Enabling aggregate-level encryption with NVE license

Starting with ONTAP 9.7, newly created aggregates and volumes are encrypted by default when you have the NVE license and onboard or external key management. Starting with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be encrypted. Volumes you create in the aggregate are encrypted by default. You can override the default when you encrypt the volume.

Before you begin

You must be a cluster administrator to perform this task.

About this task

You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication. Aggregate-level deduplication is otherwise not supported by NVE.

An aggregate enabled for aggregate-level encryption is called an NAE volume (for NetApp Aggregate Encryption). Plain text volumes are not supported in NAE aggregates.

Procedure

  1. Enable or disable aggregate-level encryption:
    To... Use this command...
    Create an NAE aggregate with ONTAP 9.7 or later storage aggregate create -aggregate aggregate_name -node node_name
    Create an NAE aggregate with ONTAP 9.6 storage aggregate create -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true
    Convert a non-NAE aggregate to an NAE aggregate storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true
    Convert an NAE aggregate to a non-NAE aggregate storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key false
    For complete command syntax, see the man pages.

    The following command enables aggregate-level encryption on aggr1:

    • ONTAP 9.7 or later:
      cluster1::> storage aggregate create -aggregate aggr1
    • ONTAP 9.6 or earlier:
      cluster1::> storage aggregate create -aggregate aggr1 -encrypt-with-aggr-key true 
  2. Verify that the aggregate is enabled for encryption: storage aggregate show -fields encrypt-with-aggr-key
    For complete command syntax, see the man page.

    The following command verifies that aggr1 is enabled for encryption:

    cluster1::> storage aggregate show -fields encrypt-with-aggr-key 
    aggregate            encrypt-aggr-key
    -------------------- ----------------
    aggr0_vsim4          false
    aggr1                true
    2 entries were displayed.

After you finish

Run the volume create command to create the encrypted volumes.

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically pushes an encryption key to the server when you encrypt a volume.