NetApp Volumes always encrypts your data at rest with volume-specific keys.
With customer-managed encryption keys (CMEK), volume keys are wrapped using your keys stored in Cloud KMS. This feature gives you greater control over the encryption keys used and the added security of storing the keys on a system or in a location different from the data. NetApp Volumes supports Cloud KMS capabilities such as hardware security modules, External Key Manager, and the full key management lifecycle—generate, use, rotate, destroy.
NetApp Volumes supports one CMEK policy per region. A CMEK policy is attached to a storage pool, and all volumes created in that pool use it. You can have a mix of storage pools with and without CMEK policies in a region. If you have pools without CMEK in a specific region, you can convert them to CMEK by using the migration action of that region's CMEK policy.
Using customer-managed encryption keys is optional.