Eric,

Adding SafeNet to the environment is not disruptive.  However, as part of the installation process, a storage failover is part of the process as the installation engineer must verify that the controller is communicating properly with the external KMS.  If, during a power cycle, the node can’t communicate to the KMS then that node will not be able to connect to the storage and thus, no access to the data.  Now, this doesn’t mean that you are dead in the water (i.e. KMS is offline).  There is a way via the LOADER prompt and provided that you have the secure passphrase (another item that will be decided upon and secured externally during initial configuration) you can boot the system up and access the data.


Regards,
André M. Clark

On Tue, Apr 04, 2017 at 20:40 Eric Peng <Eric Peng > wrote:
Hi Andre,

Thanks for your quick response.  That confirms our intuitive understanding from reading the NetApp whitepapers that the SED disks were in fact encrypting the data when writing to disk, even though we have not yet turned on NSE on the controllers.  Because of potential, upcoming FIPS requirements (still being worked out), we would mostly involve an external key manager like SafeNet.  Do you know if later enabling external key management would be disruptive in nature, requiring a reboot of both HA controllers?

Thanks,
Eric Peng 


Sent from my Samsung Galaxy smartphone.



-------- Original message --------
From: "Andre M. Clark" <andre.m.clark@gmail.com>
Date: 4/4/17 5:28 PM (GMT-08:00)
To: Eric Peng <epeng@esri.com>, Toasters@teaparty.net
Cc: iststorage <iststorage@esri.com>
Subject: ONTAP 9 -- Full Disk Encryption (FDE)

Eric,

So if you already have the data on NSE drives there’s no need to worry about the data if you want to enable the key management after the fact.  Now, with ONTAP 9.x, you have options as to where you want to do your key management.  If you don’t have a FIPS requirement, you can enable the onboard key management directly in ONTAP.  If you do have FIPS requirements and/or want to have a centralized KMS, you can use Gemalto’s (SafeNet) KeySecure and continue.

One other thing to note, since you have the NSE drives, believe it or not, but your data is currently encrypted.  It is just with the default manufacturer key, and thus, not truly secure.

HTH


Regards,
André M. Clark

On Tue, Apr 04, 2017 at 18:43 Eric Peng <Eric Peng > wrote:

Last year, we acquired an all-flash FAS array (AFF8040) for POC.  While this array supports the FDE feature (via SafeNet), the POC requirements did not require us to enable this.  As it sometimes goes, POC is potentially turning into “production” and we are currently taking a look at options to see if it makes sense to convert the POC into an actual purchase.  Am hoping some of you may have a bit of experience with enabling FDE encryption on an array *after* data already exists on an array.

 

Basically, need to know if the existing data can safely remain on the disks if FDE feature is to be introduced now?  I’ve only come across a piece of NetApp marketing literature that indicates this should be non-disruptive, while the technical whitepapers focus on the nuts and bolts of “how to enable FDE”.

 

Can anyone share definitively whether we must first enable FDE on an array that has SED disks, or whether it is actually safe to introduce FDE on the array after it has been put into use?  Would like to avoid having to migrate off the data and re-configure the array/cluster if I can.

 

Thanks,

 

Eric Peng | Enterprise Storage Engineer
Esri | 380 New York St. | Redlands, CA 92373 | USA
T 909 793 2853 x3567 | M 909 367 1691
epeng@esri.com | esri.com