Wednesday, 24 July 2019

NetApp Aggregate Encryption (NAE) in ONTAP 9.6: How to Configure


NetApp Aggregate Encryption (NAE) is one of the great new features of ONTAP 9.6. It means that if you have requirements that no un-encrypted media can leave site, you can now enable NAE and all the data on that aggregate is encrypted. So, you don’t need to pay extra for non-returnable disks (NRD) or NetApp Storage Encryption (NSE) disks. Also, it means you can benefit from cross-volume dedupe (aggregate level dedupe) which you couldn’t benefit from if you were using NVE (NetApp Volume Encryption.)

Configuration is very simple.

Firstly, we check the aggregates are not yet encrypted, and are NVE capable.


cluster1::> aggr show -fields encrypt-with-aggr-key,is-nve-capable
aggregate is-nve-capable encrypt-with-aggr-key
--------- -------------- ---------------------
N1_AGGR1  false          false
N2_AGGR1  false          false
aggr0_cluster1_01
          false          false
aggr0_cluster1_02
          false          false
4 entries were displayed.


NAE requires a Key Manager is configured. Here we enable the onboard key manager (OKM). You will need a 32-character passphrase.


cluster1::> security key-manager onboard enable

Enter the cluster-wide passphrase for onboard key management:

Re-enter the cluster-wide passphrase:
After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. To view the data, use the "security key-manager onboard show-backup" command.

cluster1::> security key-manager onboard show-backup


Modify the aggregate to enable NAE.


cluster1::> aggr modify -aggregate N1_AGGR1 -encrypt-with-aggr-key true

cluster1::> aggr show -fields encrypt-with-aggr-key,is-nve-capable
aggregate is-nve-capable encrypt-with-aggr-key
--------- -------------- ---------------------
N1_AGGR1  true           true
N2_AGGR1  true           false
aggr0_cluster1_01
          true           false
aggr0_cluster1_02
          true           false
4 entries were displayed.


APPENDIX: Manual Page entries for NAE.


cluster1::> man aggr modify
storage aggregate modify : Data ONTAP 9.6 : storage aggregate modify

...

[-encrypt-with-aggr-key {true|false}] - Enable Aggregate level Encryption
This parameter specifies that the volumes within the new aggregate can be encrypted with aggregate keys. If this parameter is set to true, the aggregate will support encryption with aggregate keys.

[-force-disable-encrypt-with-aggr-key [true]] - Force disable NAE. Skip aggregate snapshot check.
This parameter allows disabling NetApp Aggregate Encryption (NAE) on an aggregate if the user is certain there is no aggregate snapshot for that aggregate containing NAE volumes. If the parameter is set to true, aggregate snapshot check is skipped and NAE is disabled.


If you want to check for aggregate snapshots, use this command:


cluster1::> node run NODENAME snap list -A


Image: NVE vs NAE
 

No comments:

Post a Comment