Reducing Risk in OpenStack with NetApp Part 1: Encryption 

Welcome to part one of a series on reducing risk in OpenStack with NetApp.  Whether you are already running OpenStack, or are considering running it, the security of your data should always be at the forefront of your thoughts.  NetApp has many features that work in concert with our OpenStack drivers to give you peace of mind for your data.

Over the course of this series we will cover the following topics:

  • NetApp Volume Encryption (this post)
  • Protecting data against accidental deletes with snapshot copies
  • Using SnapMirror to do off-site data backups
  • Protecting against drive failures with RAID-DP/Helix
  • Having a professional to call when something goes wrong

There are two types of encryption you need to be concerned with: data at rest and data in flight. Data at rest involves how data is encrypted as it is stored on stable storage. Data in flight involves data as it is transmitted over networks. In this article, we will focus on data-at-rest encryption.

Data-at-rest encryption is a current requirement in most audit guidelines.  PCI and HIPAA have encryption at rest and in motion as a requirement, and SOX strongly recommends it.  NetApp lets you accomplish encryption at rest very easily, with any type of disk.  NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. An encryption key that is accessible only to the storage system ensures that volume data cannot be read if the underlying drive is repurposed, returned, misplaced, or stolen. The individual volume-level granularity of NVE opens up the ability to securely crypto-shred individual datasets for targeted data sanitization in service provider or other shared workload environments.

With ONTAP 9.3 (released in January 2018), NVE has been enhanced further to offer both onboard and offboard KMIP-based (Key Management Interoperability Protocol) key management solutions, as well as support for encrypting existing volumes in place.  For more information on KMIP see the official information page at OASIS.

ONTAP

NetApp Volume Encryption

For OpenStack this means that the Cinder, Glance, and Nova volumes that are presented can all be encrypted with little to no performance overhead.

Using NVE is very easy.  The first thing you need, of course, is an ONTAP system.  The second thing you need to do is to request a free license for NVE from your account sales team.  We do this so that your NetApp account can be updated as an NVE user.  Once you have the license, installing it is a simple matter of running:

The quickest and easiest way to get started once you have the license is to leverage the onboard key manager.  However, if you are running ONTAP 9.3 or later, to fully secure your volumes we recommend using an external key manager so that your keys are not stored with your data.  To start the onboard key manager setup wizard, run:

The wizard will prompt you for a 32-256 character key.  Be sure you store this someplace safe, but not on the ONTAP system, as you will need it for data recovery should something happen to your physical systems.  You will also want to make a manual backup of the key manager’s key.

Copy the output and store it somewhere safe and outside of the ONTAP system as well.

Using NVE with Cinder

Creating a volume that will be encrypted, your Cinder volume for example, is very simple.  It’s actually only a small addition to your normal volume create command.

The important part of the command from an encryption point is -encrypt true.  Setting this flag tells ONTAP that everything in that volume should be encrypted as it’s written to disk.

Volume data encryption can be verified with a vol show command.

If you have already created volumes that you need to encrypt, there are two methods for doing so, depending on which version of ONTAP you are using.  Starting in 9.3, volumes can be converted to encrypted volumes in place, without any disruption to end user operations.  In versions prior to 9.3, the volume can be encrypted using a vol move, during which there must be no data access to the volume at the time of cutover, though no host configurations will have to be changed.
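The create flag, the vol show check and both conversion paths described above, as an added shell example that is not part of the original post. It assumes the tabular output format of the ONTAP clustershell command `volume show -vserver <svm> -fields volume,aggregate,is-encrypted`, and the SVM, volume and aggregate names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits an SVM's volumes for
# NVE from the tabular output of the ONTAP clustershell command
#   volume show -vserver <svm> -fields volume,aggregate,is-encrypted
# and prints the conversion command for each unencrypted volume. The sample
# output below is constructed; in practice you would pipe in the output of
# that command, e.g. from "ssh admin@<cluster-mgmt-lif> ...".

# Constructed sample of the clustershell output (header, separator, rows, trailer).
SAMPLE_VOL_SHOW='vserver    volume        aggregate is-encrypted
---------- ------------- --------- ------------
svm_cinder cinder_vol01  aggr1     true
svm_cinder cinder_vol02  aggr1     false
svm_cinder glance_images aggr2     false
3 entries were displayed.'

# The flag that makes a new volume encrypted at creation time: -encrypt true.
create_cmd() {
    echo "volume create -vserver $1 -volume $2 -aggregate $3 -size $4 -encrypt true"
}

# Read clustershell tabular output on stdin; print "<vserver> <volume> <aggregate>"
# for every row whose is-encrypted column is false. Header, separator and the
# "N entries were displayed." trailer have a different shape and are skipped.
unencrypted_volumes() {
    awk 'NR > 2 && NF == 4 && $4 == "false" { print $1, $2, $3 }'
}

# Pick the conversion path by ONTAP version: in-place conversion from 9.3,
# otherwise a volume move onto the same aggregate with an encrypted destination.
remediation_cmd() {
    vserver=$1; volume=$2; aggregate=$3; major=$4; minor=$5
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 3 ]; }; then
        echo "volume encryption conversion start -vserver $vserver -volume $volume"
    else
        echo "volume move start -vserver $vserver -volume $volume -destination-aggregate $aggregate -encrypt-destination true"
    fi
}

# Run the audit over the sample and return the number of unencrypted volumes.
audit_sample() {
    printf '%s\n' "$SAMPLE_VOL_SHOW" | unencrypted_volumes | wc -l | tr -d ' '
}

# Print the remediation command for each unencrypted volume (ONTAP 9.3 assumed).
printf '%s\n' "$SAMPLE_VOL_SHOW" | unencrypted_volumes |
while read -r vs vol aggr; do remediation_cmd "$vs" "$vol" "$aggr" 9 3; done
```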

The full documentation for NVE setup can be found here.

SolidFire

For SolidFire, cluster-level encryption can be set up from the web UI.  You do need an account with admin rights.  To enable encryption, follow these steps:

  1. Go to Cluster > Settings.
  2. Click Enable Encryption at Rest.

To disable encryption at rest, click Disable Encryption at Rest.

E-Series

On E-Series systems, encryption is configured at either the pool level or the volume group level.

When setting up a pool you can enable encryption by following these steps:

  1. Select Storage > Pools & Volume Groups.
  2. Click Create > Pool. The Create Pool dialog box appears.
  3. Type a name for the pool.
  4. (Optional) If you have more than one type of drive in your storage array, select the drive type that you want to use. The results table lists all the possible pools that you can create.
  5. Select the pool candidate that you want to use based on the following characteristics, and then click Create.

The pool candidate characteristics you will need are ‘Secure-Capable’ and ‘Enable Security?’

For Volume Groups:

  1. Select Storage > Pools & Volume Groups.
  2. Click Create > Volume group. The Create Volume Group dialog box appears.
  3. Type a name for the volume group.
  4. Select the RAID level that best meets your requirements for data storage and protection. The volume group candidate table appears and displays only the candidates that support the selected RAID level.
  5. (Optional) If you have more than one type of drive in your storage array, select the drive type that you want to use. The volume group candidate table appears and displays only the candidates that support the selected drive type and RAID level.
  6. Select the volume group candidate that you want to use based on the following characteristics, and then click Create.

The volume group candidate characteristics you will need are ‘Secure-Capable’ and ‘Enable Security?’

Encryption Protects Data When It Leaves Your Hands

Widespread deployment of encryption ensures that any SSD or HDD in transit, returned to a vendor, lost, or stolen is encrypted and secure against unauthorized data access.  As always, join us at thePub and our Slack Team to share feedback or ask questions.  You can get a copy of the NetApp power guide for NVE at this link.  If you are ready for NVE, contact your sales team to request a free license.  Check this document for SolidFire encryption.  Finally, the E-Series setup can be found here.  Don’t forget to check back for the next post in this series on snapshot copies.

David Blackwell
Technical Marketing Engineer for OpenStack at NetApp
David is a twenty year IT veteran who has been an admin for just about every aspect of a DataCenter at one time or another. Currently he is the Technical Marketing Engineer for OpenStack at NetApp. When not working, or tinkering with new software at home, David spends most of his free time on his hobby of 3D printing.
