Eric,

So if you already have the data on NSE drives there’s no need to worry about the data if you want to enable the key management after the fact.  Now, with ONTAP 9.x, you have options as to where you want to do your key management.  If you don’t have a FIPS requirement, you can enable the onboard key management directly in ONTAP.  If you do have FIPS requirements and/or want to have a centralized KMS, you can use Gemalto’s (SafeNet) KeySecure and continue.

One other thing to note: since you have the NSE drives, believe it or not, your data is currently encrypted.  It is just with the default manufacturer key, and thus, not truly secure.

HTH


Regards,
André M. Clark

On Tue, Apr 04, 2017 at 18:43 Eric Peng wrote:

Last year, we acquired an all-flash FAS array (AFF8040) for POC.  While this array supports the FDE feature (via SafeNet), the POC requirements did not require us to enable this.  As it sometimes goes, POC is potentially turning into “production” and we are currently taking a look at options to see if it makes sense to convert the POC into an actual purchase.  Am hoping some of you may have a bit of experience with enabling FDE encryption on an array *after* data already exists on an array.


Basically, I need to know if the existing data can safely remain on the disks if the FDE feature is to be introduced now.  I’ve only come across a piece of NetApp marketing literature that indicates this should be non-disruptive, while the technical whitepapers focus on the nuts and bolts of “how to enable FDE”.


Can anyone share definitively whether we must first enable FDE on an array that has SED disks, or whether it is actually safe to introduce FDE on the array after it has been put into use?  Would like to avoid having to migrate off the data and re-configure the array/cluster if I can.


Thanks,


Eric Peng | Enterprise Storage Engineer
Esri | 380 New York St. | Redlands, CA 92373 | USA
T 909 793 2853 x3567 | M 909 367 1691

epeng@esri.com | esri.com