Enable encryption on a new volume
You can use the volume create
command to enable encryption on a new volume.
You can encrypt volumes using NetApp Volume Encryption (NVE) and, beginning with ONTAP 9.6, NetApp Aggregate Encryption (NAE). To learn more about NAE and NVE, refer to the volume encryption overview.
Learn more about the commands described in this procedure in the ONTAP command reference.
The procedure to enable encryption on a new volume in ONTAP varies based on the version of ONTAP you are using and your specific configuration:
-
Beginning with ONTAP 9.4, if you enable
cc-mode
when you set up the Onboard Key Manager, volumes you create with thevolume create
command are automatically encrypted, whether or not you specify-encrypt true
. -
In ONTAP 9.6 and earlier releases, you must use
-encrypt true
withvolume create
commands to enable encryption (provided you did not enablecc-mode
). -
If you want to create an NAE volume in ONTAP 9.6, you must enable NAE at the aggregate level. Refer to Enable aggregate-level encryption with the VE license for more details on this task.
-
Beginning with ONTAP 9.7, newly created volumes are encrypted by default when you have the VE license and onboard or external key management. By default, new volumes created in an NAE aggregate will be of type NAE rather than NVE.
-
In ONTAP 9.7 and later releases, if you add
-encrypt true
to thevolume create
command to create a volume in an NAE aggregate, the volume will have NVE encryption instead of NAE. All volumes in an NAE aggregate must be encrypted with either NVE or NAE.
-
Plaintext volumes are not supported in NAE aggregates. |
-
Create a new volume and specify whether encryption is enabled on the volume. If the new volume is in an NAE aggregate, by default the volume will be an NAE volume:
To create…
Use this command…
An NAE volume
volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name
An NVE volume
volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true
In ONTAP 9.6 and earlier where NAE is not supported, -encrypt true
specifies that the volume should be encrypted with NVE. In ONTAP 9.7 and later where volumes are created in NAE aggregates,-encrypt true
overrides the default encryption type of NAE to create an NVE volume instead.A plain text volume
volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt false
Learn more about the
volume create
command in the ONTAP command reference. -
Verify that volumes are enabled for encryption:
volume show -is-encrypted true
For complete command syntax, see the ONTAP command reference.
If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically "pushes" an encryption key to the server when you encrypt a volume.