Release notes
Enable encryption on a new volume
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Data protection with the CLI
-
-
Collection of separate PDF docs
Creating your file...
You can use the volume create command to enable encryption on a new volume.
You can encrypt volumes using NetApp Volume Encryption (NVE) and, beginning with ONTAP 9.6, NetApp Aggregate Encryption (NAE). To learn more about NAE and NVE, refer to the volume encryption overview.
The procedure to enable encryption on a new volume in ONTAP varies based on the version of ONTAP you are using and your specific configuration:
-
Beginning with ONTAP 9.4, if you enable
cc-modewhen you set up the Onboard Key Manager, volumes you create with thevolume createcommand are automatically encrypted, whether or not you specify-encrypt true. -
In ONTAP 9.6 and earlier releases, you must use
-encrypt truewithvolume createcommands to enable encryption (provided you did not enablecc-mode). -
If you want to create an NAE volume in ONTAP 9.6, you must enable NAE at the aggregate level. Refer to Enable aggregate-level encryption with the VE license for more details on this task.
-
Beginning with ONTAP 9.7, newly created volumes are encrypted by default when you have the VE license and onboard or external key management. By default, new volumes created in an NAE aggregate will be of type NAE rather than NVE.
-
In ONTAP 9.7 and later releases, if you add
-encrypt trueto thevolume createcommand to create a volume in an NAE aggregate, the volume will have NVE encryption instead of NAE. All volumes in an NAE aggregate must be encrypted with either NVE or NAE.
-
|
Plaintext volumes are not supported in NAE aggregates. |
-
Create a new volume and specify whether encryption is enabled on the volume. If the new volume is in an NAE aggregate, by default the volume will be an NAE volume:
To create…
Use this command…
An NAE volume
volume create -vserver SVM_name -volume volume_name -aggregate aggregate_nameAn NVE volume
volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true
In ONTAP 9.6 and earlier where NAE is not supported, -encrypt truespecifies that the volume should be encrypted with NVE. In ONTAP 9.7 and later where volumes are created in NAE aggregates,-encrypt trueoverrides the default encryption type of NAE to create an NVE volume instead.A plain text volume
volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt falseFor complete command syntax, refer to the command reference page for
volume create. -
Verify that volumes are enabled for encryption:
volume show -is-encrypted trueFor complete command syntax, see the command reference.
If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically "pushes" an encryption key to the server when you encrypt a volume.