ONTAP 9 -- Full Disk Encryption (FDE)


ONTAP 9 -- Full Disk Encryption (FDE)

Eric Peng

Last year, we acquired an all-flash FAS array (AFF8040) for POC.  While this array supports the FDE feature (via SafeNet), the POC requirements did not require us to enable this.  As it sometimes goes, POC is potentially turning into “production” and we are currently taking a look at options to see if it makes sense to convert the POC into an actual purchase.  Am hoping some of you may have a bit of experience with enabling FDE encryption on an array *after* data already exists on an array.

 

Basically, need to know if the existing data can safely remain on the disks if FDE feature is to be introduced now?  I’ve only come across a piece of NetApp marketing literature that indicates this should be non-disruptive, while the technical whitepapers focus on the nuts and bolts of “how to enable FDE”.

 

Can anyone share definitively whether we must first enable FDE on an array that has SED disks, or whether it is actually safe to introduce FDE on the array after it has been put into use?  Would like to avoid having to migrate off the data and re-configure the array/cluster if I can.

 

Thanks,

 

Eric Peng | Enterprise Storage Engineer
Esri | 380 New York St. | Redlands, CA 92373 | USA
T 909 793 2853 x3567 | M 909 367 1691

[hidden email] | esri.com

 


_______________________________________________
Toasters mailing list
[hidden email]
http://www.teaparty.net/mailman/listinfo/toasters

ONTAP 9 -- Full Disk Encryption (FDE)

André M. Clark
Eric,

So if you already have the data on NSE drives there’s no need to worry about the data if you want to enable the key management after the fact.  Now, with ONTAP 9.x, you have options as to where you want to do your key management.  If you don’t have a FIPS requirement, you can enable the onboard key management directly in ONTAP.  If you do have FIPS requirements and/or want to have a centralized KMS, you can use Gemalto’s (SafeNet) KeySecure and continue.

One other thing to note, since you have the NSE drives, believe it or not, but your data is currently encrypted.  It is just with the default manufacturer key, and thus, not truly secure.

HTH


Regards,
André M. Clark

On Tue, Apr 04, 2017 at 18:43 Eric Peng <[hidden email]> wrote:

Last year, we acquired an all-flash FAS array (AFF8040) for POC.  While this array supports the FDE feature (via SafeNet), the POC requirements did not require us to enable this.  As it sometimes goes, POC is potentially turning into “production” and we are currently taking a look at options to see if it makes sense to convert the POC into an actual purchase.  Am hoping some of you may have a bit of experience with enabling FDE encryption on an array *after* data already exists on an array.

 

Basically, need to know if the existing data can safely remain on the disks if FDE feature is to be introduced now?  I’ve only come across a piece of NetApp marketing literature that indicates this should be non-disruptive, while the technical whitepapers focus on the nuts and bolts of “how to enable FDE”.

 

Can anyone share definitively whether we must first enable FDE on an array that has SED disks, or whether it is actually safe to introduce FDE on the array after it has been put into use?  Would like to avoid having to migrate off the data and re-configure the array/cluster if I can.

 

Thanks,

 


RE: ONTAP 9 -- Full Disk Encryption (FDE)

Eric Peng
Hi Andre,

Thanks for your quick response.  That confirms our intuitive understanding from reading the NetApp whitepapers that the SED disks were in fact encrypting the data when writing to disk, even though we have not yet turned on NSE on the controllers.  Because of potential, upcoming FIPS requirements (still being worked out), we would mostly involve an external key manager like SafeNet.  Do you know if later enabling external key management would be disruptive in nature, requiring a reboot of both HA controllers?

Thanks,
Eric Peng 


Sent from my Samsung Galaxy smartphone.



-------- Original message --------
From: "Andre M. Clark" <[hidden email]>
Date: 4/4/17 5:28 PM (GMT-08:00)
To: Eric Peng <[hidden email]>, [hidden email]
Cc: iststorage <[hidden email]>
Subject: ONTAP 9 -- Full Disk Encryption (FDE)

Eric,

So if you already have the data on NSE drives there’s no need to worry about the data if you want to enable the key management after the fact.  Now, with ONTAP 9.x, you have options as to where you want to do your key management.  If you don’t have a FIPS requirement, you can enable the onboard key management directly in ONTAP.  If you do have FIPS requirements and/or want to have a centralized KMS, you can use Gemalto’s (SafeNet) KeySecure and continue.

One other thing to note, since you have the NSE drives, believe it or not, but your data is currently encrypted.  It is just with the default manufacturer key, and thus, not truly secure.

HTH


Regards,
André M. Clark


RE: ONTAP 9 -- Full Disk Encryption (FDE)

André M. Clark
Eric,

Adding SafeNet to the environment is not disruptive.  However, as part of the installation process, a storage failover is part of the process as the installation engineer must verify that the controller is communicating properly with the external KMS.  If, during a power cycle, the node can’t communicate to the KMS then that node will not be able to connect to the storage and thus, no access to the data.  Now, this doesn’t mean that you are dead in the water (i.e. KMS is offline).  There is a way via the LOADER prompt and provided that you have the secure passphrase (another item that will be decided upon and secured externally during initial configuration) you can boot the system up and access the data.


Regards,
André M. Clark

On Tue, Apr 04, 2017 at 20:40 Eric Peng <[hidden email]> wrote:
Hi Andre,

Thanks for your quick response.  That confirms our intuitive understanding from reading the NetApp whitepapers that the SED disks were in fact encrypting the data when writing to disk, even though we have not yet turned on NSE on the controllers.  Because of potential, upcoming FIPS requirements (still being worked out), we would mostly involve an external key manager like SafeNet.  Do you know if later enabling external key management would be disruptive in nature, requiring a reboot of both HA controllers?

Thanks,
Eric Peng 



Re: ONTAP 9 -- Full Disk Encryption (FDE)

Francis Kim
Andre,

Picking up on your earlier comment about manufacturer’s key not being truly secure, if a KMS is deployed after data creation, then would the already encrypted data need to be re-encrypted with the new key?

Francis Kim
Cell: 415-606-2525
Direct: 510-644-1599 x334 

On Apr 4, 2017, at 5:47 PM, Andre M. Clark <[hidden email]> wrote:

Eric,

Adding SafeNet to the environment is not disruptive.  However, as part of the installation process, a storage failover is part of the process as the installation engineer must verify that the controller is communicating properly with the external KMS.  If, during a power cycle, the node can’t communicate to the KMS then that node will not be able to connect to the storage and thus, no access to the data.  Now, this doesn’t mean that you are dead in the water (i.e. KMS is offline).  There is a way via the LOADER prompt and provided that you have the secure passphrase (another item that will be decided upon and secured externally during initial configuration) you can boot the system up and access the data.


Regards,
André M. Clark


RE: ONTAP 9 -- Full Disk Encryption (FDE)

Eric Peng

Andre,

 

Thanks for your input about power-cycling the controllers (via failover process).  That makes sense.  After reviewing your comments and some additional NetApp literature, it looks like the NSE drives ship from the factory with key ID of 0x0 and are in an “unlocked” state (i.e., no requirement for key ID or passphrase) for data access.  When we get to the point of setting up an external key management system (SafeNet) with these controllers, we’ll rekey these drives with our own key and provide a passphrase.  By doing so, this effectively “locks” the drives for data access.  Picking up on Francis’ question (below), do the drives then go through a process of re-encrypting the data (presumably they would)?  If so, I’m presuming this is a rather seamless, background operation with little performance overhead involved?

 

Thanks,

 

Eric Peng | Enterprise Storage Engineer

 

From: Francis Kim [mailto:[hidden email]]
Sent: Tuesday, April 04, 2017 7:24 PM
To: Andre M. Clark <[hidden email]>
Cc: Eric Peng <[hidden email]>; [hidden email]; iststorage <[hidden email]>
Subject: Re: ONTAP 9 -- Full Disk Encryption (FDE)

 

Andre,

 

Picking up on your earlier comment about manufacturer’s key not being truly secure, if a KMS is deployed after data creation, then would the already encrypted data need to be re-encrypted with the new key?

 


Re: ONTAP 9 -- Full Disk Encryption (FDE)

André M. Clark
In reply to this post by Francis Kim
Francis,

Apologies for my delayed response as I have been quite busy today.  I’m including an excerpt from NetApp documentation around the process to see if this may clear up any confusion as I wasn’t using exact terms.

Authentication Keys (AK) and changes to them do not affect the disk encryption keys
When a system is first brought up, the NSE disks are openly available to the system without need for authentication. The disks themselves automatically encrypt data written to them and decrypt it when read and maintain these disk encryption keys (AKA media encryption keys) within themselves. The controls are not yet set to protect a disk that leaves the system. The system may be operated in this unprotected mode indefinitely. The NSE disks simply act like other disks.

When the servers are made available and the required SSL/TLS certificates are properly installed, the setup of the connections between the KMIP servers and the cluster is made. Thereafter, authentication keys can be created and the controls in the disks set to protect the data. Then, if the disks are power-cycled, such as would happen if a disk is removed and placed on another system, that system cannot give the required AK (safely on an SSL-protected key server) to unlock access to the data.

Modifying authentication keys does not affect the encryption keys. Data that is written to the disks in the period before KMIP server setup and AK changes is still present. Once the controls are set, then all data on the disks is protected, whether it existed before or after the protections were applied.


I hope this clarifies what I mentioned in my earlier replies and apologies if I caused any confusion.

Regards,
André M. Clark
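
The distinction drawn in the excerpt above, between the authentication key (AK) and the media encryption key held inside the disk, shown as an added example that is not part of the original post and is not NetApp code. It is a toy Python model: the class and method names, the HMAC-based keystream standing in for the drive's hardware cipher, and the choice to store the media key wrapped under the AK are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

DEFAULT_AK = bytes(32)  # constructed stand-in for the factory-default authentication key


def _xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy cipher (HMAC-SHA256 keystream), standing in for the drive's hardware cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, label + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


class SelfEncryptingDrive:
    """Hypothetical model of one NSE/SED disk; not a real drive or ONTAP interface."""

    def __init__(self):
        self._media = {}                 # LBA -> ciphertext as stored on the media
        self._mek = os.urandom(32)       # media encryption key, never leaves the drive
        self._protected = False          # factory state: no lock after a power cycle
        self._wrap_mek(DEFAULT_AK)

    def _wrap_mek(self, ak: bytes) -> None:
        # Assumption of this model: the MEK is stored wrapped under the AK.
        self._wrapped = _xor_stream(ak, b"wrap", self._mek)
        self._tag = hmac.new(ak, b"tag" + self._mek, hashlib.sha256).digest()

    def _unwrap_mek(self, ak: bytes):
        mek = _xor_stream(ak, b"wrap", self._wrapped)
        tag = hmac.new(ak, b"tag" + mek, hashlib.sha256).digest()
        return mek if hmac.compare_digest(tag, self._tag) else None

    def _require_unlocked(self) -> None:
        if self._mek is None:
            raise PermissionError("drive is locked: authentication key required")

    def write(self, lba: int, plaintext: bytes) -> None:
        self._require_unlocked()
        self._media[lba] = _xor_stream(self._mek, lba.to_bytes(8, "big"), plaintext)

    def read(self, lba: int) -> bytes:
        self._require_unlocked()
        return _xor_stream(self._mek, lba.to_bytes(8, "big"), self._media[lba])

    def set_authentication_key(self, new_ak: bytes) -> None:
        """Rekey: re-wrap the same MEK under a new AK. The media is not touched."""
        self._require_unlocked()
        self._wrap_mek(new_ak)
        self._protected = new_ak != DEFAULT_AK

    def power_cycle(self) -> None:
        # The in-RAM MEK is lost; an unprotected drive reopens itself with the default AK.
        self._mek = None if self._protected else self._unwrap_mek(DEFAULT_AK)

    def unlock(self, ak: bytes) -> bool:
        mek = self._unwrap_mek(ak)
        if mek is None:
            return False
        self._mek = mek
        return True

    def raw_media(self) -> dict:
        return dict(self._media)


def demo() -> dict:
    drive = SelfEncryptingDrive()
    data = b"POC data written before any key server existed"  # constructed sample
    drive.write(0, data)
    drive.power_cycle()                      # unprotected mode: comes back open
    open_after_cycle = drive.read(0) == data

    before = drive.raw_media()
    site_ak = os.urandom(32)                 # would be held on the external KMIP server
    drive.set_authentication_key(site_ak)    # "controls set" in the excerpt's terms
    media_unchanged = drive.raw_media() == before

    drive.power_cycle()                      # e.g. disk pulled and moved to another system
    try:
        drive.read(0)
        locked = False
    except PermissionError:
        locked = True
    wrong_ak_rejected = not drive.unlock(os.urandom(32))
    old_data_readable = drive.unlock(site_ak) and drive.read(0) == data
    return {
        "open_after_cycle": open_after_cycle,
        "media_unchanged": media_unchanged,
        "locked_after_cycle": locked,
        "wrong_ak_rejected": wrong_ak_rejected,
        "old_data_readable": old_data_readable,
    }


if __name__ == "__main__":
    print(demo())
```

In the model, setting the AK leaves every stored ciphertext byte identical, and data written before the AK existed is locked after the next power cycle and readable again only with that AK.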


RE: ONTAP 9 -- Full Disk Encryption (FDE)

André M. Clark
In reply to this post by Eric Peng
Eric,

I just replied to Francis with an update that should clarify.  The long and the short of it is that no “reencryption” of the data is necessary.  It is a transfer of the authentication keys to an external KMIP.


Regards,
André M. Clark

On Wed, Apr 05, 2017 at 14:28 Eric Peng <[hidden email]> wrote:

Andre,

 

Thanks for your input about power-cycling the controllers (via failover process).  That makes sense.  After reviewing your comments and some additional NetApp literature, it looks like the NSE drives ship from the factory with key ID of 0x0 and are in an “unlocked” state (i.e., no requirement for key ID or passphrase) for data access.  When we get to the point of setting up an external key management system (SafeNet) with these controllers, we’ll rekey these drives with our own key and provide a passphrase.  By doing so, this effectively “locks” the drives for data access.  Picking up on Francis’ question (below), do the drives then go through a process of re-encrypting the data (presumably they would)?  If so, I’m presuming this is a rather seamless, background operation with little performance overhead involved?

 

Thanks,

 

Eric Peng | Enterprise Storage Engineer

 
