Skip to main content
NetApp Knowledge Base

Is it possible to tune NetApp Volume Encryption conversion/rekey process?

Views:
1,113
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

Applies to

  • NetApp Volume Encryption (NVE)
  • ONTAP 9

Answer

Article covers basic NetApp Volume Encryption (NVE) questions when using volume encryption conversion and volume encryption rekey commands to convert an existing volume from unencrypted to encrypted or rekey an existing encrypted volume.

Is it possible to change how many volume conversion jobs can be running per node?
  • There is no way to tune NVE conversion process. 
  • It is recommended to initiate no more than 4 conversion jobs per node at one time.
Is there a way to increase the priority of NVE conversion job?
  • There is no way to change priority of the NVE conversion process. ONTAP gives priority to data access operations over NVE process.
  • Decreasing workload on the storage system increases the priority of conversion job(s).

Note: It is recommended to have no more than four combined encryption conversions or encryption volume moves per node at the same time.
 
Example:

Two volume conversions and two volume encryption moves on a single node are within the recommendation, but four volume conversions and four volume encryption moves on a single node would not be recommended.

Additional Information

If you cannot wait for the conversion to complete, perform this process to use a volume move instead:

  1. Ensure conversion is in a paused state

::>volume encryption conversion show 

::*> volume encryption conversion show
Vserver    Volume       Start Time            Status
---------- ------------ --------------------- -----------------------
NAS        test         3/29/2022 12:53:47    Paused by user

 

  1. Once paused, perform a volume move to either the same aggregate or a new destination using "-encrypt-destination true"

::*> vol move start -volume test -vserver NAS -destination-aggregate aggr1_urithiru_01 -encrypt-destination true

Warning: Volume encryption operation is already in progress on volume "test". Volume move will use the new key to encrypt
         the destination.
Do you want to continue? {y|n}: y
[Job 2829] Job is queued: Move "test" in Vserver "NAS" to aggregate "aggr1_urithiru_01". Use the "volume move show -vserver NAS -volume test" command to view the status of this operation.

 

  1. When the move is complete, observe the move table AND conversion tables are empty. 

::*> volume encryption conversion show
There is no volume encryption conversion in progress.

::*> vol move show
This table is currently empty.

  1. The end result is an encrypted volume. 

::*> vol show test -fields encryption-state,encryption-type,key-id
vserver volume encryption-type encryption-state key-id                                                                       
------- ------ --------------- ---------------- --------------------------------------------------------------------------------
NAS     test   volume          full             000000000000000002000000000005005bd8884c3a197cedc9c1cf4975486e000000000000000000

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.