Product : NetApp, NetApp HCI [HCI]/1.8 P1, x86
Feature : Data Encryption Options, Security, Data Services
Content Owner: Herman Rutten
Summary
Hardware: Self-encrypting drives (SEDs)
Software: Element OS encryption
Details
Hardware-based encryption: NetApp HCI allows encryption of all data stored within the cluster. Self-encrypting drives are available on H410S/H610S storage nodes, with FIPS-certified drives in H610S-2F storage nodes.

All drives in NetApp HCI storage nodes use AES 256-bit encryption at the drive level. Each drive has its own encryption key, which is created when the drive is first initialized. When the encryption feature is enabled, a cluster-wide password is created, and chunks of that password are distributed across all nodes in the cluster, so no single node stores the entire password. This password protects all access to the drives and must be supplied for every read and write operation to a drive.
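To make the key hierarchy described above concrete, here is an added model (not NetApp's or Element OS's own code, and the page does not say which sharing scheme Element uses): a per-drive key is generated at initialization, a key-encryption key derived from the cluster password protects it, and the password is split into XOR chunks so that a single node's chunk, or any incomplete set of chunks, cannot unlock the drive. The wrap/unwrap routine is a stand-in for the drive's real locking mechanism.

```python
import hashlib
import hmac
import os
from typing import List

KEY_LEN = 32  # 256-bit keys, matching AES-256 at the drive level


def generate_drive_key() -> bytes:
    """Per-drive data encryption key, created when the drive is first initialized."""
    return os.urandom(KEY_LEN)


def split_password(password: bytes, node_count: int) -> List[bytes]:
    """n-of-n XOR sharing (assumed scheme): one chunk per node; the password is
    only recoverable when every chunk is combined, so no node holds it alone."""
    shares = [os.urandom(len(password)) for _ in range(node_count - 1)]
    last = password
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def combine_shares(shares: List[bytes]) -> bytes:
    """XOR all chunks back together; a missing chunk yields random bytes, not the password."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Key-encryption key derived from the cluster password (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=KEY_LEN)


def wrap_drive_key(kek: bytes, dek: bytes) -> bytes:
    """Toy authenticated wrap: XOR with an HMAC-derived pad, plus an HMAC tag."""
    pad = hmac.new(kek, b"drive-key-wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(dek, pad))
    return wrapped + hmac.new(kek, wrapped, hashlib.sha256).digest()


def unwrap_drive_key(kek: bytes, blob: bytes) -> bytes:
    """Rejects a wrong password before releasing anything: the drive stays locked."""
    wrapped, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    if not hmac.compare_digest(hmac.new(kek, wrapped, hashlib.sha256).digest(), tag):
        raise ValueError("cluster password mismatch: drive remains locked")
    pad = hmac.new(kek, b"drive-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def unlock_drive(shares: List[bytes], salt: bytes, blob: bytes) -> bytes:
    """Reassemble the password from the nodes' chunks and unlock one drive's key."""
    return unwrap_drive_key(derive_kek(combine_shares(shares), salt), blob)
```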

Enabling the encryption-at-rest feature does not affect performance or efficiency on the cluster. Note that if an encryption-enabled drive or node is removed from the cluster via the API or web UI, encryption at rest is disabled on those drives.

Software-based encryption: Element 12.2 introduces software encryption at rest, which can be enabled when creating a new storage cluster (and is enabled by default when creating a SolidFire Enterprise SDS storage cluster). The feature encrypts all data stored on the SSDs in the storage nodes and causes only a very small (~2%) performance impact on client I/O.