Mailing List Archive

cDOT 9.1, NetApp Volume Encryption (NVE) and an external key management server.
I am just beginning to research a possible deployment of a new 9.1 system
hoping to utilize NVE with an external key management server. It turns out
the Onboard Key Manager does not appear to be FIPS compliant.

I am not very far down this rabbit hole yet, but the documents I am reading
so far only mention the Onboard Key Manager for use with NVE in 9.1.

Could anyone (a) confirm the NVE feature is able to work with an external
key management server and (b) recommend any that I might research?

Thanks,

Jordan
Re: cDOT 9.1, NetApp Volume Encryption (NVE) and an external key management server.
You are correct.

From the Power Guide:

NetApp Volume Encryption (NVE) is a software-based technology for
encrypting data at rest one volume at a time. An encryption key
accessible only to the storage system ensures that volume data
cannot be read if the underlying device is repurposed, returned,
misplaced, or stolen.

Both data, including Snapshot copies, and metadata are encrypted.
Access to the data is given by a unique XTS-AES-256 key, one per
volume. An Onboard Key Manager secures the keys on the same system
with your data.

An external KMS would defeat that purpose...

And of course, if you're paranoid you can combine NVE with NSE, but only
if you decide to use the internal KM (also) for NSE.



Sebastian


On 17/02/15 10:21 PM, jordan slingerland wrote:
>
> Based on this slide from the netapp university and the following doc,
> it looks to me like NVE is OKM only.
>
> Anyone have any information to support otherwise?
>
> https://library.netapp.com/ecm/ecm_download_file/ECMLP2572742
>
> (my screenshot of university slide was blocked due to size)
>
> https://netapp.sabacloud.com/Saba/Web_spf/NA1PRD0047/common/leclassdetail/regdw000000003193830
>
> On one of the slides here in the 9.1 new features document it says
> "Federal Internet processing standards 140...level 2 compliance, NSE
> systems and external KMIP server still required)"
>
> I take that to have the unfortunate meaning that NVE cannot be used
> with an external key management server.
>
> --Jordan
>
> _______________________________________________
> Toasters mailing list
> Toasters@teaparty.net
> http://www.teaparty.net/mailman/listinfo/toasters