How do I unencrypt an NAE volume?
Applies to
- ONTAP 9
- NetApp Volume Encryption (NVE)
- NetApp Aggregate Encryption (NAE)
Answer
Use one of the following methods:
1. Use another aggregate:
A. Move the volumes to another non-NAE aggregate and convert them to plain text volumes:
::> volume move start -vserver <vserver_name> -volume <volume_name> -destination-aggregate <aggr_name> -encrypt-destination false -encrypt-with-aggr-key false
2. Use the same aggregate:
A. Assuming you have space in the existing NAE aggregate, move the volumes to convert them from NAE to NVE (which NAE aggregates do allow) in the same aggregate:
::> volume move start -vserver <vserver_name> -volume <volume_name> -destination-aggregate <aggr_name> -encrypt-destination true -encrypt-with-aggr-key false
B. Verify that all the volumes on the aggregate report the encryption-type as 'volume':
::> volume show -aggregate <aggr_name> -fields encryption-type
vserver volume encryption-type
------------- ------------------ ---------------
svm1 vol1 volume
C. After all the volumes are NVE, and no NAE encrypted volumes exist on the aggregate, disable NAE:
::> aggregate modify -aggregate <aggr_name> -node <node_name> -encrypt-with-aggr-key false
Note: Make sure that no aggregate snapshot copies exist, or the command will fail.
D. Use the volume move command to convert the volumes from NVE to plain text:
::> volume move start -vserver <vserver_name> -volume <volume_name> -destination-aggregate <aggr_name> -encrypt-destination false
Note: If step A was missed, the volume move will fail with the error:
Error: command failed: The destination aggregate "aggr_name" is an NAE (NetApp Aggregate Encryption) aggregate. Non-encrypted volumes are not supported in such aggregates.
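A scripted form of the check in step 2.B, to run before step 2.C. This is an added example, not part of the original NetApp article. It reads saved "volume show -aggregate <aggr_name> -fields encryption-type" output on stdin and lists every volume that does not yet report 'volume'. Assumptions: the three-column layout shown above, a trailing "entries were displayed" summary line, and NAE volumes reporting "aggregate" in that column; the function name and sample output are constructed.

```shell
#!/bin/sh
# Added example: gate for step 2.C (disabling NAE on the aggregate).

# Prints "vserver volume encryption-type" for each volume that still blocks
# disabling NAE. Exit status: 0 = every parsed volume is NVE ("volume"),
# 1 = at least one blocker or unparsed line, 2 = no data rows parsed.
nae_blockers() {
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF from an SSH capture
        NF == 0          { next }          # blank line
        $1 == "vserver"  { next }          # column header
        $1 ~ /^-+$/      { next }          # dashed rule under the header
        /entries were displayed|entry was displayed/ { next }
        NF != 3          { bad++; print "unparsed: " $0; next }
                         { rows++ }
        $3 != "volume"   { blockers++; print $1, $2, $3 }
        END {
            if (rows == 0) exit 2          # empty input is not proof of safety
            if (blockers > 0 || bad > 0) exit 1
        }
    '
}

# Constructed sample output (not captured from a real cluster).
SAMPLE_MIXED='vserver volume encryption-type
------- ------ ---------------
svm1    vol1   volume
svm1    vol2   aggregate
2 entries were displayed.'

SAMPLE_CLEAN='vserver volume encryption-type
------- ------ ---------------
svm1    vol1   volume
svm1    vol2   volume
2 entries were displayed.'

# Stand-alone run over the constructed samples.
for name in SAMPLE_MIXED SAMPLE_CLEAN; do
    eval "data=\$$name"
    if printf '%s\n' "$data" | nae_blockers; then
        echo "$name: all volumes are NVE, step 2.C can proceed"
    else
        echo "$name: finish step 2.A for the volumes listed above first"
    fi
done
```

Treating empty input as a failure (exit 2) prevents a failed or truncated capture from being read as "no NAE volumes left".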