How to convert plain text volume to use NAE
Applies to
- ONTAP 9.6 and later
- NetApp Aggregate Encryption (NAE)
Description
- This article describes how to convert plain text volumes to NAE volumes.
- NAE was introduced in ONTAP 9.6 and uses shared keys at aggregate level to allow encryption of the volumes within that aggregate.
- You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication.
Procedure
- ONTAP 9.6 or later
- Volume Encryption (VE) license
- key manager (onboard or external)
- Available space in the aggregate to convert the SVM-root from plain text to NAE volume
The following steps guide you through converting existing plain-text aggregates to NAE.
1. NAE aggregates do not support plain-text volumes, so plain-text volumes (and, in ONTAP 9.14.1 and later, the SVM root volume) must first be converted to NVE (NetApp Volume Encryption):
Encrypt in-place from plain-text volume to NVE
OR
Encrypt to NVE by moving the volume to another aggregate
Note: The destination of the volume move can be the same aggregate.
2. Prior to 9.14.1, the SVM root must also be encrypted before converting the aggregate to NAE. Use volume move start to accomplish this.
• Volume move the SVM root volumes to another data aggregate:
::> volume move start -volume <svm_root> -destination-aggregate <aggr_dest>
• Volume move the SVM root volume back to the original aggregate:
::> volume move start -volume <svm_root> -destination-aggregate <aggr_src> -encrypt-with-aggr-key true
3. Convert the aggregate to NAE.
::> storage aggregate modify -aggregate aggr1 -encrypt-with-aggr-key true
4. Then, convert the rest of the volumes to NAE volumes. Run the volume move start command to convert each volume within the aggregate from NVE to NAE.
::> volume move start -vserver svm1 -volume vol_with_nve -destination-aggregate aggr1 -encrypt-with-aggr-key true
[Job 92] Job is queued: Move "vol_with_nve" in Vserver "svm1" to aggregate "aggr1". Use the "volume move show -vserver svm1 -volume vol_with_nve" command to view the status of this operation.
• Allow the volume move command to finish. This will take a varying amount of time depending upon the amount of data within the volume and the available resources of the cluster.
::> volume move show -vserver svm1 -volume vol_with_nve -fields state
vserver volume state
------- ------------ -----
svm1 vol_with_nve done
5. This is optional, but one of the main benefits of NAE. On AFF aggregates, configure aggregate level inline deduplication settings for the volume.
::> volume efficiency modify -vserver svm1 -volume vol_with_nve -cross-volume-inline-dedupe true -cross-volume-background-dedupe true
6. To confirm all volumes are NAE:
::> volume show -fields encryption-type -aggregate aggr1
vserver volume encryption-type
------- ------------ ---------------
svm1 vol_with_nve aggregate
svm1 vol_without_nve aggregate
2 entries were displayed.
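The check in step 6 can be automated when an aggregate holds many volumes. The following is an added example, not NetApp code: it parses saved output of the step 6 command and lists every volume that is not yet NAE together with the step it still needs. The sample output is constructed, and the `volume` and `none` values for NVE and plain-text volumes are assumptions, since the article only shows `aggregate`.

```python
import re

# Constructed sample of `volume show -fields encryption-type -aggregate aggr1`
# taken part-way through a conversion (not captured from a real cluster).
SAMPLE = """\
vserver volume         encryption-type
------- -------------- ---------------
svm1    svm1_root      aggregate
svm1    vol_with_nve   volume
svm1    vol_plain      none
svm2    vol_done       aggregate
4 entries were displayed.
"""

def parse_volume_show(text):
    """Return [(vserver, volume, encryption_type)]; fail if the footer count disagrees."""
    rows, declared = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or set(line) <= set("- "):
            continue  # blank line or the dashed separator
        m = re.fullmatch(r"(\d+) entries were displayed\.", line)
        if m:
            declared = int(m.group(1))
            continue
        fields = line.split()
        if fields[0] == "vserver":
            continue  # column header
        if len(fields) != 3:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(tuple(fields))
    if declared is not None and declared != len(rows):
        raise ValueError(f"footer says {declared} rows, parsed {len(rows)}")
    return rows

def remaining_work(rows, aggregate):
    """Map each volume that is not NAE to the step of the article it still needs."""
    todo = {}
    for vserver, volume, enc in rows:
        if enc == "aggregate":
            continue  # already NAE
        if enc == "volume":  # assumed NVE value: ready for step 4
            todo[(vserver, volume)] = (
                f"volume move start -vserver {vserver} -volume {volume} "
                f"-destination-aggregate {aggregate} -encrypt-with-aggr-key true")
        else:  # plain text or unrecognised: treat as not encrypted
            todo[(vserver, volume)] = "convert to NVE first (step 1)"
    return todo
```

An empty result from `remaining_work` means every volume in the listing reports `aggregate`; a truncated or partially pasted listing raises an error instead of passing silently.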