HashiCorp and NetApp: New Key Server Partnership
Daniel Tulledge
NetApp’s most security-conscious customers require an external key server to ensure that keys used for data-at-rest encryption are fully protected. Customers are demanding Oasis Key Management Interoperability Protocol (KMIP) compliant key managers that are fortified, scalable, and easy to implement and use. Many NetApp customers are adopting HashiCorp Vault as their preferred external key management standard. Now, NetApp and HashiCorp have partnered together to deliver a leading security solution that meets customers’ stringent requirements.
Multiple Encryption Choices
External key managers can be used to store encryption keys for NetApp’s software-based and hardware-based data-at-rest encryption methods, which are integrated into our industry-leading ONTAP® data management software.There are two types of software-based encryption, NetApp® Volume Encryption (NVE) and NetApp Aggregate Encryption (NAE). NVE and NAE protect data from theft if a disk is repurposed, sent in for Return Material Authorization, misplaced, or stolen. NVE and NAE allow you to encrypt your data while maintaining NetApp storage efficiencies such as deduplication and compression. With NAE, you can also maintain aggregate deduplication.
There are also two types of hardware-based encryption, NetApp Storage Encryption (NSE) and NVMe self-encrypting drives (SEDs). With NSE and NVMe SEDs, your data is always protected. They are independent of the file system and network, so no action is required by the operator when aggregates, volumes, shares, or LUNs are created or deleted.
You can further increase the security of your at-rest data by taking advantage of the industry’s first double encryption solution. Use two distinct layers by combining NSE or NVMe SEDs with NVE or NAE for an even more robust encryption solution.
HashiCorp Vault Enterprise 1.3 with NetApp ONTAP Based Systems
HashiCorp’s Vault Enterprise 1.3 is KMIP compliant, which is a requirement for ONTAP interoperability for key management. The entire NetApp portfolio of ONTAP based systems can use HashiCorp Vault as an external KMIP server: AFF all-flash systems, FAS hybrid-flash systems, ONTAP Select software-defined storage, and Cloud Volumes ONTAP (CVO) deployed in all the major public cloud providers. Vault delivers what customers require—a KMIP-compliant key manager that is secure, scalable, and easy to implement for ONTAP software-based and hardware-based data-at-rest encryption.
NetApp has recently completed Vault 1.3 validation testing with ONTAP 9.7, 9.6, and 9.3 to satisfy our customers’ requirements for using Vault as their preferred key server. See the NetApp Interoperability Matrix Tool (IMT) to stay up to date on the latest validations of Vault with ONTAP.
For more information about implementation of HashiCorp Vault with ONTAP, check out this HashiCorp Blog.
Daniel Tulledge
Dan is a Senior Technical Marketing Engineer for ONTAP Security for nearly two years at NetApp. He has focused on all aspects ONTAP hardening including encryption in flight and at rest, multifactor authentication, as well as addressing compliance issues with ONTAP such as requirements for the Payment Card Industry or the EU General Data Protection Regulation. He has thirty plus years of experience in the networking and security technology industry. Most recently, Dan worked for Cisco Systems Inc. for 17 years in senior technical marketing, product development, services operations architecture positions spanning a large breadth of Cisco technologies with emphasis on product security features, cyber security and trustworthy systems. Prior to Cisco, he worked at AlliedSignal, IBM, and CA.
