Encryption of data in transit
Amazon FSx for NetApp ONTAP supports Kerberos-based encryption over the SMB and NFS protocols as well as automatic Nitro-based encryption of data in transit from supported Amazon EC2 instances.
Encrypting data in transit with SMB
Encryption of data in transit is supported on file shares that are mapped on a compute instance that supports SMB protocol 3.0 or newer. This includes all Microsoft Windows versions from Windows Server 2012 and later, and Windows 8 and later. When enabled, FSx for ONTAP automatically encrypts data in transit using SMB encryption as you access your file system without the need for you to modify your applications.
FSx for ONTAP SMB supports 128-bit or 256-bit encryption, depending on the client session request. For descriptions of the different encryption levels, see the Set the SMB server minimum authentication security level section of Manage SMB with the CLI.
You use the NetApp ONTAP CLI to manage the encryption in transit settings on FSx for ONTAP SVMs and volumes. To access the NetApp ONTAP CLI, establish an SSH session on the SVM on which you are making encryption in transit settings, as described in Managing SVMs using the NetApp ONTAP CLI.
Enable SMB encryption of data in transit
By default, when you create an SVM, SMB encryption is turned off. You can require SMB encryption either on individual shares or on an SVM, which requires it for all shares on that SVM.
Note
When SMB encryption required is enabled on an SVM or share, SMB clients that do not support encryption cannot connect to that SVM or share.
To require SMB encryption for incoming SMB traffic on an SVM
Use the following procedure to require SMB encryption on an SVM using the NetApp ONTAP CLI.
Establish a secure shell (SSH) connection to the SVM's management endpoint as described in Managing SVMs using the NetApp ONTAP CLI.
Use the following NetApp ONTAP CLI command to require SMB encryption for incoming SMB traffic to the SVM.
vserver cifs security modify -vserver vserver_name -is-smb-encryption-required true
To stop requiring SMB encryption for incoming SMB traffic, use the following command.
vserver cifs security modify -vserver vserver_name -is-smb-encryption-required false
To see the current is-smb-encryption-required setting on an SVM, use the following NetApp ONTAP CLI command:
vserver cifs security show -vserver vs1 -fields is-smb-encryption-required
The command returns output similar to the following:
vserver is-smb-encryption-required
-------- -------------------------
vs1 true
For more information about managing SMB encryption on an SVM, see Configuring required SMB encryption on SMB servers for data transfers over SMB.
To enable SMB encryption on a volume
Use the following procedure to enable SMB encryption on a share using the NetApp ONTAP CLI.
Establish a secure shell (SSH) connection to the SVM's management endpoint as described in Managing SVMs using the NetApp ONTAP CLI.
Use the following NetApp ONTAP CLI command to create a new SMB share and require SMB encryption when accessing this share.
vserver cifs share create -vserver vserver_name -share-name share_name -path share_path -share-properties encrypt-data
For more information, see vserver cifs share create in the NetApp ONTAP CLI Command man pages.
To require SMB encryption on an existing SMB share, use the following command.
vserver cifs share properties add -vserver vserver_name -share-name share_name -share-properties encrypt-data
For more information, see vserver cifs share create in the NetApp ONTAP CLI Command man pages.
To turn off SMB encryption on an existing SMB share, use the following command.
vserver cifs share properties remove -vserver vserver_name -share-name share_name -share-properties encrypt-data
For more information, see vserver cifs share properties remove in the NetApp ONTAP CLI Command man pages.
To see the current is-smb-encryption-required setting on an SMB share, use the following NetApp ONTAP CLI command:
vserver cifs share properties show -vserver vserver_name -share-name share_name -fields share-properties
If one of the properties returned by the command is the encrypt-data property, then SMB encryption must be used when accessing this share. For more information, see vserver cifs share properties show in the NetApp ONTAP CLI Command man pages.
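The two show commands above are the basis of a simple compliance check: an SVM that does not require encryption may still expose shares that lack the encrypt-data property, and clients of those shares fall back to plaintext SMB. The script below is an added example, not part of the AWS or NetApp documentation. It parses the tabular output of vserver cifs security show and vserver cifs share properties show (the sample output embedded here is constructed to resemble the ONTAP CLI's -fields layout; the exact column spacing and trailer line may differ by ONTAP version) and lists shares that do not require encryption. The commands would be fed to it over SSH with the SVM's management user, which is assumed to be vsadmin at a placeholder endpoint.

```shell
#!/bin/sh
# Added example (not AWS/NetApp code): audit ONTAP CLI output for SMB shares
# that are reachable without SMB encryption.
#
# Constructed sample resembling:
#   vserver cifs share properties show -vserver vs1 -fields share-properties
SAMPLE_SHARE_OUTPUT='vserver share-name share-properties
------- ---------- -------------------------------------------
vs1     finance    oplocks,browsable,changenotify,encrypt-data
vs1     public     oplocks,browsable,changenotify
vs1     backup     oplocks,browsable,showsnapshot,encrypt-data
3 entries were displayed.'

# Constructed sample resembling:
#   vserver cifs security show -vserver vs1 -fields is-smb-encryption-required
SAMPLE_SVM_OUTPUT='vserver is-smb-encryption-required
-------- -------------------------
vs1 true'

# unencrypted_shares: reads "show -fields share-properties" output on stdin
# and prints one share name per line for each share whose comma-separated
# property list does not contain encrypt-data. The header, separator and
# "N entries were displayed." trailer are skipped.
unencrypted_shares() {
    awk 'NR <= 2 { next }                  # header and separator rows
         /entries were displayed/ { next } # trailer row
         NF < 3 { next }                   # nothing to parse
         {
           n = split($3, props, ",")
           found = 0
           for (i = 1; i <= n; i++) if (props[i] == "encrypt-data") found = 1
           if (!found) print $2
         }'
}

# svm_requires_encryption: reads "security show -fields
# is-smb-encryption-required" output on stdin; exit 0 when the SVM-wide
# setting is true, exit 1 otherwise (unencrypted clients may connect).
svm_requires_encryption() {
    awk 'NR <= 2 { next }
         NF >= 2 && $2 == "true" { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Stand-alone demonstration on the constructed samples. Against a live SVM
# the same functions would consume e.g. (placeholder endpoint, assumed user):
#   ssh vsadmin@<svm-management-endpoint> \
#     'vserver cifs share properties show -vserver vs1 -fields share-properties' \
#     | unencrypted_shares
if printf '%s\n' "$SAMPLE_SVM_OUTPUT" | svm_requires_encryption; then
    echo "SVM requires SMB encryption for all shares; per-share check is informational."
else
    echo "SVM does not require SMB encryption; shares below accept plaintext sessions:"
fi
printf '%s\n' "$SAMPLE_SHARE_OUTPUT" | unencrypted_shares
```

When the SVM-wide setting is true the per-share list is only informational, because the SVM setting overrides missing share properties; when it is false, every share printed by unencrypted_shares is one that clients can mount without encryption, and those are the shares to fix with vserver cifs share properties add.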
Encrypting data in transit with NFS
Encryption of data in transit using Kerberos is supported for NFSv3 and NFSv4 protocols.
To enable encryption in transit using Kerberos for the NFS protocol, see Using Kerberos with NFS for strong security.
Encrypting data in transit with AWS Nitro System
Data in transit is encrypted automatically when accessed from supported Amazon EC2 instances. For more information about which EC2 instances support Nitro-based encryption in transit, see Encryption in transit in the Amazon EC2 User Guide for Linux Instances.
Keep in mind that the instances must be in the same AWS Region and in the same VPC or in peered VPCs for Nitro-based encryption to be enabled. Data that passes through a virtual network device or service (such as a transit gateway) is not encrypted automatically.
Nitro-based in-transit encryption is available for file systems created after November 28, 2022 in the following AWS Regions:
US East (N. Virginia)
US East (Ohio)
US West (Oregon)
Europe (Ireland)
For more information about the AWS Regions where FSx for ONTAP is available, see Amazon FSx for NetApp ONTAP Pricing.
Note
For more information about the performance specifications for FSx for ONTAP file systems, see Impact of throughput capacity on performance.