We have volume encryption enabled on our snapvault destination systems, at the volume level. The keys are stored on the storage system (default).
What exactly does this "protect" against? The data on the disks may be encrypted, but they can be accessed just as normal volumes as long as you have the controller attached...
I would much rather have a setup where the snapmirrored volumes were encrypted with the source key, so the data on the volumes could not be used on the destination (without the correct key), but is this possible?
We have this setup with our archive system (running ZFS) and it is a pretty nice feature.... But can you do something similar on ONTAP? i.e. back up your encrypted volumes and ensure that the data cannot be read on the destination?
#SnapMirror and volume encryption?
it only protects against someone stealing the drives (either from your datacenter, or when you send back broken disks to NetApp). If you enable CC mode it also protects you against someone stealing the whole storage system (unless he can keep it powered on the whole time 😉 )
it is only "data-at-rest" encryption (by design). WAFL needs to access the volume metadata during copying (for delta snapshots etc.) so WAFL will always have to have access to the volume. and if WAFL has access, the admin has too
To implement your use-case there are two options. 1) use a 3rd party backup tool that supports encryption and back up the source system with that instead of SnapMirror (e.g. Veeam + ONTAP S3 bucket). Or 2) remove all CIFS access from the backup destination and ensure that the admin accounts are hardened (MFA, Tamperproof Snapshots, etc.)
So even if we were to do a fabricpool setup and push all data to our storage grid, where we could encrypt the bucket, there would still be access to the data from ontap... hmmm to be honest I rather like the way ZFS can lock down the destination. This ensures that the sender feels more secure by sending backup data to a 3rd party... with NetApp you really need to trust the 3rd party backup provider... I haven't been looking into how Commvault or NetBackup can do their backups, but I think Veeam will struggle to back up LUNs from a destination target only.... Veeam makes most sense if you do the backup directly at the source. anyway, thanks for verifying this... I hope there is an RFE on this, because it would be very nice if it was possible just to lock down the destinations with a key only to be used in case of a restore...
Pretty sure there won't be an RFE, because as I have explained, ONTAP needs to be able to read the volume on the destination
otherwise it probably couldn't do vaults/breaks/resyncs etc. reliably
I mean it all comes down to your threat/trust model.
OK, for what it's worth I will try to request this. I am aware that it may require a major change in how snapmirror works, to where it is mostly the source who controls the destination... but it would be a nice feature to offer. Most customers have a trust nobody policy these days? 😉
from our experience, most customers either have an on-premises secondary system or use s3 backup (or mirror into our datacenter which they apparently trust 😉 )
it would also be a nightmare for service providers because you could never update your destination system to a newer major ONTAP version unless all your customers send you their keys so that you can take the volumes online. I think this alone will make it almost impossible