Securely purge data on an encrypted volume with an Asynchronous SnapMirror relationship

Contributors netapp-thomi netapp-ahibbard

Beginning with ONTAP 9.8, you can use a secure purge to non-disruptively “scrub” data on NVE-enabled volumes with an Asynchronous SnapMirror relationship.

Before you begin
  • You must be a cluster administrator to perform this task.

  • Advanced privileges are required for this task.

About this task

Secure-purge may take from several minutes to many hours to complete, depending on the amount of data in the deleted files. You can use the volume encryption secure-purge show command to view the status of the operation. You can use the volume encryption secure-purge abort command to terminate the operation.

Note: To perform a secure purge on a SAN host, you must delete the entire LUN containing the files you want to purge, or you must be able to punch holes in the LUN for the blocks that belong to the files you want to purge. If you cannot delete the LUN or your host operating system does not support punching holes in the LUN, you cannot perform a secure purge.

Steps
  1. On the storage system, switch to the advanced privilege level:

    set -privilege advanced

  2. Delete the files or the LUN you want to securely purge.

    • On a NAS client, delete the files you want to securely purge.

    • On a SAN host, delete the LUN you want to securely purge or punch holes in the LUN for the blocks that belong to the files you want to purge.

  3. Prepare the destination volume in the Asynchronous SnapMirror relationship to be securely purged:

    volume encryption secure-purge start -vserver SVM_name -volume volume_name -prepare true

    Repeat this step on each volume in your Asynchronous SnapMirror relationship.

  4. If the files you want to securely purge are in Snapshot copies, delete the Snapshot copies:

    snapshot delete -vserver SVM_name -volume volume_name -snapshot snapshot_name

  5. If the files you want to securely purge are in the base Snapshot copies, do the following:

    1. Create a Snapshot copy on the destination volume in the Asynchronous SnapMirror relationship:

      volume snapshot create -snapshot snapshot_name -vserver SVM_name -volume volume_name

    2. Update SnapMirror to move the base Snapshot copy forward:

      snapmirror update -source-snapshot snapshot_name -destination-path destination_path

      Repeat this step for each volume in the Asynchronous SnapMirror relationship.

    3. Repeat substeps 1 and 2 a number of times equal to the number of base Snapshot copies plus one.

      For example, if you have two base Snapshot copies, repeat substeps 1 and 2 three times.

    4. Verify that the base Snapshot copy is present:

      snapshot show -vserver SVM_name -volume volume_name

    5. Delete the base Snapshot copy:

      snapshot delete -vserver svm_name -volume volume_name -snapshot snapshot

  6. Securely purge the deleted files:

    volume encryption secure-purge start -vserver svm_name -volume volume_name

    Repeat this step on each volume in the Asynchronous SnapMirror relationship.

    The following command securely purges the deleted files on “vol1” on SVM “vs1”:

    cluster1::> volume encryption secure-purge start -vserver vs1 -volume vol1

  7. Verify the status of the secure purge operation:

    volume encryption secure-purge show
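
The steps above, assembled into an ordered command plan for review before anything is typed at the cluster prompt. This is an added example, not NetApp code: it only builds strings, using the commands shown on this page, and it rejects values that could smuggle extra CLI syntax into a pasted line. Assumptions: a single source/destination pair, roll-forward Snapshot copies named `purge_roll_N`, base copies deleted on the destination volume, and the function name, sample SVM, volume and Snapshot names are constructed.

```python
import re

# Conservative allow-list for values pasted into commands (an assumption,
# not ONTAP's own naming rules).
_SAFE = re.compile(r"[A-Za-z0-9_.:-]+")

def _ok(value):
    if not _SAFE.fullmatch(value):
        raise ValueError(f"unsafe value for a CLI argument: {value!r}")
    return value

def secure_purge_plan(volumes, dest, dest_path, base_snapshots=(), other_snapshots=()):
    """Return the ordered ONTAP commands for steps 1 and 3-7.

    volumes         -- (svm, volume) for each volume in the relationship
    dest            -- (svm, volume) of the destination volume
    dest_path       -- SnapMirror destination path
    base_snapshots  -- base Snapshot copies that hold the deleted files
    other_snapshots -- (svm, volume, snapshot) for non-base copies (step 4)
    """
    volumes = [(_ok(s), _ok(v)) for s, v in volumes]
    dsvm, dvol = _ok(dest[0]), _ok(dest[1])
    purge = "volume encryption secure-purge"
    cmds = ["set -privilege advanced"]                                 # step 1
    # Step 2 (deleting the files or LUN) is done on the NAS client or SAN host.
    cmds += [f"{purge} start -vserver {s} -volume {v} -prepare true"   # step 3
             for s, v in volumes]
    cmds += [f"snapshot delete -vserver {_ok(s)} -volume {_ok(v)} -snapshot {_ok(n)}"
             for s, v, n in other_snapshots]                           # step 4
    if base_snapshots:                                                 # step 5
        for i in range(1, len(base_snapshots) + 2):  # base copies plus one
            name = f"purge_roll_{i}"                 # constructed name
            cmds.append(f"volume snapshot create -snapshot {name} -vserver {dsvm} -volume {dvol}")
            cmds.append(f"snapmirror update -source-snapshot {name} -destination-path {_ok(dest_path)}")
        cmds.append(f"snapshot show -vserver {dsvm} -volume {dvol}")
        # Assumption: the base copies are deleted on the destination volume.
        cmds += [f"snapshot delete -vserver {dsvm} -volume {dvol} -snapshot {_ok(n)}"
                 for n in base_snapshots]
    cmds += [f"{purge} start -vserver {s} -volume {v}" for s, v in volumes]  # step 6
    cmds.append(f"{purge} show")                                       # step 7
    return cmds

# Constructed sample: one relationship, two base Snapshot copies.
PLAN = secure_purge_plan([("vs1", "vol1"), ("vs2", "vol1_dst")],
                         ("vs2", "vol1_dst"), "vs2:vol1_dst",
                         base_snapshots=["base.1", "base.2"])
if __name__ == "__main__":
    print("\n".join(PLAN))
```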