You are correct.

From the Power Guide:

NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key accessible only to the storage system ensures that volume data cannot be read if the underlying device is repurposed, returned, misplaced, or stolen.

Both data, including Snapshot copies, and metadata are encrypted. Access to the data is given by a unique XTS-AES-256 key, one per volume. An Onboard Key Manager secures the keys on the same system with your data.

An external KMS would defeat that purpose...

And of course, if you're paranoid, you can combine NVE with NSE, but only if you decide to use the internal KM (also) for NSE.



Sebastian


On 17/02/15 10:21 PM, jordan slingerland wrote:


Based on this slide from NetApp University and the following doc, it looks to me like NVE is OKM only.

Anyone have any information to support otherwise? 
On one of the slides here in the 9.1 new features document it says "Federal Internet processing standards 140...level 2 compliance, NSE systems and external KMIP server still required)".

I take that to have the unfortunate meaning that NVE cannot be used with an external key management server.

--Jordan





_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters