HashiCorp Vault as an External Key Manager for NetApp Encryption

Kapil Arora
HashiCorp Solutions Engineering Blog
5 min read · Mar 5, 2020

Introduction

All traditional solutions for a KMIP-based external key manager are either hardware-based, costly, inflexible, or not scalable. HashiCorp's Vault Enterprise, on the other hand, can be used as a flexible, very cost-effective, and scalable external key manager solution. It is certified by NetApp, supports the OASIS KMIP protocol, and integrates with any PKCS #11 compliant HSM.

NetApp Encryption

NetApp offers state of the art secure data management, file-share, backup, recovery, replication and disaster recovery solutions to a large number of enterprises all around the globe. The NetApp ONTAP system, one of the most popular storage operating systems in the world, offers FIPS compliant encryption technology that also supports the OASIS KMIP protocol.

NetApp Storage Encryption (NSE) is NetApp's implementation of Full Disk Encryption, while NetApp Volume Encryption (NVE) and NetApp Aggregate Encryption (NAE) are software-based, data-at-rest encryption solutions available in NetApp ONTAP-based systems. Although NetApp does offer an onboard key manager, most enterprises must use an external key manager for compliance reasons, as the keys must be stored outside of the storage system.

Vault as an External Key Manager for NetApp

HashiCorp Vault is the de facto standard for managing secrets in multi-cloud and hybrid enterprise environments. It is a simple, modern, scalable and highly automatable solution for managing all kinds of sensitive and secret data, including passwords, keys, certificates, and encryption keys. One of the latest enterprise capabilities of Vault is the KMIP secrets engine, which is the best solution for the external key manager requirements of enterprise storage systems like NetApp ONTAP. Moreover, Vault can be integrated with an HSM for master key wrapping and auto unsealing.

Note: the KMIP and HSM features are Vault Enterprise features.

Certified: Vault is validated, supported and certified for use by NetApp. Vault complies with the OASIS KMIP standard.

Secure Multi-tenancy: Isolate different tenant environments for security and compliance. Different teams and departments can work independently of each other and have access to only their own keys and systems.

HSM Support: Vault supports integration with any HSM that supports PKCS #11. Most hardware-based KMIP Servers only support specific HSMs.

Flexibility: Most key managers are hardware devices and difficult to procure, manage and maintain. Vault gives you more flexibility, as it is distributed as a binary and can be deployed on multiple platforms.

Cost and Efficiency: One deployment of Vault can create multiple independent KMIP servers. Save time and cost as you don’t need to buy and manage hardware devices for each department.

Management: Vault is easy to manage and use, as it offers Web UI, CLI, and HTTP API interfaces.

High Availability: Built-in High Availability using Consul as the storage back-end. Using Consul also provides automated registration, tagging, and health checks for Vault services within Consul.

Disaster Recovery: Built-in multi-datacenter replication for horizontal scalability and disaster recovery use-cases.

Audit Logging: With Vault’s audit log, monitoring secret access across multiple environments and clouds is easy and automated.

Future-proof: Vault comes packed with multiple integrations, including AWS, Azure, GCP, Kubernetes, databases, and more: one central service for secret and certificate management, cryptographic and advanced data protection needs.

Deployment

Vault is deployed in a High Availability configuration on physical or virtualized, cloud or on-premises environments. In an Enterprise setup, Vault uses Consul as the storage backend. Apart from storage, Consul also offers automated registration, tagging and health checks for Vault services. One Vault instance acts as the Active server while the rest run as Performance Standbys in this enterprise setup. A load balancer is used to distribute traffic among the Vault nodes. In the case of integration with NetApp, Vault acts as one or more independent KMIP servers, and the NetApp systems talk to Vault using the KMIP protocol.

A KMIP server can be set up on Vault in 3 steps as shown below:

1. Enable and configure the KMIP secrets engine

$ vault secrets enable kmip
$ vault write kmip/config listen_addrs=0.0.0.0:5696

2. Configure the KMIP scope and role (permissions) to be used by the NetApp system

$ vault write -f kmip/scope/scope1
$ vault write kmip/scope/scope1/role/role1 operation_all=true

3. Generate a certificate for authentication against the KMIP server

$ vault write -f -field=certificate \
    kmip/scope/scope1/role/role1/credential/generate > kmip-cert.pem
$ cat kmip-cert.pem

That's it! Once KMIP is enabled and set up, you can continue the setup on the NetApp system.
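The same three steps driven through Vault's HTTP API, as an added example that is not from the article or from HashiCorp: the Vault address and token are placeholders, and, unlike the `-field=certificate` command above, it also keeps the private key and CA chain that the ONTAP certificate installs require.

```python
import json
import os
import urllib.request


def vault_http(addr, token):
    """Transport for a real Vault server: (method, path, payload) -> JSON dict.
    addr and token are placeholders, e.g. "https://vault.example.com:8200"."""
    def request(method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(
            addr + path, data=body, method=method,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # 204 No Content -> {}
    return request


def setup_kmip(request, scope="scope1", role="role1", listen_addrs="0.0.0.0:5696"):
    """The three CLI steps over the HTTP API. Returns the PEM material ONTAP needs:
    client cert + private key (-type client) and the CA chain (-type server-ca)."""
    # 1. vault secrets enable kmip; vault write kmip/config listen_addrs=...
    request("POST", "/v1/sys/mounts/kmip", {"type": "kmip"})
    request("POST", "/v1/kmip/config", {"listen_addrs": listen_addrs})
    # 2. vault write -f kmip/scope/<scope>; role with operation_all=true, as in the article
    request("POST", f"/v1/kmip/scope/{scope}", {})
    request("POST", f"/v1/kmip/scope/{scope}/role/{role}", {"operation_all": True})
    # 3. one call returns cert, private key, CA chain and the serial (keep it for revocation)
    cred = request("POST", f"/v1/kmip/scope/{scope}/role/{role}/credential/generate",
                   {"format": "pem"})["data"]
    return {"client_cert": cred["certificate"],
            "client_key": cred["private_key"],
            "server_ca": "\n".join(cred["ca_chain"]),
            "serial_number": cred["serial_number"]}


def write_pem_files(material, outdir):
    """Write the three PEM files owner-read/write only (0600); returns their paths."""
    names = [("client_cert", "kmip-client-cert.pem"), ("client_key", "kmip-client-key.pem"),
             ("server_ca", "kmip-server-ca.pem")]
    paths = []
    for key, fname in names:
        path = os.path.join(outdir, fname)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(material[key].rstrip("\n") + "\n")
        paths.append(path)
    return paths
```

Against a live server, `write_pem_files(setup_kmip(vault_http(addr, token)), "./certs")` produces the client certificate and key for the `-type client` install and the CA file for the `-type server-ca` install.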

Note: all NetApp sample commands below are based on ONTAP version 9.6. For other versions and detailed information, see the NetApp ONTAP External Key Manager Configuration Guide listed under Resources.

1. Install certificates on the NetApp system

Install the SSL KMIP client certificates for the cluster:

cluster1::> security certificate install -vserver cluster1 -type client -subtype kmip-cert

You are prompted to enter the SSL KMIP public and private certificates.

Install the SSL public certificate for the root certificate authority (CA) of the KMIP server:

cluster1::> security certificate install -vserver cluster1 -type server-ca -subtype kmip-cert

2. Configure key manager connectivity on the NetApp system

Use A, B, or C below depending on your encryption requirements.

A. Enable the external key manager for hardware-based encryption:

cluster1::> security key-manager external enable -key-servers ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234 -client-cert AdminVserverClientCert -server-ca-certs AdminVserverServerCaCert

B. Enable the external key manager for cluster-wide software-based encryption:

cluster1::> security key-manager external enable -vserver cluster1 -key-servers ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234 -client-cert AdminVserverClientCert -server-ca-certs AdminVserverServerCaCert

C. Enable the external key manager for SVM-scoped software-based encryption:

svm1::> security key-manager external enable -vserver svm1 -key-servers keyserver.svm1.com -client-cert SVM1ClientCert -server-ca-certs SVM1ServerCaCert

Verify that all configured KMIP servers are connected:

cluster1::> security key-manager external show-status

Enabling encryption on aggregates and volumes

1. Create an aggregate with encryption enabled (NAE):

cluster1::> storage aggregate create -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true

Volumes created on NAE-enabled aggregates will be encrypted by default:

cluster1::> volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name

2. Create a volume with encryption enabled (NVE):

cluster1::> volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true

HSM integration

Vault can be integrated with an HSM device (with PKCS #11 support) if required for master key wrapping and Vault unsealing. More details are in the Vault and HSM Integration documentation listed under Resources.

Summary

When using HashiCorp Vault Enterprise as an external key manager for NetApp Encryption, organizations can save money, time, and resources. Vault is fully software-based and scalable, and offers multiple integrations, including for public clouds. It offers strong automation capabilities, which reduce risk.

Resources and links

  1. NetApp Storage Encryption
  2. NetApp Volume Encryption and NetApp Aggregate Encryption
  3. HashiCorp Vault landing page
  4. Vault KMIP secrets engine
  5. Vault and HSM Integration
  6. Vault Reference Architecture
  7. Vault Enterprise Offerings and OSS Comparison
  8. White-paper on Unlocking the Cloud Operating Model: Security
  9. NetApp ONTAP External Key Manager Configuration Guide
