Solved: Need to disable encryption on a FAS2650

Stormont · ‎2020-06-11

We have a FAS2650 running OnTap 9.7 and we are using volume encryption. We have a FAS2520 that we are trying to SnapVault to, but we can't since that cluster doesn't support encryption. Unfortunately we need to disable encryption on the FAS2650 but don't know the best way forward. We have two aggregates and don't have enough disks to create a new non-encrypted aggregate. Can we just run “storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key false” on each aggregate to disable encryption or do we have to move all volumes off of an aggregate, run that command, move the volumes back, and then run that command on the other aggregate?

Mjizzini · ‎2020-06-11

The command you are trying to run only support encryption with aggregate keys.

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/storage__aggregate__modify.html

[-encrypt-with-aggr-key {true|false}] - Enable Aggregate level EncryptionThis parameter specifies that the volumes within the new aggregate can be encrypted with aggregate keys. If this parameter is set to true, the aggregate will support encryption with aggregate keys.

run::*>volume show -encryption

The command will check how many volumes are encrypted.

****Unencrypting volume data

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.pow-nve/GUID-92365841-311A-4EE4-A920-82C326C5F8A7.html

View solution in original post

Mjizzini · ‎2020-06-11

The command you are trying to run only support encryption with aggregate keys.

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/storage__aggregate__modify.html

[-encrypt-with-aggr-key {true|false}] - Enable Aggregate level EncryptionThis parameter specifies that the volumes within the new aggregate can be encrypted with aggregate keys. If this parameter is set to true, the aggregate will support encryption with aggregate keys.

run::*>volume show -encryption

The command will check how many volumes are encrypted.

****Unencrypting volume data

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.pow-nve/GUID-92365841-311A-4EE4-A920-82C326C5F8A7.html

Stormont · ‎2020-06-12

How do we then disable encryption entirely since it is enabled by default and we don't want to have to go through the decryption process each time.

paul_stejskal · ‎2020-06-12

https://kb.netapp.com/Advice_and_Troubleshooting%2FData_Storage_Software%2FONTAP_OS%2FHow_to_disable_default_encryption_in_ONTAP__9.7

bmccullough · ‎2020-06-12

You should be able to SnapVault from the FAS2650 to the FAS2520 without disabling encryption on the FAS2650.

NVE is data at rest and occurs below the WAFL layer, i.e. the data can't be read if you pull the disk and plug it in somewhere else. The data is unencrypted by the time it reaches the read/write operations level, i.e. snapmirror operations. I have converted hundreds of volumes and dozens of flexgroups to NVE. During this time, I had NVE volume snapmirroring unencrypted volumes, unencrypted volumes snapmirroring to NVE volumes, and the other two combinations.

https://www.netapp.com/us/media/ds-3899.pdf

Stormont · ‎2020-06-12

When I tried to create the SnapVault relationship from the 2650 using volume encryption to the 2520, clicking the "Validate" button for the relationship gives the following error and you cannot proceed.

“Error: Volume encryption is not supported on the destination cluster."

bmccullough · ‎2020-06-12

Ah, I should of clarified my statements were pre-9.7 and not in the GUI. The logic for checking for encryption on either end, most likely a 'feature' of 9.7 or a GUI enhancement i.e. validate button.