Skip to main content
NetApp Knowledge Base

How to enable NAE aggregate-level encryption with an SVM root volume or MDV_CRS volume

Last Updated:



Applies to

  • ONTAP 9.6 and later
  • NetApp Aggregate Encryption (NAE)
  • MetroCluster
  • SVM root volume
  • MDV_CRS volume (For MetroCluster)


  • When attempting to convert a data aggregate to NAE, the SVM root or MDV_CRS  volume will not allow the conversion.

::> aggregate modify -aggregate aggr1 -encrypt-with-aggr-key true

Error: command failed: Failed to modify the aggregate "aggr1" since it contains non-encrypted volumes.
Run the "volume show -encrypt  false" command to get the list of non-encrypted volumes.Convert all of them to NVE volumes and try again later.

  • Starting with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be encrypted. Volumes you create in the aggregate are encrypted by default. You can override the default when you encrypt the volume.
  • An aggregate enabled for aggregate-level encryption is called an NAE volume (for NetApp Aggregate Encryption). Plaintext volumes are not supported in NAE aggregates.


Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.