With the recent release of Data ONTAP 8.0.1, NetApp now offers full disk encryption to prevent unauthorized access to data at rest.
NetApp Storage Encryption (NSE) is a hardware solution that encrypts data at the drive level with the Advanced Encryption Standard (AES) algorithm. Each FIPS 140-2 Level 2 certified drive has a unique data encryption key (DEK), which is used to encrypt and decrypt data on the drive. These drive keys are then wrapped using an "authentication key" (AK) generated by Data ONTAP.
On boot, Data ONTAP requests the authentication key (AK) from the key manager. Upon successful retrieval, the AK is passed to the drive, which allows the DEK to be unwrapped in order to access the disk.
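The key hierarchy and boot-time unlock described above, modelled as an added example (not NetApp code). The page does not name the wrapping algorithm, so `wrap`/`unwrap` use a stand-in built from HMAC-SHA256; the class names, the key ID and the clearing of the DEK on power cycle are assumptions made for illustration.

```python
import hashlib, hmac, os

def generate_ak() -> bytes:
    return os.urandom(32)  # stands in for the AK that Data ONTAP generates

def _mac(ak: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(ak, label + data, hashlib.sha256).digest()

def wrap(ak: bytes, dek: bytes) -> bytes:
    # Stand-in key wrap (assumption): HMAC-derived keystream plus integrity tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _mac(ak, b"ks", nonce)))
    return nonce + ct + _mac(ak, b"tag", nonce + ct)

def unwrap(ak: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _mac(ak, b"tag", nonce + ct)):
        raise PermissionError("authentication key rejected")
    return bytes(a ^ b for a, b in zip(ct, _mac(ak, b"ks", nonce)))

class Drive:
    def __init__(self, ak: bytes):
        # Unique DEK per drive; only the wrapped form is kept at rest.
        self._wrapped = wrap(ak, os.urandom(32))
        self._dek = None  # plaintext DEK exists only while unlocked

    def unlock(self, ak: bytes) -> None:
        self._dek = unwrap(ak, self._wrapped)

    def power_cycle(self) -> None:
        self._dek = None  # assumption: the drive relocks when power is lost

    @property
    def unlocked(self) -> bool:
        return self._dek is not None

class KeyManager:
    def __init__(self):
        self._keys = {}
    def store(self, key_id: str, ak: bytes) -> None:
        self._keys[key_id] = ak
    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]

def boot(drives, key_manager, key_id: str) -> bool:
    ak = key_manager.get(key_id)  # retrieve the AK, then hand it to each drive
    for drive in drives:
        drive.unlock(ak)
    return all(d.unlocked for d in drives)
```

A drive that is pulled from the system and presented with any other key raises `PermissionError` and stays locked, which is the data-at-rest property the wrapping provides.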
NSE also operates below Data ONTAP features, so it’s completely transparent to Deduplication, Compression, etc. It's also worth noting that the performance impact is considered negligible (< 1%) with this solution.
As part of this solution, NetApp will initially support IBM’s Tivoli Key Lifecycle Management version 2 (TKLMv2) server and the SafeNet KeySecure k460 appliance for key management. It is expected that NetApp will expand support for other Key Management Interoperability Protocol (KMIP) compliant key managers in the future.