EnableEncryptionAtRest

You can use the EnableEncryptionAtRest method to enable the Advanced Encryption Standard (AES) 256-bit encryption at rest on the cluster so that the cluster can manage the encryption key used for the drives on each node. This feature is not enabled by default.

When you enable Encryption at Rest, the cluster automatically manages encryption keys internally for the drives on each node in the cluster. Nodes do not store the keys to unlock drives and the keys are never passed over the network. Two nodes participating in a cluster are required to access the key to disable encryption on a drive. The encryption management does not affect performance or efficiency on the cluster. If an encryption-enabled drive or node is removed from the cluster with the API, Encryption at Rest is disabled and the data is not secure erased. Data can be secure erased using the SecureEraseDrives API method.

Note: If you have a node type with a model number ending in "-NE", the EnableEncryptionAtRest method call will fail with a response of "Encryption not allowed. Cluster detected non-encryptable node".
Note: You should only enable or disable encryption when the cluster is running and in a healthy state. You can enable or disable encryption at your discretion and as often as you need.
Note: This process is asynchronous and returns a response before encryption is enabled. You can use the GetClusterInfo method to poll the system to see when the process has completed.

Parameters

This method has no input parameters.

Return values

This method has no return values.

Request example

Requests for this method are similar to the following example: 

{
   "method": "EnableEncryptionAtRest",
   "params": {},
   "id": 1
}

Response examples

This method returns a response similar to the following example from the EnableEncryptionAtRest method. There is no result to report. 

{
   "id": 1,
   "result": {}
}

While Encryption At Rest is being enabled on a cluster, GetClusterInfo returns a result describing the state of Encryption at Rest ("encryptionAtRestState") as "enabling". After Encryption At Rest is fully enabled, the returned state changes to "enabled".

{
   "id": 1,
      "result": {
         "clusterInfo": {
            "attributes": { },
               "encryptionAtRestState": "enabling",
            "ensemble": [
               "10.10.5.94",
               "10.10.5.107",
               "10.10.5.108"
            ],
            "mvip": "192.168.138.209",
            "mvipNodeID": 1,
            "name": "Marshall",
            "repCount": 2,
            "svip": "10.10.7.209",
            "svipNodeID": 1,
            "uniqueID": "91dt"
      }
   }
}
Parent topic: Cluster API methods
Related reference
SecureEraseDrives
GetClusterInfo
Copyright © 1994-2019, NetApp, Inc. All rights reserved.
Part number: 215-14525_2019-09_en-us
September 2019