NetApp Snapshot Directory
This section describes SecFS support for NetApp .snapshot directory over NFS. It contains the following topics:
Overview
The NetApp snapshot directory contains ONTAP snapshot data entries for a specific live volume. Each snapshot is a read-only volume that is automatically mounted over NFS.
A snapshot copy is a read-only image of a traditional, or FlexVol volume, or an aggregate, that captures the state of the file system at a specific point in time.
Data ONTAP maintains a configurable snapshot copy schedule that creates and deletes snapshot copies automatically for each volume.
Accessing snapshots
By default, every volume contains a directory named .snapshot through which users can access previous versions of files. Users can gain access to snapshot copies depending on the file-sharing protocol used, NFS or CIFS. You can also prevent access to snapshot copies.
Snapshot files carry the same read permissions as the original file. A user who has permission to read a file in the volume, can also read that file in a snapshot copy. A user without read permission to the volume cannot read that file in a snapshot copy.
Note
Snapshot copies do not have write permissions.
Snapshot directories only display at the mount point, although they actually exists in every directory in the tree. This means that the .snapshot directory is accessible by name in each directory, but is only seen in the output of the ls command at the mount point. The snapshots are stamped with the date and time.
Enabling Snapshots
The NetApp storage administrator, or the OnTap device, must configure this feature. No configuration is required through CTE. CTE guards the client directory mounting the OnTap data volume over NFS.
Note
The NetApp documentation is located here: https://nt-ap.com/2vEnEeJ
Dataxform Considerations
You cannot transform snapshot directory entries with Dataxform with a new key, because the snapshots are read only. You must keep previous keys and alter the running security policy accordingly to maintain access to the older snapshot entries alongside any new snapshots taken with the new key.
Also, any snapshots that get created during the data transform process (this may take a long time) have to be discarded/deleted as it may contain a mix of data blocks encrypted with both old and new keys.
Best Practices
Maintaining keys for access to older snapshots can be tedious and cumbersome. Therefore, the simplest and safest practice is to delete all old snapshots once the data is transformed with a new key.
This allows for all new snapshots to be readable with the new key while old keys can be discarded, unless used in other security policies.
