Security Edit on GitHub

ONTAP Cloud supports data encryption and provides protection against viruses.

Data encryption in Azure

Azure Storage Service Encryption for data at rest is enabled by default for ONTAP Cloud data in Azure.

Customer-managed keys are not supported with ONTAP Cloud.

Data encryption in AWS

You can choose whether to encrypt data on ONTAP Cloud systems in AWS when you create a new working environment. If data encryption is needed, you can choose between AWS-managed encryption and ONTAP Cloud encryption.

Encryption using the AWS KMS

The AWS Key Management Service (KMS) is a managed service that gives you control of encryption keys without having to administer a key management infrastructure. If you choose AWS-managed encryption, Cloud Manager requests data keys using a customer master key (CMK).

If you want to use this encryption option, then you must ensure that the AWS KMS is set up appropriately. For details, see Setting up the AWS KMS.

For more information about the AWS KMS, refer to the following:

ONTAP Cloud encryption

You can protect your data from unauthorized access by using data-at-rest encryption provided by ONTAP Cloud. This optional feature encrypts and decrypts data using encryption keys that are stored on one or more key managers that are under your control.

Communication with key managers is always secure. ONTAP Cloud connects to key managers using a TLS connection and communicates using the Key Management Interoperability Protocol (KMIP).

ONTAP Cloud uses the XTS-AES algorithm, a mode of the Advanced Encryption Standard (AES), to protect data-at-rest. Before data is written to disk, it is encrypted using XTS-AES. When data is read from disk, the encrypted data is decrypted using XTS-AES before being sent to the requester.

If you use the NetApp Storage Encryption feature with a physical FAS system and enable encryption on an ONTAP Cloud system, any data that you replicate between those systems is decrypted before it is replicated and then re-encrypted after it is replicated.

You must set up and configure a key management infrastructure to use ONTAP Cloud encryption. For details, see Setting up ONTAP Cloud encryption.

How ONTAP Cloud encryption works with SafeNet key managers

Understanding how ONTAP Cloud encryption works with SafeNet key managers can help you set up and use the feature. The following graphic shows the steps and components involved in the encryption process when using SafeNet key managers:

This illustration shows how to set up and use ONTAP Cloud encryption. The following text describes this illustration.

  1. The Cloud Manager Admin sets up Cloud Manager as follows:

    1. Generates a certificate signing request (CSR), uses it to obtain a signed certificate from a certificate authority (CA), and then installs the signed certificate in Cloud Manager.

    2. Adds details about key managers and key manager CA certificates in Cloud Manager.

  2. Users launch ONTAP Cloud instances with encryption enabled (it cannot be enabled afterward).

    Cloud Manager sets up ONTAP Cloud by installing the key manager CA certificate, generating and installing a client certificate, configuring the KMIP client, and linking the system to one or more key managers.

    All data on the system is encrypted, except for the root aggregate, which does not contain user data.
  3. For each aggregate, ONTAP Cloud generates and sends an encryption key to key managers.

  4. Each time ONTAP Cloud boots, it authenticates with key managers to obtain encryption keys, which are then stored in cache and never displayed in cleartext.

    ONTAP Cloud communicates with key managers when it boots and when new aggregates are created. It does not communicate with key managers at any other time.
  5. Before data is written to disk, it is encrypted using XTS-AES.

    When data is read from disk, the encrypted data is decrypted using XTS-AES before being sent.

ONTAP virus scanning

You can use integrated antivirus functionality on ONTAP systems to protect data from being compromised by viruses or other malicious code.

ONTAP virus scanning, called Vscan, combines best-in-class third-party antivirus software with ONTAP features that give you the flexibility you need to control which files get scanned and when.

For information about the vendors, software, and versions supported by Vscan, see the NetApp Interoperability Matrix.

For information about how to configure and manage the antivirus functionality on ONTAP systems, see the ONTAP 9 Antivirus Configuration Guide.