https://library.netapp.com/ecm/ecm_download_file/ECMLP2572742
Enabling onboard key management (NVE)
security key-manager setup
Note: Do not use -enable-cc-mode unless you want to enter the key manager passphrase after a reboot.
Note: If adding new nodes to the cluster, the command must be run with the -node switch.
Enabling encryption on a new volume
volume create -vserver vs1 -volume vol1 -aggregate aggr1 -encrypt true
volume show -is-encrypted true
Enabling encryption on an existing volume with the volume encryption conversion start command
Starting with ONTAP 9.3, you can use the volume encryption conversion start command to enable encryption on an existing volume.
volume encryption conversion start -vserver vs1 -volume vol1
volume encryption conversion show
volume show -is-encrypted true
Note: If you encounter a performance issue during the operation, you can run the volume encryption conversion pause command to pause the operation, and the volume encryption conversion restart command to resume the operation.
Note: You cannot use volume encryption conversion start to convert a SnapLock or FlexGroup volume.
Note: To enable volume encryption on all volumes in an SVM, you can wildcard the volume name:
::> volume encryption conversion start -vserver vs1 -volume *
Enabling encryption on an existing volume with the volume move start command
You can use the volume move start command to enable encryption on an existing volume. You must use volume move start in ONTAP 9.2 and earlier. You can use the same aggregate or a different aggregate.
volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-destination true|false
volume show -is-encrypted true
Note: You cannot use volume move start to enable encryption on a SnapLock or FlexGroup volume.
Miscellany
Q: Is there a maximum number of simultaneous volume encryption conversion processes?
A: No, but it is recommended to have no more than four combined encryption conversions or encryption volume moves per node simultaneously.
Q: Is NVE supported with backup applications (for example, Commvault backup)?
A: Yes. NVE is independent of the backup targets or solutions. The data presented to the backup solutions is not encrypted.
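The wildcard conversion and the four-per-node recommendation above pull in opposite directions on a large SVM, so here is an added example (not NetApp code and not from the original notes) that plans conversions in waves instead. The inventory, its field names and the node names are constructed assumptions; the only ONTAP command emitted is the volume encryption conversion start form shown earlier.

```python
from collections import defaultdict

MAX_PER_NODE = 4  # recommended ceiling per node, from the Q&A above

def _vol(name, node, style="flexvol", snaplock=False, encrypted=False):
    # Hypothetical record layout; a real inventory would be exported from the cluster.
    return {"vserver": "vs1", "volume": name, "node": node,
            "style": style, "snaplock": snaplock, "encrypted": encrypted}

# Constructed sample inventory (not real cluster output).
INVENTORY = [_vol(f"vol{i}", "node-a") for i in range(1, 7)] + [
    _vol("vol7", "node-b"),
    _vol("slc1", "node-a", snaplock=True),
    _vol("fg1", "node-b", style="flexgroup"),
    _vol("vol8", "node-b", encrypted=True),
]

def eligible(vol):
    """Unencrypted and convertible: conversion start rejects SnapLock and FlexGroup."""
    return not vol["encrypted"] and not vol["snaplock"] and vol["style"] != "flexgroup"

def skipped(inventory):
    """Unencrypted volumes that conversion start cannot handle."""
    return [v for v in inventory if not v["encrypted"] and not eligible(v)]

def plan_waves(inventory, in_flight=None, limit=MAX_PER_NODE):
    """Split eligible volumes into waves of at most `limit` per node.

    in_flight maps node -> conversions or encrypting moves already running;
    it only reduces the capacity of the first wave.
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    in_flight = in_flight or {}
    queues = defaultdict(list)
    for vol in inventory:
        if eligible(vol):
            queues[vol["node"]].append(vol)
    waves, first = [], True
    while any(queues.values()):
        wave = []
        for node in list(queues):
            slots = max(limit - (in_flight.get(node, 0) if first else 0), 0)
            wave.extend(queues[node][:slots])
            queues[node] = queues[node][slots:]
        waves.append(wave)
        first = False
    return waves

def commands(wave):
    """Render one wave as the conversion commands shown earlier on the page."""
    return [f"volume encryption conversion start -vserver {v['vserver']} "
            f"-volume {v['volume']}" for v in wave]
```

Start the next wave only after volume encryption conversion show reports the previous one finished, and confirm the result with volume show -is-encrypted true.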
FAQ: NetApp Volume Encryption ONTAP 9.5
Image: NVE encrypt/decrypt flow