Skip to main content

Enable aggregate-level encryption with VE license

Contributors netapp-ahibbard netapp-thomi

Beginning with ONTAP 9.7, newly created aggregates and volumes are encrypted by default when you have the VE license and onboard or external key management. Beginning with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be encrypted.

About this task

You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication. Aggregate-level deduplication is otherwise not supported by NVE.

An aggregate enabled for aggregate-level encryption is called an NAE aggregate (for NetApp Aggregate Encryption). All volumes in an NAE aggregate must be encrypted with NAE or NVE encryption. With aggregate-level encryption, volumes you create in the aggregate are encrypted with NAE encryption by default. You can override the default to use NVE encryption instead.

Plain text volumes are not supported in NAE aggregates.

Before you begin

You must be a cluster administrator to perform this task.

Steps
  1. Enable or disable aggregate-level encryption:

    To…​

    Use this command…​

    Create an NAE aggregate with ONTAP 9.7 or later

    storage aggregate create -aggregate aggregate_name -node node_name

    Create an NAE aggregate with ONTAP 9.6

    storage aggregate create -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true

    Convert a non-NAE aggregate to an NAE aggregate

    storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true

    Convert an NAE aggregate to a non-NAE aggregate

    storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key false

    For complete command syntax, see the man pages.

    The following command enables aggregate-level encryption on aggr1:

    • ONTAP 9.7 or later:

      cluster1::> storage aggregate create -aggregate aggr1
    • ONTAP 9.6 or earlier:

      cluster1::> storage aggregate create -aggregate aggr1 -encrypt-with-aggr-key true
  2. Verify that the aggregate is enabled for encryption:

    storage aggregate show -fields encrypt-with-aggr-key

    For complete command syntax, see the man page.

    The following command verifies that aggr1 is enabled for encryption:

    cluster1::> storage aggregate show -fields encrypt-with-aggr-key
    aggregate            encrypt-aggr-key
    -------------------- ----------------
    aggr0_vsim4          false
    aggr1                true
    2 entries were displayed.
After you finish

Run the volume create command to create the encrypted volumes.

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically “pushes” an encryption key to the server when you encrypt a volume.