56 IBM System Storage N series Hardware Guide

encrypted data at rest on powered-off disk drives. That is, it prevents someone from removing a shelf or drive and mounting them on an unauthorized system. This security minimizes the risk of unauthorized access to data if drives are stolen from a facility or compromised during physical movement of the storage array between facilities.

Additionally, self-encryption prevents unauthorized data access when drives are returned as spares or after drive failure. This security includes cryptographic shredding of data for non-returnable disk (NRD) and disk repurposing scenarios, and simplified disposal of the drive through disk destroy commands. These processes render a disk completely unusable. This greatly simplifies the disposal of drives and eliminates the need for costly, time-consuming physical drive shredding.

Remember that all data on the drives is automatically encrypted. If you do not want to track where the most sensitive data is, or risk it being outside an encrypted volume, use NSE to ensure that all data is encrypted.

5.5.4 Effect of self-encryption on Data ONTAP features

Self-encryption operates below all Data ONTAP features such as SnapDrive, SnapMirror, and even compression and deduplication. Interoperability with these features should be transparent. SnapVault and SnapMirror are both supported, but for data at the destination to be encrypted, the target must be another self-encrypted system.

The use of SnapLock prevents the inclusion of self-encryption. Therefore, simultaneous operation of SnapLock and self-encryption is not possible. This limitation is being evaluated for a future release of Data ONTAP. MetroCluster is not currently supported because of the lack of support for the SAS interface. Support for MetroCluster is currently targeted for a future release of Data ONTAP.

5.5.5 Mixing drive types

In Data ONTAP 8.1, all drives installed within the storage platform must be self-encrypting drives. The mixing of encrypted with unencrypted drives or shelves across a stand-alone platform or high availability (HA) pair is not supported.

5.5.6 Key management

This section provides more detailed information about key management.

Overview of KMIP

Key Management Interoperability Protocol (KMIP) is an encryption key interoperability standard created by a consortium of security and storage vendors (OASIS). Version 1.0 was ratified in September 2010, and participating vendors have since released compatible products. KMIP seems to have replaced IEEE P1619.3, which was an earlier proposed standard.

With KMIP-compatible tools, organizations can manage their encryption keys from a single point of control. This improves security, reduces complexity, and achieves regulatory compliance more quickly and easily. It is a huge improvement over the current approach of using many different encryption key management tools for many different business purposes and IT assets.
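The disk destroy and disk repurposing passage above states only that these processes render the disk unusable. The following added example is my own illustration of why erasing the data encryption key is enough; it is not IBM code and not a Data ONTAP command. The class and function names are hypothetical, the sample sector contents are constructed, and an HMAC-SHA256 keystream in counter mode stands in for the AES the real drive uses, so the script runs with the Python standard library only. It shows that the powered-off media holds ciphertext only, that no read is possible once the key is erased, and that a fresh key leaves an empty, repurposed drive.

```python
"""Crypto-shredding model of a self-encrypting drive (added example, hypothetical)."""
import hashlib
import hmac
import os
from typing import List, Optional

SECTOR_SIZE = 512
TAG_SIZE = 32


class SelfEncryptingDisk:
    """Toy self-encrypting drive: every sector is stored as ciphertext plus an integrity tag."""

    def __init__(self, sectors: int = 8) -> None:
        self._dek: Optional[bytes] = os.urandom(32)  # data encryption key, never leaves the drive
        self._media: List[bytes] = [bytes(SECTOR_SIZE + TAG_SIZE)] * sectors

    def _require_key(self) -> bytes:
        if self._dek is None:
            raise RuntimeError("drive has been crypto-shredded: no data encryption key present")
        return self._dek

    def _keystream(self, lba: int, length: int) -> bytes:
        # Per-sector keystream from HMAC-SHA256 in counter mode; stands in for the drive's AES.
        key = self._require_key()
        out = b""
        counter = 0
        while len(out) < length:
            msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hmac.new(key, msg, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _tag(self, lba: int, ciphertext: bytes) -> bytes:
        # Integrity tag bound to the sector address and the current key.
        key = self._require_key()
        return hmac.new(key, b"tag" + lba.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()

    def write(self, lba: int, plaintext: bytes) -> None:
        if len(plaintext) != SECTOR_SIZE:
            raise ValueError("plaintext must be exactly one sector")
        ks = self._keystream(lba, SECTOR_SIZE)
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        self._media[lba] = ciphertext + self._tag(lba, ciphertext)

    def read(self, lba: int) -> Optional[bytes]:
        """Return the sector's plaintext, or None if it was not written under the current key."""
        stored = self._media[lba]
        ciphertext, tag = stored[:SECTOR_SIZE], stored[SECTOR_SIZE:]
        if not hmac.compare_digest(tag, self._tag(lba, ciphertext)):
            return None
        ks = self._keystream(lba, SECTOR_SIZE)
        return bytes(c ^ k for c, k in zip(ciphertext, ks))

    def dump_media(self) -> List[bytes]:
        """What someone who removes the powered-off drive can copy: ciphertext and tags only."""
        return list(self._media)

    def destroy(self) -> None:
        """Disk destroy: erase the key. The media is untouched but can never be read again."""
        self._dek = None

    def repurpose(self) -> None:
        """Disk repurposing: a fresh key; old sectors fail their tag check and read as empty."""
        self._dek = os.urandom(32)


def crypto_shred_demo() -> dict:
    """Walk one sector through write, theft of the media, destroy and repurpose."""
    disk = SelfEncryptingDisk()
    record = b"customer record 0001".ljust(SECTOR_SIZE, b"\0")  # constructed sample data
    disk.write(0, record)
    result = {
        "read_back": disk.read(0) == record,
        "plaintext_on_media": any(b"customer record" in s for s in disk.dump_media()),
    }
    disk.destroy()
    try:
        disk.read(0)
        result["readable_after_destroy"] = True
    except RuntimeError:
        result["readable_after_destroy"] = False
    disk.repurpose()
    result["old_data_after_repurpose"] = disk.read(0)  # None: tag fails under the new key
    disk.write(0, bytes(SECTOR_SIZE))
    result["writable_after_repurpose"] = disk.read(0) == bytes(SECTOR_SIZE)
    return result


if __name__ == "__main__":
    print(crypto_shred_demo())
```

The keystream stand-in reuses the same per-sector keystream on every rewrite of a sector, which a production design must not do; real drives use a tweakable block cipher mode for exactly that reason. The point the model keeps is the one the guide makes: the key, not the platter, is what a disk destroy or repurpose removes.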