How to convert plain text volume to use NAE
- ONTAP 9.6 and later
- NetApp Aggregate Encryption (NAE)
- This article describes how to convert plain text volumes to NAE volumes.
- NAE was introduced in ONTAP 9.6 and uses shared keys at aggregate level to allow encryption of the volumes within that aggregate.
- You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication.
- ONTAP 9.6 or later
- Volume Encryption (VE) license
- key manager (onboard or external)
- Available space in the aggregate to convert the SVM-root from plain text to NAE volume
The following steps will guide you through converting plain text existing aggregates to NAE.
1. NAE aggregates do not support plain-text volumes; thus, it is necessary to convert plain-text volumes to NVE (NetApp Volume Encryption) first:
Encrypt in-place from plain-text volume to NVE
Encrypt to NVE by moving the volume to another aggregate
Note: You can volume move to the same aggregate as the destination
2. SVM root must also be encrypted before converting aggregate to NAE. Use
volume move start to accomplish this.
• Volume move the SVM root volumes to another data aggregate:
::> volume move start -volume <svm_root> -destination-aggregate <aggr_dest>
• Volume move the SVM back to the original aggregate:
::> volume move start -volume <svm_root> -destination-aggregate <aggr_src> -encrypt-with-aggr-key true
3. Convert the aggregate to NAE.
::> storage aggregate modify -aggregate aggr1 -encrypt-with-aggr-key true
4. Then, convert the rest of the volumes to NAE volumes. Run the
volume move start command to convert each volume within aggregate from NVE to NAE.
::> volume move start -volume vol_with_nve -destination-aggregate aggr1 -encrypt-with-aggr-key true
[Job 92] Job is queued: Move "vol_with_nve" in Vserver "svm1" to aggregate "aggr1". Use the "volume move show -vserver svm1 -volume vol_with_nve" command to view the status of this operation.
• Allow the volume move command to finish. This will take a varying amount of time depending upon the amount of data within the volume and the available resources of the cluster.
::> volume move show -vserver svm1 -volume vol_with_nve -fields state
vserver volume state
------- ------------ -----
svm1 vol_with_nve done
5. This is optional, but one of the main benefits of NAE. On AFF aggregates, configure aggregate level inline deduplication settings for the volume.
::> volume efficiency modify -vserver svm1 -volume vol_with_nve -cross-volume-inline-dedupe true -cross-volume-background-dedupe true
6. To confirm all volumes are NAE:
::> volume show -fields encryption-type -aggregate aggr1
vserver volume encryption-type
------- ------------ ---------------
svm1 vol_with_nve aggregate
svm1 vol_without_nve aggregate
2 entries were displayed.