Enable encryption on an existing volume
You can use either the volume move start or the volume encryption conversion start command to enable encryption on an existing volume.
- Beginning with ONTAP 9.3, you can use the volume encryption conversion start command to enable encryption of an existing volume "in place," without having to move the volume to a different location. Alternatively, you can use the volume move start command.
- For ONTAP 9.2 and earlier, you can use only the volume move start command to enable encryption by moving an existing volume.
Enable encryption on an existing volume with the volume encryption conversion start command
Beginning with ONTAP 9.3, you can use the volume encryption conversion start command to enable encryption of an existing volume "in place," without having to move the volume to a different location.
After you start a conversion operation, it must be completed. If you encounter a performance issue during the operation, you can run the volume encryption conversion pause command to pause the operation, and the volume encryption conversion resume command to resume the operation.
You cannot use volume encryption conversion start to convert a SnapLock volume.
- Enable encryption on an existing volume:
  volume encryption conversion start -vserver SVM_name -volume volume_name
  For the entire command syntax, see the man page for the command.
  The following command enables encryption on existing volume vol1:
  cluster1::> volume encryption conversion start -vserver vs1 -volume vol1
  The system creates an encryption key for the volume. The data on the volume is encrypted.
- Verify the status of the conversion operation:
  volume encryption conversion show
  For the entire command syntax, see the man page for the command.
  The following command displays the status of the conversion operation:
  cluster1::> volume encryption conversion show
  Vserver Volume Start Time         Status
  ------- ------ ------------------ ---------------------------
  vs1     vol1   9/18/2017 17:51:41 Phase 2 of 2 is in progress.
- When the conversion operation is completed, verify that the volume is enabled for encryption:
  volume show -is-encrypted true
  For the entire command syntax, see the man page for the command.
  The following command displays the encrypted volumes on cluster1:
  cluster1::> volume show -is-encrypted true
  Vserver Volume Aggregate State  Type Size  Available Used
  ------- ------ --------- ------ ---- ----- --------- ----
  vs1     vol1   aggr2     online RW   200GB 160.0GB   20%
If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically “pushes” an encryption key to the server when you encrypt a volume.
Enable encryption on an existing volume with the volume move start command
You can use the volume move start command to enable encryption by moving an existing volume. You must use volume move start in ONTAP 9.2 and earlier. You can use the same aggregate or a different aggregate.
- Beginning with ONTAP 9.8, you can use volume move start to enable encryption on a SnapLock or FlexGroup volume.
- Beginning with ONTAP 9.4, if you enable "cc-mode" when you set up the Onboard Key Manager, volumes you create with the volume move start command are automatically encrypted. You need not specify -encrypt-destination true.
- Beginning with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be moved. A volume encrypted with a unique key is called an NVE volume (meaning it uses NetApp Volume Encryption). A volume encrypted with an aggregate-level key is called an NAE volume (for NetApp Aggregate Encryption). Plaintext volumes are not supported in NAE aggregates.
- Beginning with ONTAP 9.14.1, you can encrypt an SVM root volume with NVE. For more information, see Configure NetApp Volume Encryption on an SVM root volume.
You must be a cluster administrator to perform this task, or an SVM administrator to whom the cluster administrator has delegated authority.
- Move an existing volume and specify whether encryption is enabled on the volume:
  To convert a plaintext volume to an NVE volume:
  volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-destination true
  To convert an NVE or plaintext volume to an NAE volume (assuming aggregate-level encryption is enabled on the destination):
  volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-with-aggr-key true
  To convert an NAE volume to an NVE volume:
  volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-with-aggr-key false
  To convert an NAE volume to a plaintext volume:
  volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-destination false -encrypt-with-aggr-key false
  To convert an NVE volume to a plaintext volume:
  volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-destination false
  For the entire command syntax, see the man page for the command.
  The following command converts a plaintext volume named vol1 to an NVE volume:
  cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -encrypt-destination true
  Assuming aggregate-level encryption is enabled on the destination, the following command converts an NVE or plaintext volume named vol1 to an NAE volume:
  cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -encrypt-with-aggr-key true
  The following command converts an NAE volume named vol2 to an NVE volume:
  cluster1::> volume move start -vserver vs1 -volume vol2 -destination-aggregate aggr2 -encrypt-with-aggr-key false
  The following command converts an NAE volume named vol2 to a plaintext volume:
  cluster1::> volume move start -vserver vs1 -volume vol2 -destination-aggregate aggr2 -encrypt-destination false -encrypt-with-aggr-key false
  The following command converts an NVE volume named vol2 to a plaintext volume:
  cluster1::> volume move start -vserver vs1 -volume vol2 -destination-aggregate aggr2 -encrypt-destination false
- View the encryption type of cluster volumes:
  volume show -fields encryption-type none|volume|aggregate
  The encryption-type field is available in ONTAP 9.6 and later. For the entire command syntax, see the man page for the command.
  The following command displays the encryption type of volumes in cluster2:
  cluster2::> volume show -fields encryption-type
  vserver volume encryption-type
  ------- ------ ---------------
  vs1     vol1   none
  vs2     vol2   volume
  vs3     vol3   aggregate
- Verify that volumes are enabled for encryption:
  volume show -is-encrypted true
  For the entire command syntax, see the man page for the command.
  The following command displays the encrypted volumes on cluster2:
  cluster2::> volume show -is-encrypted true
  Vserver Volume Aggregate State  Type Size  Available Used
  ------- ------ --------- ------ ---- ----- --------- ----
  vs1     vol1   aggr2     online RW   200GB 160.0GB   20%
If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically pushes an encryption key to the server when you encrypt a volume.
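The following script is an added example, not part of the NetApp documentation or of ONTAP itself. It parses the text output of volume show -fields encryption-type (shown in the step above) to find volumes that are still plaintext or on the wrong key type, and builds the matching volume move start command from the conversion table in the first step. The sample output is constructed; the destination aggregate name aggr2 is an assumption.

```python
"""Audit ONTAP encryption-type output and plan volume move conversions (added example)."""
from typing import Dict, List, Tuple

# Constructed sample in the same layout as the cluster2 output shown above.
SAMPLE_OUTPUT = """\
cluster2::> volume show -fields encryption-type
vserver volume encryption-type
------- ------ ---------------
vs1     vol1   none
vs2     vol2   volume
vs3     vol3   aggregate
"""

# encryption-type values as ONTAP prints them: none=plaintext, volume=NVE, aggregate=NAE
TYPE_NAMES = {"none": "plaintext", "volume": "NVE", "aggregate": "NAE"}

# (current type, wanted type) -> volume move start flags, from the conversion table above.
MOVE_FLAGS: Dict[Tuple[str, str], str] = {
    ("none", "volume"): "-encrypt-destination true",
    ("none", "aggregate"): "-encrypt-with-aggr-key true",
    ("volume", "aggregate"): "-encrypt-with-aggr-key true",
    ("aggregate", "volume"): "-encrypt-with-aggr-key false",
    ("aggregate", "none"): "-encrypt-destination false -encrypt-with-aggr-key false",
    ("volume", "none"): "-encrypt-destination false",
}

def parse_encryption_types(output: str) -> List[Tuple[str, str, str]]:
    """Return (vserver, volume, encryption-type) rows from the show output."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        # Prompt, header and separator lines never carry a valid type in column 3.
        if len(parts) == 3 and parts[2] in TYPE_NAMES:
            rows.append((parts[0], parts[1], parts[2]))
    return rows

def plan_conversion(output: str, wanted: str, dest_aggr: str) -> List[str]:
    """Build a volume move start command for each volume whose type is not `wanted`."""
    if wanted not in TYPE_NAMES:
        raise ValueError(f"unknown encryption-type {wanted!r}")
    commands = []
    for vserver, volume, current in parse_encryption_types(output):
        if current != wanted:
            commands.append(
                f"volume move start -vserver {vserver} -volume {volume} "
                f"-destination-aggregate {dest_aggr} {MOVE_FLAGS[(current, wanted)]}"
            )
    return commands
```

Review the generated commands before running them on the cluster: an NAE target still requires aggregate-level encryption to be enabled on the destination aggregate, which the script does not check.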