Based on this slide from NetApp University and the following doc, it looks to me like NVE is OKM only.
Anyone have any information to support otherwise?
https://library.netapp.com/ecm/ecm_download_file/ECMLP2572742
(my screenshot of university slide was blocked due to size)
https://netapp.sabacloud.com/Saba/Web_spf/NA1PRD0047/common/leclassdetail/regdw000000003193830
On one of the slides here in the 9.1 new features document it says "Federal Internet processing standards 140...level 2 compliance, NSE systems and external KMIP server still required"
I take that to have the unfortunate meaning that NVE cannot be used with an external key management server.
--Jordan
You are correct.
From the Power Guide:
NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An _encryption key accessible only to the storage system_ ensures that volume data cannot be read if the underlying device is _repurposed_, returned, misplaced, or stolen.
Both data, including Snapshot copies, and metadata are encrypted. Access to the data is given by a unique XTS-AES-256 key, one per volume. An Onboard Key Manager _secures the keys on the same system_ with your data.
An external KMS would defeat that purpose...
And of course, if you're paranoid, you can combine NVE with NSE, but only if you decide to use the internal KM (also) for NSE.
Sebastian
On 17/02/15 10:21 PM, jordan slingerland wrote:
Based on this slide from NetApp University and the following doc, it looks to me like NVE is OKM only.
Anyone have any information to support otherwise?
https://library.netapp.com/ecm/ecm_download_file/ECMLP2572742
(my screenshot of university slide was blocked due to size)
https://netapp.sabacloud.com/Saba/Web_spf/NA1PRD0047/common/leclassdetail/regdw000000003193830
On one of the slides here in the 9.1 new features document it says "Federal Internet processing standards 140...level 2 compliance, NSE systems and external KMIP server still required"
I take that to have the unfortunate meaning that NVE cannot be used with an external key management server.
--Jordan
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters