Change the encryption key for a volume with the ONTAP volume move start command
It is a security best practice to change the encryption key for a volume periodically. You can use the volume move start command to change the encryption key. The moved volume can reside on the same aggregate or a different aggregate.
You cannot use volume move start to rekey a SnapLock or FlexGroup volume.
You must be a cluster administrator to perform this task.
- Move an existing volume and change the encryption key:

  volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -generate-destination-key true

  Learn more about volume move start in the ONTAP command reference.

  The following command moves an existing volume named vol1 to the destination aggregate aggr2 and changes the encryption key:

  cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -generate-destination-key true

  A new encryption key is created for the volume. The data on the volume remains encrypted.
- Verify that the volume is enabled for encryption:

  volume show -is-encrypted true

  Learn more about volume show in the ONTAP command reference.

  The following command displays the encrypted volumes on cluster1:

  cluster1::> volume show -is-encrypted true

  Vserver  Volume  Aggregate  State   Type  Size   Available  Used
  -------  ------  ---------  ------  ----  -----  ---------  ----
  vs1      vol1    aggr2      online  RW    200GB  160.0GB    20%
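The verification step above can be scripted when many volumes are rekeyed. The following Python is an added example, not part of the ONTAP documentation: it parses captured volume show -is-encrypted true output and checks that a volume is listed as encrypted, online, and on the expected destination aggregate. The function names are hypothetical and the sample output is constructed from the example on this page.

```python
# Added example: parse `volume show -is-encrypted true` output and check a rekeyed volume.
# SAMPLE_OUTPUT is constructed from the example on this page; helper names are hypothetical.

SAMPLE_OUTPUT = """\
cluster1::> volume show -is-encrypted true

Vserver  Volume  Aggregate  State   Type  Size   Available  Used
-------  ------  ---------  ------  ----  -----  ---------  ----
vs1      vol1    aggr2      online  RW    200GB  160.0GB    20%
"""

COLUMNS = ("vserver", "volume", "aggregate", "state", "type", "size", "available", "used")


def parse_encrypted_volumes(output):
    """Return one dict per data row of the table; lines that do not fit are skipped."""
    rows, in_table = [], False
    for line in output.splitlines():
        fields = line.split()
        if not in_table:
            # The table body starts after the dashed separator under the header.
            in_table = bool(fields) and all(set(f) == {"-"} for f in fields)
            continue
        # Skip blank lines, summary lines and prompts; keep only full eight-column rows.
        if len(fields) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, fields)))
    return rows


def check_rekeyed_volume(output, vserver, volume, aggregate):
    """Return a list of problems; an empty list means the volume passed every check."""
    matches = [r for r in parse_encrypted_volumes(output)
               if r["vserver"] == vserver and r["volume"] == volume]
    if not matches:
        return [f"{vserver}:{volume} is not listed as encrypted"]
    row, problems = matches[0], []
    if row["aggregate"] != aggregate:
        problems.append(f"on {row['aggregate']}, expected {aggregate}")
    if row["state"] != "online":
        problems.append(f"state is {row['state']}, expected online")
    return problems


if __name__ == "__main__":
    print(check_rekeyed_volume(SAMPLE_OUTPUT, "vs1", "vol1", "aggr2") or "OK")
```

Like the verification step it automates, this confirms that the volume is encrypted and where it resides; it does not compare the old and new keys.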