Change the encryption key for a volume with the volume move start command

Contributors

It is a security best practice to change the encryption key for a volume periodically. You can use the volume move start command to change the encryption key. You must use volume move start in ONTAP 9.2 and earlier. The moved volume can reside on the same aggregate or a different aggregate.

What you’ll need

You must be a cluster administrator to perform this task, or an SVM administrator to whom the cluster administrator has delegated authority.

About this task

You cannot use volume move start to rekey a SnapLock or FlexGroup volume.

Steps
  1. Move an existing volume and change the encryption key:

    volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -generate-destination-key true

    For complete command syntax, see the man page for the command.

    The following command moves an existing volume named vol1 to the destination aggregate aggr2 and changes the encryption key:

    cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -generate-destination-key true

    A new encryption key is created for the volume. The data on the volume remains encrypted.

  2. Verify that the volume is enabled for encryption:

    volume show -is-encrypted true

    For complete command syntax, see the man page for the command.

    The following command displays the encrypted volumes on cluster1:

    cluster1::> volume show -is-encrypted true
    
    Vserver  Volume  Aggregate  State  Type  Size  Available  Used
    -------  ------  ---------  -----  ----  -----  --------- ----
    vs1      vol1    aggr2     online    RW  200GB    160.0GB  20%