
Need to disable encryption on a FAS2650

Stormont

We have a FAS2650 running OnTap 9.7 and we are using volume encryption.  We have a FAS2520 that we are trying to SnapVault to, but we can't since that cluster doesn't support encryption.  Unfortunately we need to disable encryption on the FAS2650 but don't know the best way forward.  We have two aggregates and don't have enough disks to create a new non-encrypted aggregate.  Can we just run “storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key false” on each aggregate to disable encryption or do we have to move all volumes off of an aggregate, run that command, move the volumes back, and then run that command on the other aggregate?

1 ACCEPTED SOLUTION

Mjizzini

The command you are trying to run only supports encryption with aggregate keys.

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/storage__aggregate__modify.html

[-encrypt-with-aggr-key {true|false}] - Enable Aggregate level Encryption
This parameter specifies that the volumes within the new aggregate can be encrypted with aggregate keys. If this parameter is set to true, the aggregate will support encryption with aggregate keys.

run::*>volume show -encryption

The command will check how many volumes are encrypted.

Unencrypting volume data

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.pow-nve/GUID-92365841-311A-4EE4-A920-82C326C5F8A7.html

6 REPLIES

bmccullough

You should be able to SnapVault from the FAS2650 to the FAS2520 without disabling encryption on the FAS2650.

NVE is data at rest and occurs below the WAFL layer, i.e. the data can't be read if you pull the disk and plug it in somewhere else. The data is unencrypted by the time it reaches the read/write operations level, i.e. snapmirror operations. I have converted hundreds of volumes and dozens of flexgroups to NVE. During this time, I had NVE volumes snapmirroring to unencrypted volumes, unencrypted volumes snapmirroring to NVE volumes, and the other two combinations.

https://www.netapp.com/us/media/ds-3899.pdf

Stormont

When I tried to create the SnapVault relationship from the 2650 using volume encryption to the 2520, clicking the "Validate" button for the relationship gives the following error and you cannot proceed.

"Error: Volume encryption is not supported on the destination cluster."

bmccullough

Ah, I should have clarified that my statements were pre-9.7 and not in the GUI. The logic for checking for encryption on either end is most likely a 'feature' of 9.7 or a GUI enhancement, i.e. the Validate button.


Stormont

How do we then disable encryption entirely, since it is enabled by default and we don't want to have to go through the decryption process each time?
