key).


cluster1::> license show -package TPM,VE

Owner: cluster1-01
Package Type     Description
------- -------- ---------------------
VE      license  Volume Encryption License

Owner: cluster1-02
Package Type     Description
------- -------- ---------------------
VE      license  Volume Encryption License


And I created an NVE enabled volume without issue:


cluster1::> volume create -vserver SVM1 -aggregate cluster1_01_SSD_1 -volume NVE_TESTVOL -size 10G -encrypt true
[Job 183] Job succeeded: Successful


And view the encryption status and key:


cluster1::> volume show -encrypt true -fields encrypt,encryption-state,key-id
vserver volume   encrypt encryption-state key-id
------- -------- ------- ---------------- --------------------------------------------------------------------------------
SVM1    NVE_TESTVOL true    full             0000000000000000020000000000050072c1f19f51ae07aacfb40ee8ca9a2f2e0000000000000000


Image: Proving NVE without TPM

Further Information

NetApp Volume Encryption, The Nitty Gritty
https://blog.iops.ca/2016/11/30/netapp-volume-encryption-the-nitty-gritty/

TRUSTED PLATFORM MODULE (TPM) SUPPORTED PLATFORMS
https://www.dburkland.com/trusted-platform-module-tpm-supported-platforms/
https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1086023
Only these and newer ONTAP platforms have TPM modules integrated:
AFF A200, AFF A300, AFF A700, AFF A700s, FAS2620, FAS2650, FAS8200, FAS9000

In hwu.netapp.com you’ll see some of the older platforms without the TPM module do support NVE. Also, check out the KB below:
KB1082615 - Which platforms support NetApp Volume Encryption (NVE)

KB1086920 - FAQ: NetApp Volume Encryption and NetApp Aggregate Encryption

Comments

Post a Comment