NetApp Stage KB

FAQ - NetApp Volume Encryption and NetApp Aggregate Encryption

Category:
ontap-9
Specialty:
CORE

Applies to

  • ONTAP 9
  • NetApp Volume Encryption (NVE)
  • NetApp Aggregate Encryption (NAE)

Frequently Asked Questions

Overview
What are the software-based encryption capabilities in ONTAP?

What are the software-based encryption capabilities in ONTAP?

How does NetApp Volume Encryption (NVE) and NetApp Aggregate Encryption (NAE) encrypt data?

How does NVE and NAE encrypt data?

Requirements
Which hardware platforms support software-based encryption (NVE and NAE)?
Which hardware platforms support software-based encryption?
How do I determine if my cluster version supports NVE and NAE?

For more information, visit product documentation: Determine whether your cluster version supports NVE

Is NVE and NAE a licensed feature?

Are NVE and NAE licensed features?

How do I confirm ONTAP is running a version that prevents the use of encryption?

How do I confirm ONTAP is running a version that prevents the use of encryption?

Which key managers are available with NVE and NAE?

For more information, visit product documentation: Understanding NVE

Which external key managers are compatible with NVE and NAE?

How to determine which External Key Managers are supported by ONTAP

Can a system using NSE with an external key manager also use NVE and NAE?

Can a system using NSE with an external key manager also use NVE and NAE?

Do NVE and NAE require encryption on all volumes?

Do NVE and NAE require encryption on all volumes?

Can I use NSE drives with NVE and NAE?

Can I use NSE drives with NVE and NAE?

Can NVE be used in a mixed platform cluster with platforms that do not support NVE?

Can NVE be used in a mixed platform cluster with platforms that do not support NVE?

Architecture
What data is encrypted with NVE and NAE?
What data is encrypted with NAE and NVE?
Are ONTAP storage efficiencies maintained when software-based encryption (NVE or NAE) is in use?
Are ONTAP storage efficiencies maintained when software-based encryption is in use?
Does NVE and NAE work with aggregate deduplication?
Does NVE and NAE work with aggregate deduplication?
What type of algorithms do NVE and NAE use for encrypting data?
What type of algorithms do NVE and NAE use for encrypting data?
Are Snapshot copies encrypted?
What data is encrypted with NAE and NVE?
Are FlexClone volumes encrypted?
What data is encrypted with NAE and NVE?
Can FlexClone volumes be encrypted with a different encryption key than the original volume?
Can FlexClone volumes be encrypted with a different encryption key than the original volume?
Are data volume encryption keys reused?
Are data volume encryption keys reused?
Can I assign a specific encryption key to a data volume?
Can I assign a specific encryption key to a data volume?
If I use NetApp SnapMirror to mirror my encrypted volume to a different cluster, is the same encryption key used at the destination?
If I use NetApp SnapMirror to mirror my encrypted volume to a different cluster, is the same encryption key used at the destination?
Does NVE and NAE encrypt data in flight?
Does NVE and NAE encrypt data in flight?
Does NVE encrypt data during transfer when using SnapMirror?
Does NVE encrypt data during transfer when using SnapMirror?
Are NetApp Volume Encryption keys replicated across clusters?
Are NetApp Volume Encryption keys replicated across clusters?
Where are NVE and NAE encryption keys stored?
Where are NVE and NAE encryption keys stored?
What is Trusted Platform Module (TPM)?
What is Trusted Platform Module (TPM)?
Does NetApp Volume Encryption have to be enabled on both source and destination volumes of a SnapMirror relationship?
Does NetApp Volume Encryption have to be enabled on both source and destination volumes of a SnapMirror relationship?
Are NetApp Volume Encryption and NetApp Aggregate Encryption FIPS 140-2 Validated?
Are NetApp Volume Encryption and NetApp Aggregate Encryption FIPS 140-2 Validated?
Is there a special procedure or mechanism to protect against data spillage from prior to enabling NVE or NAE?
Is there a special procedure or mechanism to protect against data spillage from prior to enabling NVE or NAE?
Can deleted files be non-disruptively purged from NVE volumes?
Can deleted files be non-disruptively purged from NVE volumes?
Does NVE support the use of external KMIP servers to store and secure encryption keys?
Does NVE support the use of external KMIP servers to store and secure encryption keys?
Configuration
How to encrypt a new data volume?

For more information, visit product documentation: Enable encryption on a new volume

Can I encrypt existing data volumes?

For more information, visit product documentation: Enable encryption on an existing volume with the volume move start command

Can I encrypt an existing data volume in place (without a volume move)?

For more information, visit product documentation: Enable encryption on an existing volume with the volume encryption conversion start command

Can I encrypt an existing volume in place with NAE in ONTAP 9.6?

How to convert plain text aggregate to NAE?

How to realize aggregate deduplication space savings after moving NVE volumes to NAE volumes?

How do I realize aggregate deduplication space savings after moving NVE volumes to NAE volumes?

How to unencrypt an NVE volume?

How do I unencrypt an NVE volume?

How to unencrypt an NAE volume?

How do I unencrypt an NAE volume?

How can I view the progress of the volume encryption conversion start command?

How can I view the progress of the volume encryption conversion start command?

Can I do a volume move while an active NVE volume encryption start is running?

Can I do a volume move while an active NVE volume encryption start is running?

If a volume encryption is paused and resumed, will the conversion continue where it left off?

If a volume encryption is paused and resumed, will the conversion continue where it left off?

Is it possible to tune the volume encryption conversion process?

Is it possible to tune the volume encryption conversion process?

Is there a maximum number of simultaneous volume encryption conversion processes that can be run at one time?

Is there a maximum number of simultaneous volume encryption conversion processes that can be run at one time?

Can I instantaneously delete an NVE volume encryption key without deleting the volume?

Can I instantaneously delete an NVE volume encryption key without deleting the volume?

Can I instantaneously delete an NAE aggregate encryption key without deleting the NAE volumes?

Can I instantaneously delete an NAE aggregate encryption key without deleting the NAE volumes? 

Are any additional steps needed after an encrypted volume is created to ensure that the data is encrypted?

Are any additional steps needed after an encrypted volume is created to ensure that the data is encrypted?

Can an existing encrypted volume have the encryption key changed or rekeyed?

Can an existing encrypted volume have the encryption key changed or rekeyed?

How can I know the last time a volume was rekeyed?

How can I know the last time a volume was rekeyed?

Do I have to encrypt all of my data volumes when using NetApp Volume Encryption?

Do I have to encrypt all of my data volumes when using NetApp Volume Encryption?

How can I confirm if a volume is encrypted?

How can I confirm if a volume is encrypted?

How do I transition from the onboard key manager to an external key manager, or conversely?

How do I transition from the onboard key manager to an external key manager, or conversely?

How can I require a prompt for the OKM passphrase at controller reboot?

How can I require a prompt for the OKM passphrase at controller reboot?

Why do I get error creating an NVE volume with -encrypt false when OKM initialized with -enable-cc-mode true?

Why do I get error creating an NVE volume with -encrypt false when OKM initialized with -enable-cc-mode true?

What are the circumstances where an external key manager is contacted by a node?

What are the circumstances where an external key manager is contacted by a node?

How does ONTAP behave when the external key manager is not accessible?

How does ONTAP behave when the external key manager is not accessible?

What happens with NVE and NAE volumes if the external key manager is not available during node giveback?

What happens with NVE and NAE volumes if the external key manager is not available during node giveback?

Where can I download an NVE and NAE capable ONTAP image?

Where can I download an NVE and NAE capable ONTAP image?

What happens when I install an ONTAP non-NVE-capable release over an ONTAP release that is NVE-capable?

What happens when I install an ONTAP non-NVE-capable release over an ONTAP release that is NVE-capable?

How can I switch to an NVE or NAE-capable version of ONTAP from a non-NVE/NAE-capable version?

How can I switch to an NVE or NAE-capable version of ONTAP from a non-NVE/NAE-capable version?

How can I enable NVE by default for newly created volumes?

How can I enable NVE by default for newly created volumes?

Performance
What is the performance impact of NVE and NAE?

What is the performance impact of NVE and NAE?

Do certain platforms perform better with NVE and NAE?

Do certain platforms perform better with NVE and NAE?

Is there a performance difference between SSDs and HDDs while using NVE and NAE?

Is there a performance difference between SSDs and HDDs while using NVE and NAE?

Is there a performance impact on non-encrypted volumes when using NVE or NAE?

Is there a performance impact on non-encrypted volumes when using NVE or NAE?

How do I gauge the impact of enabling NVE or NAE on an existing system?

How do I gauge the impact of enabling NVE or NAE on an existing system?

Interoperability
Can I use NVE and NAE with MetroCluster?

Can I use NVE and NAE with MetroCluster?

Can I use NVE and NAE with ONTAP Select?

Can I use NVE and NAE with ONTAP Select? 

Can I use NVE and NAE with NetApp FlexArray software?

Can I use NVE and NAE with NetApp FlexArray software?

Can I use NVE and NAE with Cloud Volumes ONTAP?

Can I use NVE and NAE with Cloud Volumes ONTAP?

Is NVE and NAE supported for NetApp Flash Cache cards?

Is NVE and NAE supported for NetApp Flash Cache cards?

Is data in NetApp Flash Pool intelligent caching encrypted by NVE and NAE?

Is data in NetApp Flash Pool intelligent caching encrypted by NVE and NAE?

Are NetApp SnapLock software and NetApp ONTAP FlexGroup volumes compatible with NVE and NAE?

Are NetApp SnapLock software and NetApp ONTAP FlexGroup volumes compatible with NVE and NAE?

What are the restrictions with FlexGroup volumes and NAE?

What are the restrictions with FlexGroup volumes and NAE?

Are external (KMIP) key managers compatible with NVE and NAE?

Are external (KMIP) key managers compatible with NVE and NAE?

Are clustered key managers supported with ONTAP for NVE and NAE?

Are clustered key managers supported with ONTAP for NVE and NAE?

Is NVE and NAE supported with backup applications?

Is NVE and NAE supported with backup applications?

Does NVE and NAE support drive partitioning features such as ADP?

Does NVE and NAE support drive partitioning features such as ADP?
