Skip to main content

Configure NetApp Volume Encryption on an SVM root volume

Contributors netapp-ahibbard netapp-aherbin
PDFs

Beginning with ONTAP 9.14.1, you can enable NetApp Volume Encryption (NVE) on a storage VM (SVM) root volume. With NVE, the root volume is encrypted with a unique key, enabling greater security on the SVM.

About this task

NVE on an SVM root volume can only be enabled after the SVM has been created.

Before you begin

  • The SVM root volume must not be on an aggregate encrypted with NetApp Aggregate Encryption (NAE).

  • You must have enabled encryption with the Onboard Key Manager or an external key manager.

  • You must be running ONTAP 9.14.1 or later.

  • To migrate an SVM containing a root volume encrypted with NVE, you must convert the SVM root volume to a plain text volume after the migration completes then re-encrypt the SVM root volume.

    • If the destination aggregate of the SVM migration uses NAE, the root volume inherits NAE by default.

  • If the SVM is in an SVM disaster recovery relationship:

    • Encryption settings on a mirrored SVM are not copied to the destination. If you enable NVE on the source or destination, you must separately enable NVE on the mirrored SVM root volume.

    • If all aggregates in the destination cluster use NAE, the SVM root volume will use NAE.

Steps

You can enable NVE on an SVM root volume with the ONTAP CLI or System Manager.

CLI

You can enable NVE on the SVM root volume in-place or by moving the volume between aggregates.

Encrypt the root volume in place

  1. Convert the root volume to an encrypted volume:

    volume encryption conversion start -vserver svm_name -volume volume

  2. Confirm the encryption succeeded. The volume show -encryption-type volume displays a list of all volumes using NVE.

Encrypt the SVM root volume by moving it

  1. Initiate a volume move:

    volume move start -vserver svm_name -volume volume -destination-aggregate aggregate -encrypt-with-aggr-key false -encrypt-destination true

    For more information about volume move, see Move a volume.

  2. Confirm the volume move operation succeeded with the volume move show command. The volume show -encryption-type volume displays a list of all volumes using NVE.

System Manager

  1. Navigate to Storage > Volumes.

  2. Next to the name of the SVM root volume you want to encrypt, select Menu options icon then Edit.

  3. Under the Storage and Optimization heading, select Enable encryption.

  4. Select Save.