ONTAP Discussions

What is the best way to apply encryption in NetApp Cluster Mode IN AFFA400


Hello Experts,


Currently, I have AFF A400 Box with 129 volumes and I want to apply encryption to it.


What is the best option here to apply encryption to the existing filer?






I believe the best option is to set up NVE and convert existing volumes to encrypted ones, see https://docs.netapp.com/us-en/ontap/pdfs/sidebar/Configure_NetApp_Volume_Encryption.pdf


Depends on what you want as an end result. 

NVE gives you encryption on each volume individually and the volume each have their own unique key. You have the option of either encrypting or not for each individual volume.  If you plan to use an external KMIP server to take advantage of the secure-purge capability, then this is where you need to be. You just run through each volume and convert it “volume encryption conversion start…”

NAE (Netapp Aggregate Encryption) encrypts everything on the aggregate. Period. No choice. Additionally, you get to use the cross-volume efficiencies. Why? Using NAE, all volumes in the same aggregate share the same key. This allows for cross volume dedupe and compression to work.  To get there is a multi step process. First ever SVM data volume must be encrypted as NVE. Then you pick an aggregate and make sure to svm-root volumes are there, if they are move it/them. Then you can modify that aggregate to be encryption-enabled. Then you start the process of converting each volume to aggregate-encryption. You would use the “volume move start” command. You can “move” it to the same aggregate but you include the option to encryption w with aggregate key. 

you can always check your volumes:

 volume show -fields encryption-type, encrypt


 which shows either volume or aggregate or none for the type and enabled or not. 

this is all in the pdf above.