You will also need an external key management solution (read "expensive") to hold the unlocking keys for the disks, unless you are also able to run OnTap 9.0 which is just out now in Release Candidate stage.  OnTap 9.0 includes the capability to manage disk unlocking keys onboard.

Hope this helps you.

Bob Greenwald

Lead Storage Engineer, Consilio LLC

NCIE SAN, Data Protection

Kudos and accepted solutions are always appreciated.

What about a system that has only SED disks but is currently not paired with a key manager and disks protection mode all set to open.  Is it possible to set a  key a spare disk and manually swap encrypted disks into an aggregate 1 at a time?  

Follow up on my questions...

https://kb.netapp.com/app/answers/answer_view/a_id/1032894

Based on this KB it sounds to me like my drives are already encrypted, just with a 0x0 key and unlocked.  If that is the case what I am describing is really a key change.  If anyone has any input or confirm I would appreciate it.

Hi Jordan,

That's essentially the case. NSE drives do the encryption themselves, ONTAP manages the initialisation/changing/unlocking of drives in interaction with either the internal (in newer versions) or external KMS.

If your system is already in production with data in place, please open a support ticket to walk through the process of enabling a KMS and setting an encryption key for the drives.

Hope this helps!