Enabling encryption on a new volume

You can use the volume create command to enable encryption on a new volume.

About this task

Starting with ONTAP 9.2, you can enable encryption on a SnapLock volume.

Starting with ONTAP 9.4, if you enable "cc-mode" when you set up the Onboard Key Manager, volumes you create with the volume create command are automatically encrypted, whether or not you specify -encrypt true.

Starting with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be encrypted. Volumes you create in the aggregate are encrypted by default. You can use the -encrypt option to override the default when you create the volume.

Starting with ONTAP 9.7, newly created volumes are encrypted by default when you have the NVE license and onboard or external key management.

A volume encrypted with a unique key is called an NVE volume. A volume encrypted with an aggregate-level key is called an NAE volume (for NetApp Aggregate Encryption). Plaintext volumes are not supported in NAE aggregates.

Steps

  1. Create a new volume and specify whether encryption is enabled on the volume:
    To create...                                                              Use this command...
    An ONTAP 9.7 or later NAE volume                                          volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name
    An ONTAP 9.6 NAE volume (assuming aggregate-level encryption is enabled)  volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name
    An ONTAP 9.7 or later NVE volume                                          volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name
    An ONTAP 9.6 or earlier NVE volume                                        volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true
    A plaintext volume                                                        volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt false
    For complete command syntax, see the man page for the command.
    Example

    In ONTAP 9.7 or later, the following command creates an NAE volume named vol1 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol1 -aggregate aggr1
    Example

    Using ONTAP 9.6, assuming aggregate-level encryption is enabled, the following command creates an NAE volume named vol1 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol1 -aggregate aggr1
    Example

    In ONTAP 9.7 or later, the following command creates an NVE volume named vol2 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol2 -aggregate aggr1
    Example

    Using ONTAP 9.6 or earlier, the following command creates an NVE volume named vol2 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol2 -aggregate aggr1 -encrypt true
    Example

    The following command creates a plaintext volume named vol3 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol3 -aggregate aggr1 -encrypt false
  2. Verify that volumes are enabled for encryption: volume show -is-encrypted true
    For complete command syntax, see the man page for the command.
    Example

    The following command displays the encrypted volumes on cluster2:

    cluster2::> volume show -is-encrypted true
    
    Vserver  Volume  Aggregate  State   Type  Size   Available  Used
    -------  ------  ---------  ------  ----  -----  ---------  ----
    vs1      vol1    aggr2      online  RW    200GB  160.0GB    20%
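
The check in step 2 can be made repeatable. The following is an added example, not NetApp code: it parses captured output of volume show -is-encrypted true and reports which volumes from an inventory are missing from it. The sample output and the inventory are constructed, the function names are hypothetical, and the parser assumes each volume prints on a single line.

```python
# Constructed sample in the layout of the "volume show -is-encrypted true"
# example on this page; it is not output from a real cluster.
SAMPLE_OUTPUT = """\
cluster2::> volume show -is-encrypted true

Vserver  Volume  Aggregate  State  Type  Size  Available  Used
-------  ------  ---------  -----  ----  -----  --------- ----
vs1      vol1    aggr2     online    RW  200GB    160.0GB  20%
vs1      vol2    aggr2     online    RW  100GB     90.0GB  10%
"""


def parse_encrypted_volumes(text):
    """Map (vserver, volume) -> row dict for every data row in the listing."""
    lines = text.splitlines()
    # The column header is the line directly above the dashed rule.
    rule = next((i for i, ln in enumerate(lines)
                 if ln.strip() and set(ln.strip()) <= {"-", " "}), None)
    if rule is None or rule == 0:
        return {}  # no table found: treat as "nothing is encrypted"
    names = [n.lower() for n in lines[rule - 1].split()]
    rows = {}
    for ln in lines[rule + 1:]:
        fields = ln.split()
        if len(fields) != len(names):
            continue  # blank lines, prompts, or trailing summary text
        row = dict(zip(names, fields))
        rows[(row["vserver"], row["volume"])] = row
    return rows


def missing_encryption(expected, text):
    """Return the expected (vserver, volume) pairs absent from the listing."""
    encrypted = parse_encrypted_volumes(text)
    return sorted(set(expected) - set(encrypted))


if __name__ == "__main__":
    # Hypothetical inventory: vol3 was created with -encrypt false.
    must_encrypt = [("vs1", "vol1"), ("vs1", "vol2"), ("vs1", "vol3")]
    for vserver, volume in missing_encryption(must_encrypt, SAMPLE_OUTPUT):
        print(f"NOT ENCRYPTED: {vserver}:{volume}")
```

Empty or unparseable output flags every inventoried volume, so a failed capture cannot pass as a clean result.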
    

Result

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically "pushes" an encryption key to the server when you encrypt a volume.