Enabling encryption on a new volume

You can use the volume create command to enable encryption on a new volume.

About this task

Starting with ONTAP 9.2, you can enable encryption on a SnapLock volume.

Starting with ONTAP 9.4, if you enable "cc-mode" when you set up the Onboard Key Manager, volumes you create with the volume create command are automatically encrypted, whether or not you specify -encrypt true.

Starting with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be encrypted. Volumes you create in the aggregate are encrypted by default. You can use the -encrypt option to override the default when you create the volume.

A volume encrypted with a unique key is called an NVE volume. A volume encrypted with an aggregate-level key is called an NAE volume (for NetApp Aggregate Encryption). Plaintext volumes are not supported in NAE aggregates.

Steps

  1. Create a new volume and specify whether encryption is enabled on the volume:
    To create an NAE volume (assuming aggregate-level encryption is enabled), use this command:

    volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name

    To create an NVE volume, use this command:

    volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true

    To create a plaintext volume, use this command:

    volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt false

    For complete command syntax, see the man page for the command.

    Example

    Assuming aggregate-level encryption is enabled, the following command creates an NAE volume named vol1 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol1 -aggregate aggr1

    Example

    The following command creates an NVE volume named vol2 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol2 -aggregate aggr1 -encrypt true

    Example

    The following command creates a plaintext volume named vol3 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol3 -aggregate aggr1 -encrypt false
  2. Verify that volumes are enabled for encryption: volume show -is-encrypted true
    For complete command syntax, see the man page for the command.

    Example

    The following command displays the encrypted volumes on cluster2:

    cluster2::> volume show -is-encrypted true
    
    Vserver  Volume  Aggregate  State   Type  Size   Available  Used
    -------  ------  ---------  ------  ----  -----  ---------  ----
    vs1      vol1    aggr2      online  RW    200GB  160.0GB    20%
    
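The verification in step 2 can be turned into an audit check that compares the output of volume show -is-encrypted true against the volumes you expect to be encrypted. The following is an added example, not NetApp code: the function names, the expected-volume inventory, and the sample output (constructed, modeled on the table above) are assumptions.

```python
# Added example: audit check built on `volume show -is-encrypted true` output.
# SAMPLE_OUTPUT and EXPECTED are constructed for illustration only.

SAMPLE_OUTPUT = """\
cluster2::> volume show -is-encrypted true

Vserver  Volume  Aggregate  State   Type  Size   Available  Used
-------  ------  ---------  ------  ----  -----  ---------  ----
vs1      vol1    aggr2      online  RW    200GB  160.0GB    20%
vs1      vol2    aggr2      online  RW    100GB  90.0GB     10%
"""

# Hypothetical inventory of (vserver, volume) pairs that policy says must be encrypted.
EXPECTED = {("vs1", "vol1"), ("vs1", "vol2"), ("vs1", "vol3")}


def parse_encrypted_volumes(cli_output):
    """Return the set of (vserver, volume) pairs listed in the table."""
    rows = set()
    in_table = False
    for line in cli_output.splitlines():
        fields = line.split()
        if not in_table:
            # Data rows start after the separator line made only of dashes.
            in_table = bool(fields) and all(set(f) == {"-"} for f in fields)
            continue
        if len(fields) != 8:
            # Skip blank lines and any trailing summary line.
            continue
        rows.add((fields[0], fields[1]))
    return rows


def find_unencrypted(expected, cli_output):
    """Return expected volumes that the filtered listing does not show.

    If the output contains no table at all, every expected volume is
    reported, so an empty or failed query never passes the audit silently.
    """
    return sorted(set(expected) - parse_encrypted_volumes(cli_output))


if __name__ == "__main__":
    for vserver, volume in find_unencrypted(EXPECTED, SAMPLE_OUTPUT):
        print(f"NOT ENCRYPTED: {vserver}:{volume}")
```
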

Result

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically "pushes" an encryption key to the server when you encrypt a volume.