NetApp Aggregate Encryption (NAE) is one of the great new features of ONTAP 9.6. If you have a requirement that no unencrypted media may leave the site, you can now enable NAE and all the data on that aggregate is encrypted. So you don't need to pay extra for non-returnable disks (NRD) or NetApp Storage Encryption (NSE) disks. It also means you can benefit from cross-volume dedupe (aggregate-level dedupe), which you could not benefit from when using NVE (NetApp Volume Encryption).
Configuration is very simple.
First, we check that the aggregates are not yet encrypted and whether they are NVE capable.
cluster1::> aggr show -fields encrypt-with-aggr-key,is-nve-capable
aggregate         is-nve-capable encrypt-with-aggr-key
----------------- -------------- ---------------------
N1_AGGR1          false          false
N2_AGGR1          false          false
aggr0_cluster1_01 false          false
aggr0_cluster1_02 false          false
4 entries were displayed.
NAE requires that a key manager be configured. Here we enable the Onboard Key Manager (OKM); you will need a 32-character passphrase.
cluster1::> security key-manager onboard enable
Enter the cluster-wide passphrase for onboard key management:
Re-enter the cluster-wide passphrase:

After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. To view the data, use the "security key-manager onboard show-backup" command.

cluster1::> security key-manager onboard show-backup
Modify the aggregate to enable NAE, then verify.

cluster1::> aggr modify -aggregate N1_AGGR1 -encrypt-with-aggr-key true

cluster1::> aggr show -fields encrypt-with-aggr-key,is-nve-capable
aggregate         is-nve-capable encrypt-with-aggr-key
----------------- -------------- ---------------------
N1_AGGR1          true           true
N2_AGGR1          true           false
aggr0_cluster1_01 true           false
aggr0_cluster1_02 true           false
4 entries were displayed.
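On a cluster with many aggregates it is easier to have a script classify the output of the aggr show command above than to read the table by eye. The following is an added example, not part of the original post: it parses the -fields output format shown above and reports which aggregates are encrypted, which are key-manager capable but still unencrypted, and which cannot be encrypted yet because no key manager is configured. The sample output embedded in it is constructed to match the state after the modify step.

```python
"""Classify aggregates from 'aggr show -fields encrypt-with-aggr-key,is-nve-capable'.

Added example, not from the original post. It assumes the tabular output
format shown in the post (header, dashed separator, one row per aggregate,
trailing 'N entries were displayed.' line). SAMPLE_OUTPUT is constructed.
"""

SAMPLE_OUTPUT = """\
aggregate         is-nve-capable encrypt-with-aggr-key
----------------- -------------- ---------------------
N1_AGGR1          true           true
N2_AGGR1          true           false
aggr0_cluster1_01 true           false
aggr0_cluster1_02 true           false
4 entries were displayed.
"""


def parse_aggr_show(text):
    """Return {aggregate: {field_name: bool}} for the boolean fields shown."""
    rows, header = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or line.endswith("were displayed."):
            continue  # blank line or the trailing row count
        if header is None:
            header = parts  # first non-empty line is the column header
            continue
        if set(line.strip()) <= {"-", " "}:
            continue  # dashed separator under the header
        if len(parts) != len(header):
            raise ValueError("unexpected row: %r" % line)
        row = dict(zip(header, parts))
        rows[row["aggregate"]] = {
            k: v.lower() == "true" for k, v in row.items() if k != "aggregate"
        }
    return rows


def nae_compliance(text):
    """Map each aggregate to 'encrypted', 'unencrypted' (NVE capable but
    NAE not enabled) or 'no-key-manager' (not NVE capable, so NAE cannot
    be enabled until a key manager is configured)."""
    report = {}
    for name, flags in parse_aggr_show(text).items():
        if flags["encrypt-with-aggr-key"]:
            report[name] = "encrypted"
        elif flags["is-nve-capable"]:
            report[name] = "unencrypted"
        else:
            report[name] = "no-key-manager"
    return report


if __name__ == "__main__":
    for name, state in sorted(nae_compliance(SAMPLE_OUTPUT).items()):
        print("%-20s %s" % (name, state))
```

Feed it the real output captured from the cluster in place of SAMPLE_OUTPUT; any aggregate reported as unencrypted is one you still need to modify.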
APPENDIX: Manual page entries for NAE.

cluster1::> man aggr modify
storage aggregate modify : Data ONTAP 9.6 : storage aggregate modify
...
[-encrypt-with-aggr-key {true|false}] - Enable Aggregate level Encryption
    This parameter specifies that the volumes within the new aggregate can be encrypted with aggregate keys. If this parameter is set to true, the aggregate will support encryption with aggregate keys.

[-force-disable-encrypt-with-aggr-key [true]] - Force disable NAE. Skip aggregate snapshot check.
    This parameter allows disabling NetApp Aggregate Encryption (NAE) on an aggregate if the user is certain there is no aggregate snapshot for that aggregate containing NAE volumes. If the parameter is set to true, aggregate snapshot check is skipped and NAE is disabled.
If you want to check for aggregate snapshots, use this command:

cluster1::> node run NODENAME snap list -A
Image: NVE vs NAE