Last year, we acquired an all-flash FAS array (AFF8040) for POC. While this array supports the FDE feature (via SafeNet), the POC requirements did not require us to enable this. As it sometimes goes, POC is potentially turning into "production" and we are currently taking a look at options to see if it makes sense to convert the POC into an actual purchase. Am hoping some of you may have a bit of experience with enabling FDE encryption on an array *after* data already exists on an array.
Basically, need to know if the existing data can safely remain on the disks if FDE feature is to be introduced now? I've only come across a piece of NetApp marketing literature that indicates this should be non-disruptive, while the technical whitepapers focus on the nuts and bolts of "how to enable FDE".
Can anyone share definitively whether we must first enable FDE on an array that has SED disks, or whether it is actually safe to introduce FDE on the array after it has been put into use? Would like to avoid having to migrate off the data and re-configure the array/cluster if I can.
Thanks,
Eric Peng | Enterprise Storage Engineer
Esri | 380 New York St. | Redlands, CA 92373 | USA
T 909 793 2853 x3567 | M 909 367 1691
epeng@esri.com | esri.com
Eric,
So if you already have the data on NSE drives there’s no need to worry about the data if you want to enable the key management after the fact. Now, with ONTAP 9.x, you have options as to where you want to do your key management. If you don’t have a FIPS requirement, you can enable the onboard key management directly in ONTAP. If you do have FIPS requirements and/or want to have a centralized KMS, you can use Gemalto’s (SafeNet) KeySecure and continue.
One other thing to note, since you have the NSE drives, believe it or not, but your data is currently encrypted. It is just with the default manufacturer key, and thus, not truly secure.
HTH
Regards,
André M. Clark
On Tue, Apr 04, 2017 at 18:43 Eric Peng <epeng@esri.com> wrote:
Last year, we acquired an all-flash FAS array (AFF8040) for POC. While this array supports the FDE feature (via SafeNet), the POC requirements did not require us to enable this. As it sometimes goes, POC is potentially turning into “production” and we are currently taking a look at options to see if it makes sense to convert the POC into an actual purchase. Am hoping some of you may have a bit of experience with enabling FDE encryption on an array *after* data already exists on an array.
Basically, need to know if the existing data can safely remain on the disks if FDE feature is to be introduced now? I’ve only come across a piece of NetApp marketing literature that indicates this should be non-disruptive, while the technical whitepapers focus on the nuts and bolts of “how to enable FDE”.
Can anyone share definitively whether we must first enable FDE on an array that has SED disks, or whether it is actually safe to introduce FDE on the array after it has been put into use? Would like to avoid having to migrate off the data and re-configure the array/cluster if I can.
Thanks,
Eric Peng | Enterprise Storage Engineer
Esri | 380 New York St. | Redlands, CA 92373 | USA
T 909 793 2853 x3567 | M 909 367 1691
epeng@esri.com
Hi Andre,
Thanks for your quick response. That confirms our intuitive understanding from reading the NetApp whitepapers that the SED disks were in fact encrypting the data when writing to disk, even though we have not yet turned on NSE on the controllers. Because of potential, upcoming FIPS requirements (still being worked out), we would mostly involve an external key manager like SafeNet. Do you know if later enabling external key management would be disruptive in nature, requiring a reboot of both HA controllers?
Thanks, Eric Peng
Sent from my Samsung Galaxy smartphone.
-------- Original message --------
From: "Andre M. Clark" <andre.m.clark@gmail.com>
Date: 4/4/17 5:28 PM (GMT-08:00)
To: Eric Peng <epeng@esri.com>, Toasters@teaparty.net
Cc: iststorage <iststorage@esri.com>
Subject: ONTAP 9 -- Full Disk Encryption (FDE)
Eric,
So if you already have the data on NSE drives there's no need to worry about the data if you want to enable the key management after the fact. Now, with ONTAP 9.x, you have options as to where you want to do your key management. If you don't have a FIPS requirement, you can enable the onboard key management directly in ONTAP. If you do have FIPS requirements and/or want to have a centralized KMS, you can use Gemalto's (SafeNet) KeySecure and continue.
One other thing to note, since you have the NSE drives, believe it or not, but your data is currently encrypted. It is just with the default manufacturer key, and thus, not truly secure.
HTH
Regards, André M. Clark
Eric,
Adding SafeNet to the environment is not disruptive. However, as part of the installation process, a storage failover is part of the process as the installation engineer must verify that the controller is communicating properly with the external KMS. If, during a power cycle, the node can’t communicate to the KMS then that node will not be able to connect to the storage and thus, no access to the data. Now, this doesn’t mean that you are dead in the water (i.e. KMS is offline). There is a way via the LOADER prompt and provided that you have the secure passphrase (another item that will be decided upon and secured externally during initial configuration) you can boot the system up and access the data.
Regards,
André M. Clark
On Tue, Apr 04, 2017 at 20:40 Eric Peng <epeng@esri.com> wrote:
Hi Andre,
Thanks for your quick response. That confirms our intuitive understanding from reading the NetApp whitepapers that the SED disks were in fact encrypting the data when writing to disk, even though we have not yet turned on NSE on the controllers. Because of potential, upcoming FIPS requirements (still being worked out), we would mostly involve an external key manager like SafeNet. Do you know if later enabling external key management would be disruptive in nature, requiring a reboot of both HA controllers?
Thanks,
Eric Peng
Sent from my Samsung Galaxy smartphone.
Andre,
Picking up on your earlier comment about manufacturer’s key not being truly secure, if a KMS is deployed after data creation, then would the already encrypted data need to be re-encrypted with the new key?
Francis Kim
Cell: 415-606-2525
Direct: 510-644-1599 x334
fkim@berkcom.com
www.berkcom.com
On Apr 4, 2017, at 5:47 PM, Andre M. Clark <andre.m.clark@gmail.com> wrote:
Eric,
Adding SafeNet to the environment is not disruptive. However, as part of the installation process, a storage failover is part of the process as the installation engineer must verify that the controller is communicating properly with the external KMS. If, during a power cycle, the node can’t communicate to the KMS then that node will not be able to connect to the storage and thus, no access to the data. Now, this doesn’t mean that you are dead in the water (i.e. KMS is offline). There is a way via the LOADER prompt and provided that you have the secure passphrase (another item that will be decided upon and secured externally during initial configuration) you can boot the system up and access the data.
Regards, André M. Clark
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
Andre,
Thanks for your input about power-cycling the controllers (via failover process). That makes sense. After reviewing your comments and some additional NetApp literature, it looks like the NSE drives ship from the factory with key ID of 0x0 and are in an “unlocked” state (i.e., no requirement for key ID or passphrase) for data access. When we get to the point of setting up an external key management system (SafeNet) with these controllers, we’ll rekey these drives with our own key and provide a passphrase. By doing so, this effectively “locks” the drives for data access. Picking up on Francis’ question (below), do the drives then go through a process of re-encrypting the data (presumably they would)? If so, I’m presuming this is a rather seamless, background operation with little performance overhead involved?
Thanks,
Eric Peng | Enterprise Storage Engineer
From: Francis Kim [mailto:fkim@berkcom.com]
Sent: Tuesday, April 04, 2017 7:24 PM
To: Andre M. Clark <andre.m.clark@gmail.com>
Cc: Eric Peng <epeng@esri.com>; Toasters@teaparty.net; iststorage <iststorage@esri.com>
Subject: Re: ONTAP 9 -- Full Disk Encryption (FDE)
Andre,
Picking up on your earlier comment about manufacturer’s key not being truly secure, if a KMS is deployed after data creation, then would the already encrypted data need to be re-encrypted with the new key?
Francis Kim
Cell: 415-606-2525
Direct: 510-644-1599 x334
fkim@berkcom.com
www.berkcom.com
Eric,
I just replied to Francis with an update that should clarify. The long and the short of it is that no “reencryption” of the data is necessary. It is a transfer of the authentication keys to an external KMIP.
Regards,
André M. Clark
On Wed, Apr 05, 2017 at 14:28 Eric Peng <epeng@esri.com> wrote:
Andre,
Thanks for your input about power-cycling the controllers (via failover process). That makes sense. After reviewing your comments and some additional NetApp literature, it looks like the NSE drives ship from the factory with key ID of 0x0 and are in an “unlocked” state (i.e., no requirement for key ID or passphrase) for data access. When we get to the point of setting up an external key management system (SafeNet) with these controllers, we’ll rekey these drives with our own key and provide a passphrase. By doing so, this effectively “locks” the drives for data access. Picking up on Francis’ question (below), do the drives then go through a process of re-encrypting the data (presumably they would)? If so, I’m presuming this is a rather seamless, background operation with little performance overhead involved?
Thanks,
Eric Peng | Enterprise Storage Engineer
Francis,
Apologies for my delayed response as I have been quite busy today. I’m including an excerpt from NetApp documentation around the process to see if this may clear up any confusion as I wasn’t using exact terms.
Authentication Keys (AK) and changes to them do not affect the disk encryption keys
When a system is first brought up, the NSE disks are openly available to the system without need for authentication. The disks themselves automatically encrypt data written to them and decrypt it when read and maintain these disk encryption keys (AKA media encryption keys) within themselves. The controls are not yet set to protect a disk that leaves the system. The system may be operated in this unprotected mode indefinitely. The NSE disks simply act like other disks.
When the servers are made available and the required SSL/TLS certificates are properly installed, the setup of the connections between the KMIP servers and the cluster is made. Thereafter, authentication keys can be created and the controls in the disks set to protect the data. Then, if the disks are power-cycled, such as would happen if a disk is removed and placed on another system, that system cannot give the required AK (safely on an SSL-protected key server) to unlock access to the data.
Modifying authentication keys does not affect the encryption keys. Data that is written to the disks in the period before KMIP server setup and AK changes is still present. Once the controls are set, then all data on the disks is protected, whether it existed before or after the protections were applied.
I hope this clarifies what I mentioned in my earlier replies and apologies if I caused any confusion.
Regards,
André M. Clark
On Tue, Apr 04, 2017 at 22:23 Francis Kim <fkim@berkcom.com> wrote:
Andre,
Picking up on your earlier comment about manufacturer’s key not being truly secure, if a KMS is deployed after data creation, then would the already encrypted data need to be re-encrypted with the new key?
Francis Kim
Cell: 415-606-2525
Direct: 510-644-1599 x334
fkim@berkcom.com
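The split between authentication keys and media encryption keys discussed in this thread can be seen in a small model. This is an added example, not NetApp, SafeNet or drive-firmware code and not from any poster. The class `ToySED`, the SHA-256 keystream standing in for the drive's cipher hardware, the PBKDF2-based key wrap and the all-zero `DEFAULT_AK` are assumptions made for illustration.

```python
"""Toy model of a self-encrypting drive: media encryption key (MEK) vs authentication key (AK)."""
import hashlib
import hmac
import secrets

# Constructed stand-in for the factory-default credential (the thread's "key ID 0x0").
DEFAULT_AK = b"\x00" * 32


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _cipher(mek, lba, data):
    """Stand-in for the drive's cipher engine: SHA-256 counter-mode keystream, not AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(mek + lba.to_bytes(8, "big") + off.to_bytes(8, "big")).digest()
        out += _xor(data[off:off + 32], pad)
    return bytes(out)


def _kek(ak, salt):
    """Key-encryption key derived from the AK (assumed wrapping scheme for this sketch)."""
    return hashlib.pbkdf2_hmac("sha256", ak, salt, 1000)


class ToySED:
    def __init__(self):
        mek = secrets.token_bytes(32)   # generated inside the drive, never exported
        self._media = {}                # persistent: LBA -> ciphertext
        self._protected = False         # persistent: factory state needs no AK
        self._store_wrapped(DEFAULT_AK, mek)
        self._mek = mek                 # volatile copy: lost on power cycle

    def _store_wrapped(self, ak, mek):
        # Only the wrapped MEK and a verification tag are kept persistently.
        self._salt = secrets.token_bytes(16)
        kek = _kek(ak, self._salt)
        self._wrapped = _xor(mek, kek)
        self._tag = hmac.new(kek, self._wrapped, "sha256").digest()

    def unlock(self, ak):
        """Present an AK; returns False and stays locked if it is not the current one."""
        kek = _kek(ak, self._salt)
        tag = hmac.new(kek, self._wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, self._tag):
            return False
        self._mek = _xor(self._wrapped, kek)
        return True

    def power_cycle(self):
        self._mek = None
        if not self._protected:         # unprotected drives open themselves again
            self.unlock(DEFAULT_AK)

    def set_authentication_key(self, new_ak):
        """Rekey: re-wraps the same MEK under a new AK; the media is never touched."""
        self._store_wrapped(new_ak, self._need_mek())
        self._protected = True

    def _need_mek(self):
        if self._mek is None:
            raise PermissionError("drive is locked")
        return self._mek

    def write(self, lba, data):
        self._media[lba] = _cipher(self._need_mek(), lba, data)

    def read(self, lba):
        return _cipher(self._need_mek(), lba, self._media[lba])

    def raw_media(self):
        return dict(self._media)        # ciphertext as it sits on the platters/flash


def demo():
    plaintext = b"data written during the POC"      # constructed sample data
    drive = ToySED()
    drive.write(0, plaintext)                       # written before any KMS exists
    before = drive.raw_media()
    drive.power_cycle()                             # unprotected mode: still readable
    result = {"readable_before_protection": drive.read(0) == plaintext}
    site_ak = secrets.token_bytes(32)               # would be held by the key server
    drive.set_authentication_key(site_ak)
    result["media_unchanged_by_rekey"] = drive.raw_media() == before
    drive.power_cycle()                             # e.g. drive pulled from the shelf
    try:
        drive.read(0)
        result["locked_after_power_cycle"] = False
    except PermissionError:
        result["locked_after_power_cycle"] = True
    result["wrong_ak_rejected"] = not drive.unlock(secrets.token_bytes(32))
    result["unlocked_with_site_ak"] = drive.unlock(site_ak)
    result["recovered"] = drive.read(0)
    return result


if __name__ == "__main__":
    print(demo())
```

The ciphertext comparison before and after `set_authentication_key` is the point of interest: setting the AK changes who can open the drive after a power cycle, while the stored data and the key that encrypts it stay the same.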