Skip to main content

Exciting new changes are coming to the Knowledge Base site soon!
Starting April 4, 2023, you will notice Support-Specific categorization and improvements to the search filters on the site. In May, we will be launching a new and enhanced Site UI and Navigation. To know more, read our Knowledge Article.

NetApp Knowledge Base

Is it possible to tune NetApp Volume Encryption conversion/rekey process?

Last Updated:

Applies to

  • NetApp Volume Encryption (NVE)
  • ONTAP 9


Article covers basic NetApp Volume Encryption (NVE) questions when using volume encryption conversion and volume encryption rekey commands to convert an existing volume from unencrypted to encrypted or rekey an existing encrypted volume.

Is it possible to change how many volume conversion jobs can be running per node?
  • There is no way to tune NVE conversion process. 
  • It is recommended to initiate no more than 4 conversion jobs per node at one time.
Is there a way to increase the priority of NVE conversion job?
  • There is no way to change priority of the NVE conversion process. ONTAP gives priority to data access operations over NVE process.
  • Decreasing workload on the storage system increases the priority of conversion job(s).

Note: It is recommended to have no more than four combined encryption conversions or encryption volume moves per node at the same time.

Two volume conversions and two volume encryption moves on a single node are within the recommendation, but four volume conversions and four volume encryption moves on a single node would not be recommended.

Additional Information

If you cannot wait for the conversion to complete, perform this process to use a volume move instead:

  1. Ensure conversion is in a paused state

::>volume encryption conversion show 

::*> volume encryption conversion show
Vserver    Volume       Start Time            Status
---------- ------------ --------------------- -----------------------
NAS        test         3/29/2022 12:53:47    Paused by user


  1. Once paused, perform a volume move to either the same aggregate or a new destination using "-encrypt-destination true"

::*> vol move start -volume test -vserver NAS -destination-aggregate aggr1_urithiru_01 -encrypt-destination true

Warning: Volume encryption operation is already in progress on volume "test". Volume move will use the new key to encrypt
         the destination.
Do you want to continue? {y|n}: y
[Job 2829] Job is queued: Move "test" in Vserver "NAS" to aggregate "aggr1_urithiru_01". Use the "volume move show -vserver NAS -volume test" command to view the status of this operation.


  1. When the move is complete, observe the move table AND conversion tables are empty. 

::*> volume encryption conversion show
There is no volume encryption conversion in progress.

::*> vol move show
This table is currently empty.

  1. The end result is an encrypted volume. 

::*> vol show test -fields encryption-state,encryption-type,key-id
vserver volume encryption-type encryption-state key-id                                                                       
------- ------ --------------- ---------------- --------------------------------------------------------------------------------
NAS     test   volume          full             000000000000000002000000000005005bd8884c3a197cedc9c1cf4975486e000000000000000000


Scan to view the article on your device