cDOT 9.1 , Netapp Volume encryption (NVE) and an external key management server.


cDOT 9.1 , Netapp Volume encryption (NVE) and an external key management server.

jordan slingerland-2
I am just beginning to research a possible deployment of a new 9.1 system hoping to utilize NVE with an external key management server. It turns out the Onboard Key Manager does not appear to be FIPS compliant.

I am not very far down this rabbit hole yet, but the documents I am reading so far only mention the Onboard Key Manager for use with NVE in 9.1.

Could anyone (a) confirm the NVE feature is able to work with an external key management server and (b) recommend any that I might research?

Thanks,

Jordan

 

_______________________________________________
Toasters mailing list
[hidden email]
http://www.teaparty.net/mailman/listinfo/toasters

Fwd: cDOT 9.1 , Netapp Volume encryption (NVE) and an external key management server.

jordan slingerland-2


Based on this slide from NetApp University and the following doc, it looks to me like NVE is OKM only.

Anyone have any information to support otherwise?


https://library.netapp.com/ecm/ecm_download_file/ECMLP2572742

[Inline image: NetApp University slide on NVE, not reproduced]


On Wed, Feb 15, 2017 at 3:27 PM, Michael Bergman <[hidden email]> wrote:
Sorry could not resist: Are you the rabbit or the fox in this...?  :-)
/M


On 2017-02-15 21:22, jordan slingerland wrote:
I am just beginning to research a possible deployment of a new 9.1 system
hoping to utilize NVE with an external key management server. It turns out
the Onboard Key Manager does not appear to be FIPS compliant.

I am not very far down this rabbit hole yet, but the documents I am reading
so far only mention the Onboard Key Manager for use with NVE in 9.1.

Could anyone (a) confirm the NVE feature is able to work with an external
key management server and (b) recommend any that I might research?

Thanks,
Jordan

--
Michael Bergman
Sr Systems Analyst / Storage Architect   [hidden email]
Engineering Hub Stockholm                Phone +46 10 7152945
EMEA N, Operations North, IT Ops Kista   SMS/MMS +46 70 5480835
Ericsson                                 Torshamnsg 33, 16480 Sthlm, Sweden




Fwd: cDOT 9.1 , Netapp Volume encryption (NVE) and an external key management server.

jordan slingerland-2


Based on this slide from NetApp University and the following doc, it looks to me like NVE is OKM only.

Anyone have any information to support otherwise?
On one of the slides here in the 9.1 new features document it says "Federal Internet processing standards 140...level 2 compliance, NSE systems and external KMIP server still required)"

I take that to have the unfortunate meaning that NVE cannot be used with an external key management server.

--Jordan





Re: cDOT 9.1 , Netapp Volume encryption (NVE) and an external key management server.

Sebastian Goetze

You are correct.

From the Power Guide:

NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key accessible only to the storage system ensures that volume data cannot be read if the underlying device is repurposed, returned, misplaced, or stolen.

Both data, including Snapshot copies, and metadata are encrypted. Access to the data is given by a unique XTS-AES-256 key, one per volume. An Onboard Key Manager secures the keys on the same system with your data.

An external KMS would defeat that purpose...

And of course if you're paranoid you can combine NVE with NSE, but only if you decide to use the internal KM (also) for NSE.



Sebastian


On 17/02/15 10:21 PM, jordan slingerland wrote:


Based on this slide from NetApp University and the following doc, it looks to me like NVE is OKM only.

Anyone have any information to support otherwise?
On one of the slides here in the 9.1 new features document it says "Federal Internet processing standards 140...level 2 compliance, NSE systems and external KMIP server still required)"

I take that to have the unfortunate meaning that NVE cannot be used with an external key management server.

--Jordan






