Enabling encryption on an existing volume with the volume encryption conversion start command

Starting with ONTAP 9.3, you can use the volume encryption conversion start command to enable encryption of an existing volume "in place," without having to move the volume to a different location.

About this task

Once you start a conversion operation, it must complete. If you encounter a performance issue during the operation, you can run the volume encryption conversion pause command to pause the operation, and the volume encryption conversion resume command to resume the operation.

Note: You cannot use volume encryption conversion start to convert a SnapLock volume.

Steps

  1. Enable encryption on an existing volume: volume encryption conversion start -vserver SVM_name -volume volume_name
    For complete command syntax, see the man page for the command.
    Example

    The following command enables encryption on the existing volume vol1:

    cluster1::> volume encryption conversion start -vserver vs1 -volume vol1
    The system creates an encryption key for the volume. The data on the volume is encrypted.
  2. Verify the status of the conversion operation: volume encryption conversion show
    For complete command syntax, see the man page for the command.
    Example

    The following command displays the status of the conversion operation:

    cluster1::> volume encryption conversion show
    
    Vserver   Volume   Start Time           Status
    -------   ------   ------------------   ---------------------------
    vs1       vol1     9/18/2017 17:51:41   Phase 2 of 2 is in progress.
  3. When the conversion operation is complete, verify that the volume is enabled for encryption: volume show -is-encrypted true
    For complete command syntax, see the man page for the command.
    Example

    The following command displays the encrypted volumes on cluster1:

    cluster1::> volume show -is-encrypted true
    
    Vserver  Volume  Aggregate  State  Type  Size  Available  Used
    -------  ------  ---------  -----  ----  -----  --------- ----
    vs1      vol1    aggr2     online    RW  200GB    160.0GB  20%               
    

Result

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically "pushes" an encryption key to the server when you encrypt a volume.