Compliant Product - NetApp Volume Encryption (NVE) Appliances running ONTAP 9.7P13
Certificate Date: 2021.09.08CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID11175-2021
Product Type: Encrypted Storage
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Full Drive Encryption - Authorization Acquisition Version 2.0 + Errata 20190201
collaborative Protection Profile for Full Drive Encryption - Encryption Engine Version 2.0 + Errata 20190201
CC Testing Lab: Leidos Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is NetApp Volume Encryption (NVE) Appliances running ONTAP 9.7P13. The TOE provides both authorization acquisition and encryption engine components in support of full drive encryption. The authorization acquisition component derives a Border Encryption Value (BEV) from an administrator-supplied authorization factor (namely, a passphrase) and provides it to the encryption engine, which uses it to unlock the Drive Encryption Key (DEK) used to encrypt data on disk storage devices.
The TOE comprises a range of disk storage appliances, consisting of storage controllers and one or more enclosures of disk storage devices, running ONTAP 9.7P13. Supported disk storage devices include hard disk drive (HDD), solid state drive (SSD) and non-volatile memory express (NVMe) flash drives.
The NetApp appliances included in the evaluated configuration are as follows:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the TOE was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the NetApp Volume Encryption (NVE) Appliances running ONTAP 9.7P13 Security Target. The evaluation was completed in August 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE includes NIST CAVP-validated cryptographic algorithms supporting cryptographic functions. The TOE provides key wrapping, key derivation, validation of the Border Encryption Value (BEV), and data encryption.
User Data Protection
The TOE performs full drive encryption, such that the drive contains no plaintext user data. The TOE performs user data encryption by default in the out-of-the-box configuration using 256 bit AES in XTS mode.
The TOE supports management functions for changing and erasing the DEK and initiating TOE firmware updates, using a command line interface.
Protection of the TSF
The TOE provides trusted firmware updates, protects keys and key material, and supports Compliant power saving states. The TOE runs a suite of self-tests during initial start-up (on power on).