Configuring Hardware Encryption

You can configure hardware encryption on the storage policy copy.

When hardware encryption is enabled, data that is already software-encrypted is encrypted a second time. Therefore, we strongly recommend enabling one or the other – not both.

Note: The hardware encryption algorithm and key length are set by the hardware vendor. Most vendors use AES-256 for FIPS compliance. NetApp can enable or disable hardware encryption. Any variance in the algorithm or key length used depends on the hardware vendor.

Before You Begin

Before enabling hardware encryption, check your hardware specifications to verify that data encryption is supported.

Hardware encryption must be enabled only when the drives associated with the data path support encryption. If this option is enabled and the hardware does not support encryption, jobs running to the data path or drive will go into the Pending state.

Configure Hardware Encryption for a New Storage Policy Copy

When you create a new storage policy copy, you can enable hardware encryption for all data paths (with tape drives) by default, as follows:

  1. From the CommCell Browser, right-click the storage_policy, click All Tasks and then click Create New Copy.
  2. Type a name for the copy in the Copy Name box.
  3. Select a tape library from the Library list and select the appropriate MediaAgent, Drive Pool and Scratch Pool.
  4. Select the Hardware Encryption (Direct Media Access: Via Media Password) check box to enable the option.
  5. Click OK.

Configure Hardware Encryption for a Data Path

You can modify the hardware encryption options for each data path as follows:

  1. From the CommCell Browser, expand Policies > Storage Policies > storage_policy.
  2. Right-click the storage_policy_copy and click Properties.
  3. In the Copy Properties dialog box, on the Data Paths tab, select the appropriate data path, and then click Properties.
  4. In the Data Path Properties dialog box, select the Use Hardware Encryption check box to enable.

    Clear the check box to disable.

  5. When a message appears asking whether the drives in the library support data encryption, click Yes.
  6. If you want to encrypt the chunkmap trailers that contain the metadata of the chunks created for the backup data, select Enable Encryption on Chunkmap trailers. When this option is selected, the Via Media Password and No Access options in the Direct Media Access (External Restore Tools) area are disabled.

    Note: If you enable chunkmap trailer encryption, the data cannot be restored by using the Media Explorer and the Tape catalog feature.

  7. If the Enable Encryption on Chunkmap trailers option is not selected, choose whether to allow access for external restore tools by selecting one of the following options in the Direct Media Access (External Restore Tools) area:
    • To allow the encryption keys to be stored on the media, select Via Media Password.
    • To prevent the encryption keys from being stored on the media, select No Access.
  8. Click OK and then click OK to close the Storage Policy Copy Properties dialog box.

    Note: When hardware encryption is enabled, decryption always occurs on the hardware device.