Chapter 5. Expansion units  55
- Requires DOT 8.1 minimum
- Only allowed with HA (dual node) systems
- Provides storage encryption capability (key manager interface)
5.5.2  SED overview
Storage Encryption is the implementation of full disk encryption (FDE) by using 
self-encrypting drives from third-party vendors, such as Seagate and Hitachi. FDE refers to 
encryption of all blocks in a disk drive, whether by software or hardware. NSE is encryption 
that operates seamlessly with Data ONTAP features, such as storage efficiency. This is 
possible because the encryption occurs below Data ONTAP as the data is being written to the 
physical disk.
5.5.3  Threats mitigated by self-encryption
Self-encryption mitigates several threats. The primary threat model it addresses, per the 
Trusted Computing Group (TCG) specification, is the prevention of unauthorized access to 
encrypted data at rest on powered-off disk drives. That is, it prevents someone from removing 
a shelf or drive and mounting it on an unauthorized system. This minimizes the risk of 
unauthorized access to data if drives are stolen from a facility or compromised during 
physical movement of the storage array between facilities. 
Self-encryption also prevents unauthorized data access when drives are returned as spares 
or after drive failure. This includes cryptographic shredding of data for non-returnable 
disk (NRD) and disk repurposing scenarios, and simplified disposal of the drive through disk 
destroy commands, which render the disk unusable. This greatly simplifies the disposal of 
drives and eliminates the need for costly, time-consuming physical drive shredding. 
All data on the drives is automatically encrypted. If you do not want to track where the most 
sensitive data is or risk it being outside an encrypted volume, use NSE to ensure that all data 
is encrypted.
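The following toy model illustrates the mechanism behind sections 5.5.2 and 5.5.3: the drive always encrypts every block under a media encryption key that never leaves the drive, that key is wrapped under an authentication key supplied by the host (in NSE, through the key manager interface), a drive moved to another system without that key yields only ciphertext, and cryptographic shredding is simply discarding the media key. This is an added example written for this text, not code from the Redbook, from Data ONTAP, or from any drive vendor. It assumes a simplified TCG-style key hierarchy, and HMAC-SHA256 in counter mode stands in for the AES engine of a real drive so that it runs with only the Python standard library; the class and function names are invented for the example.

```python
# Toy self-encrypting drive (SED) model. Added example, not Redbook or vendor code.
# Assumption: a real SED uses hardware AES and a TCG-defined key wrap; HMAC-SHA256
# in counter mode stands in for AES here so the example needs only the standard library.
from __future__ import annotations

import hashlib
import hmac
import os

BLOCK = 512  # bytes per logical block address (LBA)


def _keystream(key: bytes, lba: int, length: int) -> bytes:
    """Deterministic per-LBA keystream derived from a key (stand-in for AES-XTS)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _kek(auth_key: bytes) -> bytes:
    """Key-encryption key derived from the host's authentication key."""
    return hashlib.sha256(b"sed-kek|" + auth_key).digest()


class SelfEncryptingDrive:
    def __init__(self) -> None:
        self.media: dict[int, bytes] = {}         # LBA -> ciphertext; survives power cycles
        self._mek: bytes | None = os.urandom(32)  # media encryption key, generated in the drive
        self._wrapped: bytes | None = None        # MEK wrapped under the KEK (persistent)
        self._check: bytes | None = None          # MAC so a wrong auth key is rejected

    def write(self, lba: int, data: bytes) -> None:
        if self._mek is None:
            raise PermissionError("drive is locked")
        data = data.ljust(BLOCK, b"\0")[:BLOCK]
        self.media[lba] = _xor(data, _keystream(self._mek, lba, BLOCK))

    def read(self, lba: int) -> bytes:
        if self._mek is None:
            raise PermissionError("drive is locked")
        return _xor(self.media[lba], _keystream(self._mek, lba, BLOCK))

    def enable_locking(self, auth_key: bytes) -> None:
        """Wrap the MEK under the host key. Existing blocks need no re-encryption:
        they were always encrypted with the MEK, only the MEK's protection changes."""
        kek = _kek(auth_key)
        self._wrapped = _xor(self._mek, _keystream(kek, 0, 32))
        self._check = hmac.new(kek, self._wrapped, hashlib.sha256).digest()

    def power_off(self) -> None:
        """With locking enabled, the plaintext MEK is lost from volatile memory;
        only ciphertext and the wrapped MEK remain on the drive."""
        if self._wrapped is not None:
            self._mek = None

    def unlock(self, auth_key: bytes) -> bool:
        """Unwrap the MEK; a wrong key fails the MAC check and the drive stays locked."""
        if self._wrapped is None or self._check is None:
            return False
        kek = _kek(auth_key)
        expected = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(self._check, expected):
            return False
        self._mek = _xor(self._wrapped, _keystream(kek, 0, 32))
        return True

    def crypto_erase(self) -> None:
        """Cryptographic shredding: replace the MEK. Every block becomes unrecoverable
        without rewriting a single sector (the NRD / repurposing case above)."""
        self._mek = os.urandom(32)
        self._wrapped = None
        self._check = None


def scenarios() -> dict[str, bool]:
    """Walk through the threats the section lists and report whether each is mitigated."""
    results: dict[str, bool] = {}
    auth_key = os.urandom(32)  # constructed: what the key manager would hand the controller
    drive = SelfEncryptingDrive()
    drive.write(7, b"payroll Q3")
    drive.enable_locking(auth_key)
    drive.power_off()
    # Drive or shelf removed and powered up on an unauthorized system without the key.
    try:
        drive.read(7)
        results["locked_read_denied"] = False
    except PermissionError:
        results["locked_read_denied"] = True
    results["wrong_key_rejected"] = not drive.unlock(os.urandom(32))
    results["media_holds_ciphertext"] = b"payroll" not in drive.media[7]
    # Legitimate system presents the key and data is readable again.
    results["right_key_restores"] = (drive.unlock(auth_key)
                                     and drive.read(7).rstrip(b"\0") == b"payroll Q3")
    # Drive returned or repurposed: crypto erase instead of physical shredding.
    drive.crypto_erase()
    results["erased_unreadable"] = drive.read(7).rstrip(b"\0") != b"payroll Q3"
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'mitigated' if ok else 'NOT mitigated'}")
```

The model makes two points the prose leaves implicit. First, enabling locking and erasing are both operations on the key, not on the data, which is why the drive can be locked or shredded in seconds regardless of capacity. Second, the check value matters: a drive that silently accepted any authentication key and returned garbage would be indistinguishable from a corrupt drive to the administrator, whereas rejecting the key makes a key-management failure visible.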
5.5.4  Effect of self-encryption on Data ONTAP features
Self-encryption operates below all Data ONTAP features, such as SnapDrive, SnapMirror, 
and even compression and deduplication. Interoperability with these features should be 
transparent. SnapVault and SnapMirror are supported, but for data at the destination to be 
encrypted, the target must be another self-encrypted system. 
SnapLock cannot be combined with self-encryption, so simultaneous operation of SnapLock 
and self-encryption is not possible. This limitation is being evaluated for a future release 
of Data ONTAP. MetroCluster is not supported because of the lack of support for the SAS 
interface. Support for MetroCluster is targeted for a future release of Data ONTAP.
5.5.5  Mixing drive types
In Data ONTAP 8.1, all drives that are installed within the storage platform must be 
self-encrypting drives. The mixing of encrypted with unencrypted drives or shelves across a 
stand-alone platform or high availability (HA) pair is not supported.