ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Highlighted

Need to disable encryption on a FAS2650

Stormont
‎2020-06-11 07:15 PM

We have a FAS2650 running OnTap 9.7 and we are using volume encryption.  We have a FAS2520 that we are trying to SnapVault to, but we can't since that cluster doesn't support encryption.  Unfortunately we need to disable encryption on the FAS2650 but don't know the best way forward.  We have two aggregates and don't have enough disks to create a new non-encrypted aggregate.  Can we just run “storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key false” on each aggregate to disable encryption or do we have to move all volumes off of an aggregate, run that command, move the volumes back, and then run that command on the other aggregate?

Reply
6 Replies
0 Likes
6 REPLIES 6
Highlighted

Re: Need to disable encryption on a FAS2650

Mjizzini
NetApp
‎2020-06-11 10:22 PM

The command you are trying to run only support encryption with aggregate keys.

 

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/storage__aggregate__modify.html

 

[-encrypt-with-aggr-key {true|false}] - Enable Aggregate level EncryptionThis parameter specifies that the volumes within the new aggregate can be encrypted with aggregate keys. If this parameter is set to true, the aggregate will support encryption with aggregate keys.

 

run::*>volume show -encryption

The command will check how many volumes are encrypted.

 

****Unencrypting volume data

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.pow-nve/GUID-92365841-311A-4EE4-A920-82C326C5F8A7.html

 

View solution in original post

Reply
6 Replies
0 Likes
Highlighted

Re: Need to disable encryption on a FAS2650

Stormont
‎2020-06-12 06:59 AM

How do we then disable encryption entirely since it is enabled by default and we don't want to have to go through the decryption process each time.

Reply
6 Replies
0 Likes
Highlighted

Re: Need to disable encryption on a FAS2650

bmccullough
‎2020-06-12 08:04 AM

You should be able to SnapVault from the FAS2650 to the FAS2520 without disabling encryption on the FAS2650.

 

NVE is data at rest and occurs below the WAFL layer,  i.e. the data can't be read if you pull the disk and plug it in somewhere else.   The data is unencrypted by the time it reaches the read/write operations level, i.e. snapmirror operations.   I have converted hundreds of volumes and dozens of flexgroups to NVE.  During this time, I had NVE volume snapmirroring unencrypted volumes,  unencrypted volumes snapmirroring to NVE volumes, and the other two combinations.

 

https://www.netapp.com/us/media/ds-3899.pdf

 

 

Reply
6 Replies
0 Likes
Highlighted

Re: Need to disable encryption on a FAS2650

Stormont
‎2020-06-12 08:14 AM

When I tried to create the SnapVault relationship from the 2650 using volume encryption to the 2520, clicking the "Validate" button for the relationship gives the following error and you cannot proceed.

 

“Error: Volume encryption is not supported on the destination cluster."

Reply
6 Replies
0 Likes
Highlighted

Re: Need to disable encryption on a FAS2650

bmccullough
‎2020-06-12 08:22 AM

Ah, I should of clarified my statements were pre-9.7 and not in the GUI.   The logic for checking for encryption on either end, most likely a 'feature' of 9.7 or a GUI enhancement i.e. validate button.  

Reply
6 Replies
0 Likes
Start a New Post
Check out the KB!
Knowledge Base
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2020 NetApp
Let us know