Thank you Alex,
So I can *not* use encrypted aggregates with my normal shipped ONTAP, although the only piece of documentation I can find about it is suggesting I could... This cries out for a documentation update; otherwise it might also confuse others who would be keen on the feature.
I am interested in this functionality because we've got regulatory demands. They prohibit us from giving back defective disks to NetApp unless we can prove that all data has been deleted beforehand or that it has been encrypted all the time. The problem with volume-based encryption is that you could create an unencrypted volume, fill it with critical data and delete it. Or you could delete some of the unencrypted data at the client and encrypt the volume later. Is there an ONTAP/WAFL mechanism guaranteeing that the deleted unencrypted blocks can't be found anymore on a disk? If not, the only way to prove this would be a kind of cyclical monitoring, looking for the encryption status of all existing volumes and historicizing the results. Quite cumbersome.
As aggregates usually aren't deleted, the aggregate encryption would be charming in my eyes.
Thanks and regards