Skip to main content

Enable node root volume encryption

Contributors netapp-ahibbard netapp-thomi

Beginning with ONTAP 9.8, you can use NetApp Volume Encryption to protect the root volume of your node.

Note
About this task
This procedure applies to the node root volume. It does not apply to SVM root volumes. SVM root volumes can be protected through aggregate-level encryption and, beginning with ONTAP 9.14.1, NVE.

Once root volume encryption begins, it must complete. You cannot pause the operation. Once encryption is complete, you cannot assign a new key to the root volume and you cannot perform a secure-purge operation.

Before you begin
  • Your system must be using an HA configuration.

    Root volume encryption is not supported on single node configurations.

  • Your node root volume must already be created.

  • Your system must have an onboard key manager or an external key management server using the Key Management Interoperability Protocol (KMIP).

Steps
  1. Encrypt the root volume:

    volume encryption conversion start -vserver SVM_name -volume root_vol_name

  2. Verify the status of the conversion operation:

    volume encryption conversion show

  3. When the conversion operation is complete, verify that the volume is encrypted:

    volume show -fields

    The following shows example output for an encrypted volume.

    ::> volume show -vserver xyz  -volume vol0 -fields is-encrypted
    vserver    volume is-encrypted
    ---------- ------ ------------
    xyz        vol0   true