How to convert plain text volume to use NAE
Applies to
- ONTAP 9.6 and later
- NetApp Aggregate Encryption (NAE)
Description
- This article describes how to convert plain text volumes to NAE volumes.
- NAE was introduced in ONTAP 9.6 and uses shared keys at the aggregate level to allow encryption of the volumes within that aggregate.
- You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication.
Procedure
- ONTAP 9.6 or later
- Volume Encryption (VE) license
- key manager (onboard or external)
- Available space in the aggregate to convert the SVM root volume from plain text to an NAE volume
The following steps will guide you through converting existing plain-text aggregates to NAE.
1. NAE aggregates do not support plain-text volumes; thus, it is necessary to convert plain-text volumes to NVE (NetApp Volume Encryption) first:
Encrypt in-place from plain-text volume to NVE
OR
Encrypt to NVE by moving the volume to another aggregate
Note: You can use volume move with the same aggregate as the destination.
2. The SVM root volume must also be encrypted before converting the aggregate to NAE. Use volume move start to accomplish this.
• Volume move the SVM root volumes to another data aggregate:
::> volume move start -volume <svm_root> -destination-aggregate <aggr_dest>
• Volume move the SVM root volume back to the original aggregate:
::> volume move start -volume <svm_root> -destination-aggregate <aggr_src> -encrypt-with-aggr-key true
3. Convert the aggregate to NAE.
::> storage aggregate modify -aggregate aggr1 -encrypt-with-aggr-key true
4. Then, convert the rest of the volumes to NAE volumes. Run the volume move start command to convert each volume within the aggregate from NVE to NAE.
::> volume move start -volume vol_with_nve -destination-aggregate aggr1 -encrypt-with-aggr-key true
[Job 92] Job is queued: Move "vol_with_nve" in Vserver "svm1" to aggregate "aggr1". Use the "volume move show -vserver svm1 -volume vol_with_nve" command to view the status of this operation.
• Allow the volume move command to finish. This will take a varying amount of time depending upon the amount of data within the volume and the available resources of the cluster.
::> volume move show -vserver svm1 -volume vol_with_nve -fields state
vserver volume state
------- ------------ -----
svm1 vol_with_nve done
5. This step is optional, but it is one of the main benefits of NAE. On AFF aggregates, configure aggregate-level inline deduplication settings for the volume.
::> volume efficiency modify -vserver svm1 -volume vol_with_nve -cross-volume-inline-dedupe true -cross-volume-background-dedupe true
6. To confirm all volumes are NAE:
::> volume show -fields encryption-type -aggregate aggr1
vserver volume encryption-type
------- ------------ ---------------
svm1 vol_with_nve aggregate
svm1 vol_without_nve aggregate
2 entries were displayed.
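When an aggregate holds many volumes, the step 6 output can be checked by script rather than by eye. The following is an added example, not part of the original article or NetApp tooling: it parses captured `volume show -fields encryption-type` output and reports which step each volume still needs. It assumes the encryption-type values are none, volume and aggregate; the sample output and function names are constructed for illustration.

```python
# Added example: audit captured ONTAP CLI output. Sample data is constructed.
SAMPLE = """\
vserver volume       encryption-type
------- ------------ ---------------
svm1    svm1_root    none
svm1    vol_with_nve volume
svm1    vol_done     aggregate
3 entries were displayed.
"""

# What the article's procedure still requires for each encryption-type value.
NEXT_STEP = {
    "none": "steps 1-2: encrypt the plain-text volume first",
    "volume": "step 4: volume move with -encrypt-with-aggr-key true",
    "aggregate": None,  # already NAE
}

def parse_volume_show(text):
    """Return (vserver, volume, encryption_type) tuples from the table."""
    rows, in_body = [], False
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if all(set(f) == {"-"} for f in fields):
            in_body = True  # dashed separator: data rows follow
        elif in_body and not line.rstrip().endswith("displayed."):
            if len(fields) != 3:
                raise ValueError(f"unexpected row: {line!r}")
            rows.append(tuple(fields))
    return rows

def audit(text):
    """Map each volume that is not yet NAE to the step it still needs."""
    pending = {}
    for vserver, volume, enc in parse_volume_show(text):
        # Fail closed: an unrecognised value is never counted as encrypted.
        step = NEXT_STEP.get(enc, f"unrecognised encryption-type {enc!r}")
        if step is not None:
            pending[f"{vserver}:{volume}"] = step
    return pending

def ready_for_step_3(text):
    """True only when every volume is already NVE or NAE (none plain text)."""
    return all(e in ("volume", "aggregate") for _, _, e in parse_volume_show(text))

if __name__ == "__main__":
    print(audit(SAMPLE))
    print("ready for step 3:", ready_for_step_3(SAMPLE))
```

An empty result from `audit` means every listed volume reports encryption-type aggregate, which is the state step 6 is meant to confirm.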