
Configuring Lenovo Volume Encryption

Lenovo Volume Encryption (LVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key accessible only to the storage system ensures that volume data cannot be read if the underlying device is repurposed, returned, misplaced, or stolen.

Understanding LVE

Both data, including Snapshot copies, and metadata are encrypted. Access to the data is given by a unique XTS-AES-256 key, one per volume. An external key management server or Onboard Key Manager serves keys to nodes:

  • The external key management server is a third-party system in your storage environment that serves keys to nodes using the Key Management Interoperability Protocol (KMIP). It is a best practice to configure external key management servers on a different storage system from your data.

  • The Onboard Key Manager is a built-in tool that serves keys to nodes from the same storage system as your data.

Starting with ONTAP 9.7, aggregate and volume encryption is enabled by default if you have a volume encryption (VE) license and use an onboard or external key manager. Once an external or onboard key manager is configured, data-at-rest encryption is configured differently for newly created aggregates and volumes: new aggregates have Lenovo Aggregate Encryption (LAE) enabled by default, and new volumes that are not part of an LAE aggregate have Lenovo Volume Encryption (LVE) enabled by default. If a data storage virtual machine (SVM) is configured with its own key manager using multi-tenant key management, a volume created for that SVM in an LAE aggregate is automatically configured with LVE instead (the aggregate key is not managed by that SVM's key manager, so the volume gets its own per-volume key).

You can enable encryption on a new or existing volume. LVE supports the full range of storage efficiency features, including deduplication and compression.
Note
If you are using SnapLock, you can enable encryption only on new, empty SnapLock volumes. You cannot enable encryption on an existing SnapLock volume.

You can use LVE on any type of aggregate (HDD, SSD, hybrid), with any RAID type, and in any supported ONTAP implementation. You can also use LVE with hardware-based encryption to “double encrypt” data on self-encrypting drives.

Note
Current all-flash array (AFA) and hybrid systems, and later systems, store core dumps on their boot device. When LVE is enabled on these systems, the core dump is also encrypted.

Aggregate-level encryption

Ordinarily, every encrypted volume is assigned a unique key. When the volume is deleted, the key is deleted with it.

Starting with ONTAP 9.6, you can use Lenovo Aggregate Encryption (LAE) to assign keys to the containing aggregate for the volumes to be encrypted. When an encrypted volume is deleted, the keys for the aggregate are preserved. The keys are deleted only after the last encrypted volume in the aggregate is deleted.

You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication. Aggregate-level deduplication is otherwise not supported by LVE.

Starting with ONTAP 9.7, aggregate and volume encryption is enabled by default if you have a volume encryption (VE) license and use an onboard or external key manager.

LVE and LAE volumes can coexist on the same aggregate. Volumes encrypted under aggregate-level encryption are LAE volumes by default. You can override the default when you encrypt the volume.

You can use the volume move command to convert an LVE volume to an LAE volume, and vice versa. You can replicate an LAE volume to an LVE volume.

When to use external key management servers

Although it is less expensive and typically more convenient to use the onboard key manager, you should set up KMIP servers if any of the following are true:

  • Your encryption key management solution must comply with Federal Information Processing Standards (FIPS) 140-2 or the OASIS KMIP standard.

  • You need a multi-cluster solution, with centralized management of encryption keys.

  • Your business requires the added security of storing authentication keys on a system or in a location different from the data.

Scope of external key management

The scope of external key management determines whether key management servers secure all the SVMs in the cluster or selected SVMs only:

  • You can use a cluster scope to configure external key management for all the SVMs in the cluster. The cluster administrator has access to every key stored on the servers.

  • Starting with ONTAP 9.6, you can use an SVM scope to configure external key management for a named SVM in the cluster. That's best for multitenant environments in which each tenant uses a different SVM (or set of SVMs) to serve data. Only the SVM administrator for a given tenant has access to the keys for that tenant.

You can use both scopes in the same cluster. If key management servers have been configured for an SVM, ONTAP uses only those servers to secure keys. Otherwise, ONTAP secures keys with the key management servers configured for the cluster.

Support details

The following table shows LVE support details, listed as the resource or feature followed by its support details:

Platforms: AES-NI offload capability required. See the Lenovo Press to verify that LVE and LAE are supported for your platform.

Encryption: Starting with ONTAP 9.7, newly created aggregates and volumes are encrypted by default when you add a Volume Encryption (VE) license and have an onboard or external key manager configured.

If you need to create an unencrypted aggregate, use the following command: storage aggregate create -encrypt-with-aggr-key false

If you need to create a plain text volume, use the following command: volume create -encrypt false

Encryption is not enabled by default when:
  • A Volume Encryption (VE) license is not installed
  • A key manager is not configured
  • The platform or software does not support encryption
  • Hardware encryption is enabled

ONTAP: All ONTAP implementations.

Devices: HDD, SSD, hybrid.

RAID: RAID4, RAID-DP, RAID-TEC.

Volumes: Data volumes and existing SVM root volumes. You cannot encrypt data on a MetroCluster metadata volume with LVE; see the aggregate-level encryption entry.

Aggregate-level encryption: Starting with ONTAP 9.6, LVE supports aggregate-level encryption (LAE):
  • You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication.
  • You cannot rekey an aggregate-level encryption volume.
  • Secure-purge is not supported on aggregate-level encryption volumes.
  • In addition to data volumes, LAE supports encryption of SVM root volumes and the MetroCluster metadata volume. LAE does not support encryption of the node root volume.

SVM scope: Starting with ONTAP 9.6, LVE supports SVM scope for external key management only, not for Onboard Key Manager. MetroCluster is not supported.

Storage efficiency: Deduplication, compression, compaction, FlexClone. Clones use the same key as the parent, even after splitting the clone from the parent; you are warned to rekey the split clone.

Replication:
  • For volume replication, encryption is a property of the destination volume, which must itself have encryption enabled. The source can be encrypted while the destination is not, and vice versa.
  • For SVM replication, the destination volume is automatically encrypted, unless the destination does not contain a node that supports volume encryption, in which case replication succeeds but the destination volume is not encrypted.
  • For MetroCluster configurations, each cluster pulls external key management keys from its configured key servers. Onboard Key Manager (OKM) keys are replicated to the partner site by the configuration replication service.

Compliance: SnapLock is supported in both Compliance and Enterprise modes, for new volumes only. You cannot enable encryption on an existing SnapLock volume.

FlexGroups: FlexGroups are supported. Destination aggregates must be of the same type as source aggregates, either volume-level or aggregate-level. Starting with ONTAP 9.5, in-place rekey of FlexGroup volumes is supported.
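As an added example (not Lenovo's code and not part of this page), the following Python script applies two of the rules above to a volume inventory: the scope rule from "Scope of external key management" (when key servers are configured for an SVM, only those servers secure that SVM's keys; otherwise the cluster-scoped servers do), and the default-encryption rules from the table (every volume is expected to be encrypted, and a volume belonging to an SVM that has its own key manager is expected to carry a per-volume LVE key rather than an LAE aggregate key). The records are constructed for this example; their shape and the field names encryption.enabled and encryption.type ("none", "volume" for LVE, "aggregate" for LAE) follow what ONTAP's REST endpoint /api/storage/volumes returns, but the SVM, volume and key-server names are assumptions.

```python
"""Audit volume encryption state from an ONTAP REST volume listing.

Added example, not Lenovo's code. The records below are constructed; the
field names follow the ONTAP REST volume resource
(/api/storage/volumes?fields=svm,aggregates,encryption), where
encryption.type is "none", "volume" (LVE) or "aggregate" (LAE).
"""
import json

# Constructed sample inventory (assumed SVM and volume names).
SAMPLE_VOLUMES_JSON = json.dumps({"records": [
    {"name": "svm1_root", "svm": {"name": "svm1"},
     "aggregates": [{"name": "aggr1"}],
     "encryption": {"enabled": True, "type": "aggregate"}},
    {"name": "finance", "svm": {"name": "svm1"},
     "aggregates": [{"name": "aggr1"}],
     "encryption": {"enabled": True, "type": "volume"}},
    {"name": "scratch", "svm": {"name": "svm1"},
     "aggregates": [{"name": "aggr1"}],
     "encryption": {"enabled": False, "type": "none"}},
    {"name": "tenant_data", "svm": {"name": "tenant_a"},
     "aggregates": [{"name": "aggr1"}],
     "encryption": {"enabled": True, "type": "aggregate"}},
    {"name": "fg1", "svm": {"name": "svm1"},
     "aggregates": [{"name": "aggr1"}, {"name": "aggr2"}],
     "encryption": {"enabled": True, "type": "volume"}},
]})

# Assumed key-management layout: cluster-scoped KMIP servers for every SVM,
# plus SVM-scoped servers for one tenant (multi-tenant key management).
CLUSTER_KEY_SERVERS = ["kmip1.example.net:5696", "kmip2.example.net:5696"]
SVM_KEY_SERVERS = {"tenant_a": ["kmip-tenant-a.example.net:5696"]}


def key_servers_for(svm, cluster_servers=CLUSTER_KEY_SERVERS,
                    svm_servers=SVM_KEY_SERVERS):
    """Return the key servers that secure keys for the given SVM.

    ONTAP's rule: if servers are configured for the SVM, only those are
    used; otherwise the cluster-scoped servers are.
    """
    return list(svm_servers.get(svm) or cluster_servers)


def audit(volumes_json, svm_servers=SVM_KEY_SERVERS):
    """Return (volume, finding, detail) tuples for volumes that deviate
    from the expected data-at-rest configuration."""
    findings = []
    for vol in json.loads(volumes_json)["records"]:
        svm = vol["svm"]["name"]
        label = "{}:{}".format(svm, vol["name"])
        enc = vol.get("encryption", {})
        if not enc.get("enabled"):
            # Default encryption was overridden (volume create -encrypt false)
            # or one of the "not enabled by default" conditions applies.
            findings.append((label, "unencrypted",
                             "data remains readable if the media is "
                             "repurposed, returned, misplaced or stolen"))
            continue
        if svm in svm_servers and enc.get("type") == "aggregate":
            # An SVM with its own key manager gets LVE volumes: the LAE
            # aggregate key is not under that SVM's key servers.
            servers = key_servers_for(svm, svm_servers=svm_servers)
            findings.append((label, "lae-under-svm-keys",
                             "expected a per-volume LVE key; keys for this "
                             "SVM should come from " + ", ".join(servers)))
    return findings


def summarize(volumes_json):
    """Count volumes by encryption type ("volume", "aggregate", "none")."""
    counts = {"volume": 0, "aggregate": 0, "none": 0}
    for vol in json.loads(volumes_json)["records"]:
        enc = vol.get("encryption", {})
        kind = enc.get("type", "none") if enc.get("enabled") else "none"
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_VOLUMES_JSON))
    for label, finding, detail in audit(SAMPLE_VOLUMES_JSON):
        print("{:<24} {:<20} {}".format(label, finding, detail))
```

Against the sample, the audit flags svm1:scratch as unencrypted and tenant_a:tenant_data as an LAE volume under an SVM that manages its own keys; everything else matches the defaults described above. To run it against a real cluster, replace SAMPLE_VOLUMES_JSON with the body returned by the REST endpoint named in the docstring and fill the two key-server tables from your cluster's key-manager configuration.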