Effective December 3, NetApp adopts Microsoft’s Business-to-Customer (B2C) identity management to simplify and provide secure access to NetApp resources.
For accounts that did not pre-register (prior to Dec 3), access to your NetApp data may take up to 1 hour as your legacy NSS ID is synchronized to the new B2C identity.
To learn more, read the FAQ and watch the video.
Need assistance? Complete this form and select “Registration Issue” as the Feedback Category.

ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Start a New Post

Need to disable encryption on a FAS2650

Stormont
‎2020-06-11 07:15 PM

We have a FAS2650 running OnTap 9.7 and we are using volume encryption.  We have a FAS2520 that we are trying to SnapVault to, but we can't since that cluster doesn't support encryption.  Unfortunately we need to disable encryption on the FAS2650 but don't know the best way forward.  We have two aggregates and don't have enough disks to create a new non-encrypted aggregate.  Can we just run “storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key false” on each aggregate to disable encryption or do we have to move all volumes off of an aggregate, run that command, move the volumes back, and then run that command on the other aggregate?

0 Kudos
1 ACCEPTED SOLUTION

Mjizzini
Community Manager
‎2020-06-11 10:22 PM

The command you are trying to run only support encryption with aggregate keys.

 

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/storage__aggregate__modify.html

 

[-encrypt-with-aggr-key {true|false}] - Enable Aggregate level EncryptionThis parameter specifies that the volumes within the new aggregate can be encrypted with aggregate keys. If this parameter is set to true, the aggregate will support encryption with aggregate keys.

 

run::*>volume show -encryption

The command will check how many volumes are encrypted.

 

****Unencrypting volume data

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.pow-nve/GUID-92365841-311A-4EE4-A920-82C326C5F8A7.html

 

View solution in original post

0 Kudos
6 REPLIES 6

bmccullough
‎2020-06-12 08:04 AM

You should be able to SnapVault from the FAS2650 to the FAS2520 without disabling encryption on the FAS2650.

 

NVE is data at rest and occurs below the WAFL layer,  i.e. the data can't be read if you pull the disk and plug it in somewhere else.   The data is unencrypted by the time it reaches the read/write operations level, i.e. snapmirror operations.   I have converted hundreds of volumes and dozens of flexgroups to NVE.  During this time, I had NVE volume snapmirroring unencrypted volumes,  unencrypted volumes snapmirroring to NVE volumes, and the other two combinations.

 

https://www.netapp.com/us/media/ds-3899.pdf

 

 

0 Kudos

Stormont
‎2020-06-12 08:14 AM
In response to bmccullough

When I tried to create the SnapVault relationship from the 2650 using volume encryption to the 2520, clicking the "Validate" button for the relationship gives the following error and you cannot proceed.

 

“Error: Volume encryption is not supported on the destination cluster."

0 Kudos

bmccullough
‎2020-06-12 08:22 AM
In response to Stormont

Ah, I should of clarified my statements were pre-9.7 and not in the GUI.   The logic for checking for encryption on either end, most likely a 'feature' of 9.7 or a GUI enhancement i.e. validate button.  

0 Kudos

Mjizzini
Community Manager
‎2020-06-11 10:22 PM

The command you are trying to run only support encryption with aggregate keys.

 

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/storage__aggregate__modify.html

 

[-encrypt-with-aggr-key {true|false}] - Enable Aggregate level EncryptionThis parameter specifies that the volumes within the new aggregate can be encrypted with aggregate keys. If this parameter is set to true, the aggregate will support encryption with aggregate keys.

 

run::*>volume show -encryption

The command will check how many volumes are encrypted.

 

****Unencrypting volume data

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.pow-nve/GUID-92365841-311A-4EE4-A920-82C326C5F8A7.html

 

View solution in original post

0 Kudos

Stormont
‎2020-06-12 06:59 AM
In response to Mjizzini

How do we then disable encryption entirely since it is enabled by default and we don't want to have to go through the decryption process each time.

0 Kudos
Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

View All
NetApp Insights to Action
I2A Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public