ONTAP Discussions

How to enable encryption on non-empty aggregate on version 9.6P3 without downtime

FelixZhou
3,279 Views

We have a NetApp 9.6P3 in production and need to enable aggr encryption. How can we do it without downtime? It looks like we have to empty the aggregate before we can enable encryption on an aggregate. We have LUNs presented to hosts from both aggregates on an HA pair.

thanks


3 REPLIES

Ontapforrum
3,260 Views
Hi,
 
It's a very good question. Your assumptions are correct.
 
Please take a look at the KB below.
 

Can I encrypt an existing volume in place with NAE in ONTAP 9.6?

Answer: No. You need to do one of the options mentioned in the KB below.

 
This is a useful KB:

https://kb.netapp.com/app/answers/answer_view/a_id/1086920/~/faq%3A-netapp-volume-encryption-and-netapp-aggregate-encryption-

 
All it suggests is that you either create a new aggr and then move the vols, or turn the existing aggr with NVE vols into encryption and then move the vols. However, this means you will need enough free disks to create a new aggregate in the first place, or select any existing aggr with enough space. (This may or may not be feasible.)
 
Finally, I guess vol move is NDU in ONTAP, so technically that part should be non-disruptive when you move a vol to an NAE aggr.
 
Thanks!

FelixZhou
3,259 Views

If I remember right, on a newer version (forgot which), we can enable NVE without moving a volume. If this is true, can we enable encryption on all data vols and move root vols to the partner's aggr, then enable encryption on the aggr? Is that possible?

thanks.

Ontapforrum
3,189 Views

Yes, I think you are talking about in-place encryption of existing volumes, a feature introduced in ONTAP 9.3.

 

Procedure to transition an existing un-encrypted volume:
A) Prior to 9.3 = 'volume move' command
B) 9.3 and later = 'volume encryption conversion start'

 

Some KBs for reference, hope it helps.
How to configure NetApp Volume Encryption
https://kb.netapp.com/app/answers/answer_view/a_id/1030618

 

Is it possible to tune the NetApp Volume Encryption conversion process?
https://kb.netapp.com/app/answers/answer_view/a_id/1086286

 

Considerations when using NetApp Volume Encryption (NVE)
https://kb.netapp.com/app/answers/answer_view/a_id/1074806

 

Difference:

  • A volume encrypted with a unique key is called an NVE volume
  • A volume encrypted with an aggregate-level key is called an NAE volume

 


Regarding 'root' vol:
There are two types in cDOT/ONTAP:
1) Controller root vol (Aggregates) = Not encrypted in both NAE & NVE
2) SVM root vol = encrypted in NVE only.
KB: 1086920 [To be honest, I would be more concerned with data volumes]

 

Thanks!
