7 - Data Replication Encryption


When replicating data for disaster recovery, caching, or backup, you must protect that data during transport over the wire from one ONTAP cluster to another. Doing so prevents man-in-the-middle attacks against sensitive data while it is in flight.

Starting with ONTAP 9.6, Cluster Peering Encryption provides TLS 1.2 encryption with AES-256-GCM for ONTAP data replication features such as SnapMirror, SnapVault, and FlexCache. Encryption is set up by way of a pre-shared key (PSK) between the two cluster peers.

Customers who use technologies like NSE, NVE, and NAE to protect data at rest can also use end-to-end data encryption by upgrading to ONTAP 9.6 or later to use Cluster Peering Encryption.


Cluster peering encrypts all data between the cluster peers. For example, when using SnapMirror, all peering information as well as all SnapMirror relationships between the source and destination cluster peer are encrypted. You cannot send clear-text data between cluster peers with Cluster Peering Encryption enabled.

Starting with ONTAP 9.6, new cluster-peer relationships have encryption enabled by default. To enable encryption on cluster peer relationships that were created prior to ONTAP 9.6, both the source and the destination cluster must be upgraded to 9.6. In addition, you must use the cluster peer modify command to change both the source and destination cluster peers to use Cluster Peering Encryption.

Converting an existing peer relationship to use Cluster Peering Encryption in 9.6 is shown in the following example:

On the Destination Cluster Peer
Cluster2::> cluster peer modify Cluster1 -auth-status-admin use-authentication -encryption-protocol-proposed tls-psk
When prompted, enter a passphrase.

On the Source Cluster Peer
Cluster1::> cluster peer modify Cluster2 -auth-status-admin use-authentication -encryption-protocol-proposed tls-psk

When prompted, enter the same passphrase you created in the previous step.
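A check for the result of the procedure above, added here as an example and not part of the original document: the script parses constructed sample output in the style of cluster peer show -fields auth-status-admin,encryption-protocol-proposed (the -fields invocation, the tabular layout and the value none are assumptions, not taken from this page) and lists every peer that is not on authenticated TLS-PSK, so the same check can be run on both clusters of a relationship.

```python
import re

# Constructed sample output; the column layout and the "none" value are
# assumptions about ONTAP's -fields table format, not taken from the page.
SAMPLE_OUTPUT = """\
cluster  auth-status-admin  encryption-protocol-proposed
-------- ------------------ ----------------------------
Cluster1 use-authentication tls-psk
Cluster3 no-authentication  none
2 entries were displayed.
"""


def parse_fields_table(text):
    """Parse a whitespace-aligned -fields style table into a list of dicts."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[1].startswith("-"):
        raise ValueError("not a -fields style table")
    headers = lines[0].split()
    rows = []
    for ln in lines[2:]:
        # Skip the trailing "N entries were displayed." summary line.
        if re.match(r"^\d+ entr(y|ies) (was|were) displayed\.$", ln):
            continue
        cols = ln.split()
        if len(cols) != len(headers):
            raise ValueError(f"column count mismatch in row: {ln!r}")
        rows.append(dict(zip(headers, cols)))
    return rows


def unencrypted_peers(text):
    """Return the names of peers not set to authenticated TLS-PSK encryption."""
    flagged = []
    for row in parse_fields_table(text):
        if (row["auth-status-admin"] != "use-authentication"
                or row["encryption-protocol-proposed"] != "tls-psk"):
            flagged.append(row["cluster"])
    return flagged


if __name__ == "__main__":
    for peer in unencrypted_peers(SAMPLE_OUTPUT):
        print(f"peer {peer}: Cluster Peering Encryption not enforced")
```

Run it against the output captured on each cluster; a peer reported on either side means that side still needs the cluster peer modify step shown above.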
