Enable node root volume encryption


Beginning in ONTAP 9.8, you can use NetApp Volume Encryption to protect the root volume of your node.

What you’ll need
  • Your system must be using an HA configuration.

    Root volume encryption is not supported on single node configurations.

  • Your node root volume must already be created.

  • Your system must have an onboard key manager or an external key management server using the Key Management Interoperability Protocol (KMIP).

About this task

This procedure applies to the node root volume. It does not apply to SVM root volumes. SVM root volumes can be protected through aggregate-level encryption.

Once root volume encryption begins, it must complete. You cannot pause the operation. Once encryption is complete, you cannot assign a new key to the root volume and you cannot perform a secure-purge operation.

  1. Encrypt the root volume:

    volume encryption conversion start -vserver SVM_name -volume root_vol_name

  2. Verify the status of the conversion operation:

    volume encryption conversion show

  3. When the conversion operation is complete, verify that the volume is encrypted:

    volume show -fields

    The following shows example output for an encrypted volume.

    ::> volume show -vserver xyz  -volume vol0 -fields is-encrypted
    vserver    volume is-encrypted
    ---------- ------ ------------
    xyz        vol0   true