Skip to main content

Change the encryption key for a volume with the volume move start command

Contributors netapp-ahibbard netapp-thomi netapp-aherbin
PDFs

It is a security best practice to change the encryption key for a volume periodically. You can use the volume move start command to change the encryption key. You must use volume move start in ONTAP 9.2 and earlier. The moved volume can reside on the same aggregate or a different aggregate.

About this task

You cannot use volume move start to rekey a SnapLock or FlexGroup volume.

Before you begin

You must be a cluster administrator to perform this task. Alternately, you can be an SVM administrator to whom the cluster administrator has delegated authority. For more information, see delegate authority to run the volume move command.

Steps

  1. Move an existing volume and change the encryption key:

    volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -generate-destination-key true

    For complete command syntax, see the man page for the command.

    The following command moves an existing volume named vol1 to the destination aggregate aggr2 and changes the encryption key:

    cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -generate-destination-key true

    A new encryption key is created for the volume. The data on the volume remains encrypted.

  2. Verify that the volume is enabled for encryption:

    volume show -is-encrypted true

    For complete command syntax, see the man page for the command.

    The following command displays the encrypted volumes on cluster1:

    cluster1::> volume show -is-encrypted true

Vserver  Volume  Aggregate  State  Type  Size  Available  Used
-------  ------  ---------  -----  ----  -----  --------- ----
vs1      vol1    aggr2     online    RW  200GB    160.0GB  20%