Skip to main content

Enable encryption on a new volume in ONTAP

Contributors netapp-ahibbard netapp-aaron-holt netapp-thomi netapp-aherbin netapp-lenida
PDFs

You can use the volume create command to enable encryption on a new volume.

About this task

You can encrypt volumes using NetApp Volume Encryption (NVE) and, beginning with ONTAP 9.6, NetApp Aggregate Encryption (NAE). To learn more about NAE and NVE, refer to the volume encryption overview.

Learn more about the commands described in this procedure in the ONTAP command reference.

The procedure to enable encryption on a new volume in ONTAP varies based on the version of ONTAP you are using and your specific configuration:

  • Beginning with ONTAP 9.4, if you enable cc-mode when you set up the Onboard Key Manager, volumes you create with the volume create command are automatically encrypted, whether or not you specify -encrypt true.

  • In ONTAP 9.6 and earlier releases, you must use -encrypt true with volume create commands to enable encryption (provided you did not enable cc-mode).

  • If you want to create an NAE volume in ONTAP 9.6, you must enable NAE at the aggregate level. Refer to Enable aggregate-level encryption with the VE license for more details on this task.

  • Beginning with ONTAP 9.7, newly created volumes are encrypted by default when you have the VE license and onboard or external key management. By default, new volumes created in an NAE aggregate will be of type NAE rather than NVE.

    • In ONTAP 9.7 and later releases, if you add -encrypt true to the volume create command to create a volume in an NAE aggregate, the volume will have NVE encryption instead of NAE. All volumes in an NAE aggregate must be encrypted with either NVE or NAE.

Note Plaintext volumes are not supported in NAE aggregates.
Steps

  1. Create a new volume and specify whether encryption is enabled on the volume. If the new volume is in an NAE aggregate, by default the volume will be an NAE volume:

    To create…​

    Use this command…​

    An NAE volume

    volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name

    An NVE volume

    volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true

    Note In ONTAP 9.6 and earlier where NAE is not supported, -encrypt true specifies that the volume should be encrypted with NVE. In ONTAP 9.7 and later where volumes are created in NAE aggregates, -encrypt true overrides the default encryption type of NAE to create an NVE volume instead.

    A plain text volume

    volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt false

    Learn more about volume create in the ONTAP command reference.

  2. Verify that volumes are enabled for encryption:

    volume show -is-encrypted true

    Learn more about volume show in the ONTAP command reference.

Result

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically "pushes" an encryption key to the server when you encrypt a volume.