Skip to main content

Exciting new changes are coming to the Knowledge Base site soon!
Starting April 4, 2023, you will notice Support-Specific categorization and improvements to the search filters on the site. In May, we will be launching a new and enhanced Site UI and Navigation. To know more, read our Knowledge Article.

NetApp Knowledge Base

How to convert plain text volume to use NAE

Last Updated:

Applies to

  • ONTAP 9.6 and later
  • NetApp Aggregate Encryption (NAE)


  • This article describes how to convert plain text volumes to NAE volumes.
  • NAE was introduced in ONTAP 9.6 and uses shared keys at aggregate level to allow encryption of the volumes within that aggregate. 
  • You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication.


  • ONTAP 9.6 or later
  • Volume Encryption (VE) license
  • key manager (onboard or external)
  • Available space in the aggregate to convert the SVM-root from plain text to NAE volume

The following steps will guide you through converting plain text existing aggregates to NAE.

1. NAE aggregates do not support plain-text volumes; thus, it is necessary to convert plain-text volumes to NVE (NetApp Volume Encryption) first:

Encrypt in-place from plain-text volume to NVE​​​​​​


Encrypt to NVE by moving the volume to another aggregate

Note: You can volume move to the same aggregate as the destination

2. SVM root must also be encrypted before converting aggregate to NAE. Use volume move start to accomplish this.

•  Volume move the SVM root volumes to another data aggregate:
::> volume move start -volume <svm_root> -destination-aggregate <aggr_dest>

•  Volume move the SVM back to the original aggregate:::> volume move start -volume <svm_root> -destination-aggregate <aggr_src> -encrypt-with-aggr-key true

3. Convert the aggregate to NAE.

::> storage aggregate modify -aggregate aggr1 -encrypt-with-aggr-key true

4. Then, convert the rest of the volumes to NAE volumes. Run the volume move start command to convert each volume within aggregate from NVE to NAE.

::> volume move start -volume vol_with_nve -destination-aggregate aggr1 -encrypt-with-aggr-key true

[Job 92] Job is queued: Move "vol_with_nve" in Vserver "svm1" to aggregate "aggr1". Use the "volume move show -vserver svm1 -volume vol_with_nve" command to view the status of this operation.

•  Allow the volume move command to finish. This will take a varying amount of time depending upon the amount of data within the volume and the available resources of the cluster.

::> volume move show -vserver svm1 -volume vol_with_nve -fields state
vserver volume       state
------- ------------ -----
svm1    vol_with_nve done

5. This is optional, but one of the main benefits of NAE. On AFF aggregates, configure aggregate level inline deduplication settings for the volume.

::> volume efficiency modify -vserver svm1 -volume vol_with_nve -cross-volume-inline-dedupe true -cross-volume-background-dedupe true

6. To confirm all volumes are NAE:

::> volume show -fields encryption-type -aggregate aggr1
vserver volume           encryption-type
------- ------------     ---------------
svm1    vol_with_nve     aggregate
svm1    vol_without_nve  aggregate
2 entries were displayed.

Scan to view the article on your device