You can choose whether to encrypt data on ONTAP Cloud systems when you create a new working environment. If data encryption is needed, you can choose between ONTAP Cloud encryption and Amazon EBS encryption.
You can protect your data from unauthorized access by using data-at-rest encryption provided by ONTAP Cloud. This optional feature encrypts and decrypts data using encryption keys that are stored on one or more key managers that are under your control.
Communication with key managers is protected in transit: ONTAP Cloud connects to each key manager over a TLS connection and exchanges key material using the Key Management Interoperability Protocol (KMIP). Keys are fetched from the key managers at boot and as volumes are accessed, so the system cannot serve encrypted data if it cannot reach them.
ONTAP Cloud uses XTS-AES, the mode of the Advanced Encryption Standard (AES) designed for block-storage encryption, to protect data at rest. Before data is written to disk it is encrypted with XTS-AES; when it is read back, it is decrypted with XTS-AES before being returned to the requester. XTS mixes the block's position on disk into the encryption as a "tweak", so identical data written to two different locations produces different ciphertext, and any single block can be decrypted on its own without reading or rewriting its neighbours.
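To make the tweak mechanism concrete, the following is an added example and is not NetApp code, nor a description of how ONTAP Cloud implements encryption internally: a textbook XTS-AES (IEEE P1619) written in Go on top of the standard library's AES, with a constructed fixed key and an all-zero 512-byte sector as input. It shows that the same sector content written at two different sector numbers yields different ciphertext, that a sector decrypts correctly only with the sector number it was written at, and that this implementation accepts only whole 16-byte blocks (the ciphertext-stealing step for odd-length tails is left out).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// blockSize is the AES block size; XTS works on whole 16-byte blocks.
const blockSize = 16

// XTS wraps the two AES ciphers the mode needs: one keyed with K1 for the
// data blocks and one keyed with K2 for deriving the per-sector tweak.
type XTS struct {
	dataCipher  cipher.Block
	tweakCipher cipher.Block
}

// NewXTS takes the concatenated K1||K2 key: 32 bytes for XTS-AES-128,
// 64 bytes for XTS-AES-256. Any other length is rejected.
func NewXTS(key []byte) (*XTS, error) {
	if len(key) != 32 && len(key) != 64 {
		return nil, errors.New("xts: key must be 32 or 64 bytes (K1||K2)")
	}
	half := len(key) / 2
	k1, err := aes.NewCipher(key[:half])
	if err != nil {
		return nil, err
	}
	k2, err := aes.NewCipher(key[half:])
	if err != nil {
		return nil, err
	}
	return &XTS{dataCipher: k1, tweakCipher: k2}, nil
}

// mulAlpha multiplies the tweak by the primitive element alpha (x) in
// GF(2^128), using the little-endian bit ordering IEEE P1619 specifies.
func mulAlpha(t *[blockSize]byte) {
	var carry byte
	for i := 0; i < blockSize; i++ {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87 // reduce modulo x^128 + x^7 + x^2 + x + 1
	}
}

// crypt runs one sector through XTS in either direction. The sector number
// (data unit number) is encoded little-endian and encrypted under K2 to form
// the initial tweak, which is then advanced for every 16-byte block.
func (x *XTS) crypt(src []byte, sector uint64, encrypt bool) ([]byte, error) {
	if len(src) == 0 || len(src)%blockSize != 0 {
		return nil, errors.New("xts: sector length must be a non-zero multiple of 16")
	}
	var tweak [blockSize]byte
	binary.LittleEndian.PutUint64(tweak[:8], sector)
	x.tweakCipher.Encrypt(tweak[:], tweak[:])

	dst := make([]byte, len(src))
	var buf [blockSize]byte
	for i := 0; i < len(src); i += blockSize {
		for j := range buf {
			buf[j] = src[i+j] ^ tweak[j] // pre-whitening with the tweak
		}
		if encrypt {
			x.dataCipher.Encrypt(buf[:], buf[:])
		} else {
			x.dataCipher.Decrypt(buf[:], buf[:])
		}
		for j := range buf {
			dst[i+j] = buf[j] ^ tweak[j] // post-whitening with the same tweak
		}
		mulAlpha(&tweak)
	}
	return dst, nil
}

// EncryptSector encrypts one sector of plaintext stored at the given sector number.
func (x *XTS) EncryptSector(plaintext []byte, sector uint64) ([]byte, error) {
	return x.crypt(plaintext, sector, true)
}

// DecryptSector decrypts one sector of ciphertext read from the given sector number.
func (x *XTS) DecryptSector(ciphertext []byte, sector uint64) ([]byte, error) {
	return x.crypt(ciphertext, sector, false)
}

// demoKey is a constructed, fixed XTS-AES-256 key (K1||K2) used only so the
// example runs offline; a real system obtains its keys from the key manager.
var demoKey = bytes.Repeat([]byte{0x42}, 64)

func main() {
	x, err := NewXTS(demoKey)
	if err != nil {
		panic(err)
	}
	zeros := make([]byte, 512) // a constructed all-zero sector, written twice
	c0, _ := x.EncryptSector(zeros, 0)
	c1, _ := x.EncryptSector(zeros, 1)
	fmt.Printf("sector 0 first block: %x\n", c0[:16])
	fmt.Printf("sector 1 first block: %x\n", c1[:16])
	fmt.Println("ciphertexts differ:", !bytes.Equal(c0, c1))
	p0, _ := x.DecryptSector(c0, 0)
	fmt.Println("round trip ok:", bytes.Equal(p0, zeros))
}
```

The point of the demonstration is the tweak: the same all-zero sector produces unrelated ciphertext at sector 0 and sector 1, and the 32 identical plaintext blocks inside one sector also encrypt to 32 different ciphertext blocks, which is why an attacker with a raw disk image cannot spot repeated content. For real systems use a vetted implementation (for example golang.org/x/crypto/xts) rather than this illustrative one.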
If you use the NetApp Storage Encryption feature on a physical FAS system and enable encryption on an ONTAP Cloud system, any data that you replicate between those systems is decrypted before it is sent and re-encrypted after it arrives. Data-at-rest encryption therefore does not protect the data while it is in transit between the two systems, so the replication path itself must be secured separately.
To use ONTAP Cloud encryption you must set up a key management infrastructure, and Cloud Manager must be configured as an intermediate certificate authority (CA) so that it can issue the certificates the ONTAP Cloud systems use to authenticate themselves to the key managers.
Amazon EBS encryption also protects your data at rest, but the keys are managed for you by AWS (through AWS Key Management Service), not by key managers you operate. This is a good option if you want added security but do not need to control your own key management infrastructure. Refer to the AWS documentation for more information.