Skip to main content
NetApp Knowledge Base

How to convert plain text volume to use NAE

  1. Last updated
    Mar 31, 2025
  2. Save as PDF
Views:
2,491
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
core
Last Updated:
3/31/2025, 6:29:06 PM

Applies to

  • ONTAP 9.6 and later
  • NetApp Aggregate Encryption (NAE)

Description

  • This article describes how to convert plain text volumes to NAE volumes.
  • NAE was introduced in ONTAP 9.6 and uses shared keys at aggregate level to allow encryption of the volumes within that aggregate. 
  • You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication.

Procedure

Prerequisites
  • ONTAP 9.6 or later
  • Volume Encryption (VE) license
  • key manager (onboard or external)
  • Available space in the aggregate to convert the SVM-root from plain text to NAE volume

The following steps will guide you through converting plain text existing aggregates to NAE.

1. NAE aggregates do not support plain-text volumes; thus, it is necessary to convert plain-text volumes and SVM root volume 9.14.1 and later  to NVE (NetApp Volume Encryption) first:

Encrypt in-place from plain-text volume to NVE​​​​​​

OR

Encrypt to NVE by moving the volume to another aggregate

Note: You can volume move to the same aggregate as the destination

2. Prior to 9.14.1, SVM root must also be encrypted before converting aggregate to NAE. Use volume move start to accomplish this.

•  Volume move the SVM root volumes to another data aggregate:
::> volume move start -volume <svm_root> -destination-aggregate <aggr_dest>

•  Volume move the SVM back to the original aggregate:::> volume move start -volume <svm_root> -destination-aggregate <aggr_src> -encrypt-with-aggr-key true

3. Convert the aggregate to NAE.

::> storage aggregate modify -aggregate aggr1 -encrypt-with-aggr-key true

4. Then, convert the rest of the volumes to NAE volumes. Run the volume move start command to convert each volume within aggregate from NVE to NAE.

::> volume move start -vserver svm1 -volume vol_with_nve -destination-aggregate aggr1 -encrypt-with-aggr-key true

[Job 92] Job is queued: Move "vol_with_nve" in Vserver "svm1" to aggregate "aggr1". Use the "volume move show -vserver svm1 -volume vol_with_nve" command to view the status of this operation.

•  Allow the volume move command to finish. This will take a varying amount of time depending upon the amount of data within the volume and the available resources of the cluster.

::> volume move show -vserver svm1 -volume vol_with_nve -fields state
vserver volume       state
------- ------------ -----
svm1    vol_with_nve done

5. This is optional, but one of the main benefits of NAE. On AFF aggregates, configure aggregate level inline deduplication settings for the volume.

::> volume efficiency modify -vserver svm1 -volume vol_with_nve -cross-volume-inline-dedupe true -cross-volume-background-dedupe true

6. To confirm all volumes are NAE:

::> volume show -fields encryption-type -aggregate aggr1
vserver volume           encryption-type
------- ------------     ---------------
svm1    vol_with_nve     aggregate
svm1    vol_without_nve  aggregate
2 entries were displayed.

Additional Information

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.