ONTAP Discussions

Aggregate level dedupe with NVE

BenCoughtry
8,184 Views

I understand aggregate level deduplication is not supported for volumes encrypted by NVE.  Is anyone able to confirm whether or not this is being roadmapped in future releases of OnTap?

 

Thanks!

-Ben

1 ACCEPTED SOLUTION

GidonMarcus
8,039 Views

Hi

 

For a moment i thought you are saying it's not possible to enable it on any vol in the aggr with NVE vol present (which i coulden't understand why)

i still don't think they can or should workaround that.

 

in NVE each volume is encrypted with it's own key and this key is stored in the CSP/KMIP (the key you generated for the cluster, is very likelly the key to protect the KMIP, this key can be changed without re-encrypting the data).

 

The volumes can be re-keyd with "volume encryption rekey start -vserver vs1 -volume vol1" or with another volume move , that does re-encrypt all the data (and recommended to do after a clone split).

 

 

G

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

View solution in original post

7 REPLIES 7

GidonMarcus
8,096 Views

Hi

 

As each volume encrypted with it's own key, the data is different on each volume. even when you do a vol clone you are required to split it and re-key the new volume.

also,

 

As for enabling dedup on aggr with NVE volumes for the sake of the other volumes. i don't see this limitation anywhere being enforced. do you believe the case is different ?

 

 

G

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

BenCoughtry
8,083 Views

Hi GidonMarcus, I recieve the error below upon enabling -cross-volume-inline-dedupe on volumes encrypted with NVE.  OnTap 9.2P1

 

cluster::> vol eff mod -vserver xxxx -volume xxxx -cross-volume-inline-dedupe true

Error: command failed: Failed to modify efficiency configuration for volume "xxxx" of Vserver "xxxx": Cross volume deduplication cannot be enabled on encrypted volumes.

 

Also, with NVE I have not had per volume keys for vclones or new volumes, only 1 cluster-wide encryption key generated during onboard key-manager setup, and then encrypt existing volumes with "vol move start -encrypt-destination true".

 

 

Thanks,

GidonMarcus
8,040 Views

Hi

 

For a moment i thought you are saying it's not possible to enable it on any vol in the aggr with NVE vol present (which i coulden't understand why)

i still don't think they can or should workaround that.

 

in NVE each volume is encrypted with it's own key and this key is stored in the CSP/KMIP (the key you generated for the cluster, is very likelly the key to protect the KMIP, this key can be changed without re-encrypting the data).

 

The volumes can be re-keyd with "volume encryption rekey start -vserver vs1 -volume vol1" or with another volume move , that does re-encrypt all the data (and recommended to do after a clone split).

 

 

G

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

BenCoughtry
8,017 Views

I understand now.  Thank you very much!

WillFulmer
7,600 Views

So to clarify

 

In order to enable cross volume inline or background deduplication on a volume, one must run the command

*> volume efficiency modify -vserver VSERVER -volume VOLNAME -cross-volume-inline-dedupe true -

cross-volume-background-dedupe true

 

However, on a volume that is encrypted with NVE - this command results in error - 

Error: command failed: Failed to modify efficiency configuration for volume "VOLNAME" of Vserver "VSERVER": Cross volume deduplication cannot be enabled on encrypted volumes. If there are active SIS

       operations then use the "volume efficiency stop -all true -vserver * -volume *" command to stop all efficiency operations on all volumes in the cluster.

 

In order to enable these storage efficiency commands on NVE volumes, you must rekey each volume?

 

BenCoughtry
7,564 Views

As I understand it (and correct me if I'm wrong) per volume encryption keys are not controllable.  Meaning, you can rekey a volume but cannot control with what key it uses.  Thus, post encryption every volume will always look entirely different on the aggregate, regardless of the data within.  And thus, even if the 'enable cross vol dedupe on an NVE volume' attempt didn't didn't throw an error you'd still get near 0 space savings.

AlexDawson
7,532 Views

Correct! Easy way to think of it is:

 

Vol A clear text = AAA

Vol A private key = 123

Vol A on disk = BBB

 

Vol B clear text = AAA

Vol B private key = 456

Vol B on disk = CCC

 

Cross volume dedupe would compare CCC and BBB and find no match so provide no efficiency. 

Public