NVE gives you encryption on each volume individually and the volume each have their own unique key. You have the option of either encrypting or not for each individual volume. If you plan to use an external KMIP server to take advantage of the secure-purge capability, then this is where you need to be. You just run through each volume and convert it “volume encryption conversion start…”
NAE (Netapp Aggregate Encryption) encrypts everything on the aggregate. Period. No choice. Additionally, you get to use the cross-volume efficiencies. Why? Using NAE, all volumes in the same aggregate share the same key. This allows for cross volume dedupe and compression to work. To get there is a multi step process. First ever SVM data volume must be encrypted as NVE. Then you pick an aggregate and make sure to svm-root volumes are there, if they are move it/them. Then you can modify that aggregate to be encryption-enabled. Then you start the process of converting each volume to aggregate-encryption. You would use the “volume move start” command. You can “move” it to the same aggregate but you include the option to encryption w with aggregate key.
you can always check your volumes:
volume show -fields encryption-type, encrypt
which shows either volume or aggregate or none for the type and enabled or not.