ONTAP Discussions

NVE and Snapmirror

EddieJ

Running ONTAP 9.1P8

Have NVE (NetApp Volume Encryption) enabled on both clusters involved in the SnapMirror (UK to US and vice versa).

The source volume is encrypted, but the destination volume is not (as I just found out). I thought since encryption was enabled on both systems the destination SnapMirror volume would be. So the question is how do I achieve this? Reading around as much as possible, I think I may have to enable the default option to encrypt all new volumes upon creation? Or can I convert the destination SnapMirror volume to encrypted? Hope that made sense.

Thanks!!

1 ACCEPTED SOLUTION

naveens17

1. Based on your version 9.1P8, you can't use in-place conversion. Need 9.3.

2. So for now use vol move with the encryption attribute on the destination volume; this will convert your SnapMirror target to an encrypted volume.

3. FYI

Encryption keys apply only to a single cluster.

There is no in-flight encryption; it's all data at rest.

EddieJ

Thanks! That works. Was concerned about the volume being DP vs RW. All is well there.

Also, how do I set the option that all new volumes created on the cluster will be encrypted going forward? Have not been able to find the command anywhere.

Thanks!

naveens17

volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true

EddieJ

Yes, that I know. I am looking for the setting that tells ONTAP to encrypt newly created volumes by default. I recall reading there was an option setting for that. This way, when DP volumes are created on the destination cluster, they are encrypted by default.

naveens17

To enable volume encryption by default perform the following:

Note: Any existing volume will not be converted.

From the systemshell:
ClusterA::>set diag
Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y

ClusterA::*> systemshell -node * -command sudo kenv -p bootarg.softwareencryption.encryptallvol=true
  (system node systemshell)

Node: ClusterA-01
bootarg.softwareencryption.encryptallvol="true"

Node: ClusterA-02
bootarg.softwareencryption.encryptallvol="true"
2 entries were acted on.



Verification:
ClusterA::*> systemshell -node * kenv bootarg.softwareencryption.encryptallvol
  (system node systemshell)

Node: ClusterA-01
true

Node: ClusterA-02
true
2 entries were acted on.


A reboot is not necessary for these changes to take effect.
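
Added example (not part of the original thread and not NetApp code): a small Python check that parses captured output of the verification command above and lists any node where the bootarg is not "true", so a node that would still create unencrypted volumes is not missed. The sample output is constructed; the third node and its error line are hypothetical.

```python
import re

# Constructed sample of the verification output; ClusterA-03 and its error
# line are hypothetical, standing in for a node where the bootarg is unset.
SAMPLE_OUTPUT = """\
  (system node systemshell)

Node: ClusterA-01
true

Node: ClusterA-02
bootarg.softwareencryption.encryptallvol="true"

Node: ClusterA-03
kenv: unable to get bootarg.softwareencryption.encryptallvol
3 entries were acted on.
"""

NODE_RE = re.compile(r"^Node:\s*(\S+)$")
COUNT_RE = re.compile(r"^(\d+) entr(?:y was|ies were) acted on\.$")

def parse_kenv_output(text):
    """Return ({node: value or None}, count reported in the trailer line)."""
    values, count, node = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("("):
            continue                      # blank lines and the command echo
        if (m := NODE_RE.match(line)):
            node = m.group(1)
            values[node] = None           # no value seen yet for this node
        elif (c := COUNT_RE.match(line)):
            count, node = int(c.group(1)), None
        elif node is not None and values[node] is None:
            # Accept both forms shown in the thread: `true` and `name="true"`.
            values[node] = line.split("=", 1)[-1].strip('"')
    return values, count

def nodes_not_encrypting_by_default(text):
    """List nodes whose bootarg is anything other than "true"."""
    values, count = parse_kenv_output(text)
    bad = sorted(n for n, v in values.items() if v != "true")
    if count is not None and count != len(values):
        bad.append("<node count mismatch>")   # output truncated or misparsed
    return bad

if __name__ == "__main__":
    print(nodes_not_encrypting_by_default(SAMPLE_OUTPUT))
```
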
