# Data At Rest Encryption/FIPS 140-2 Considerations

wary temple
Hello all,

Currently going through applying the STIG for our AFF-A150/A220s, had a couple questions that I would love some assistance with:

  1. What considerations (if any) should be considered when configuring an AFF-A220/A150 for cryptographic mechanisms via enabling FIPS 140-2?

  2. Would the following requirement be met by configuring NVE/NAE?
    "Validate that a data authentication key has been assigned using the command 'storage encryption disk show'. If any disk has a mode other than full or the data key ID is missing, this is a finding"

  3. Will performance be affected both during the enablement of data at rest encryption and beyond? We use some of our NetApps for NFS for vCenter data stores and leadership is wary of performance issues.

  4. When configuring delay after failed login attempts, the STIG specifies a 15-minute lockout; however, it seems like I'm only able to configure the lockout between 1-60 seconds. Tried putting in 900 seconds but syntax failed. Any ideas?

ripe fulcrum
#2 is only valid if you have disks that support encryption. Not all do.

Most people do not see any performance degradation after encryption is enabled. I’ve heard that there’s a 1-5% hit.

The updated STIG for ONTAP removed #4. ONTAP only allows granularity at a number of days, not minutes. I’ve been asking for this to be fixed only for forever.
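
The check quoted in question 2, written as a script over captured `storage encryption disk show` output. This is an added example, not code from either poster or from NetApp; the sample output is constructed, and the three-column layout, the `1.0.0`-style disk names and `-` as a missing-key placeholder are assumptions.

```python
import re

# Constructed sample output, not captured from a real system. The layout
# (Disk, Mode, Data Key ID columns) and the "-" placeholder are assumptions.
SAMPLE_OUTPUT = """\
Disk     Mode Data Key ID
-----    ---- -------------------
1.0.0    full EXAMPLE-KEY-ID-0001
1.0.1    data EXAMPLE-KEY-ID-0001
1.0.2    full -
1.0.3    full
1.0.4    open
5 entries were displayed.
"""

# Assumed row shape: disk name such as 1.0.0, a mode word, optional key ID.
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def find_findings(cli_output):
    """Return (disk, reason) pairs for rows that fail the quoted STIG check."""
    findings = []
    for line in cli_output.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # header, separator, summary or blank line
        disk, mode, key_id = match.groups()
        if mode.lower() != "full":
            findings.append((disk, f"mode is '{mode}', not 'full'"))
        if key_id is None or key_id == "-":
            findings.append((disk, "data key ID is missing"))
    return findings


def parsed_disk_count(cli_output):
    """Count disk rows recognised, so an empty parse is not read as a pass."""
    return sum(1 for line in cli_output.splitlines() if ROW.match(line))


if __name__ == "__main__":
    for disk, reason in find_findings(SAMPLE_OUTPUT):
        print(f"FINDING {disk}: {reason}")
    print(f"{parsed_disk_count(SAMPLE_OUTPUT)} disks checked")
```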