Enabling node volume encryption

Beginning in ONTAP 9.8, you can use Lenovo Volume Encryption to protect the root volume of your node.

Before you begin

  • Your system must be using an HA configuration.
  • Your node volume must already be created.
  • Your system must have an onboard key manager or an external key management server using the Key Management Interoperability Protocol (KMIP).

About this task

Note
This procedure applies to the node root volume. It does not apply to SVM root volumes. SVM root volumes can be protected through aggregate-level encryption.

Once root volume encryption begins, it must complete. You cannot pause the operation. Once encryption is complete, you cannot assign a new key to the root volume and you cannot perform a secure-purge operation.

  1. Encrypt the root volume: volume encryption conversion start -vserver SVM_name -volume root_vol_name
  2. Verify the status of the conversion operation: volume encryption conversion show
  3. When the conversion operation is complete, verify that the volume is encrypted: volume show -fields

    Example

    The following shows example output for an encrypted volume.
    ::> volume show -vserver xyz -volume vol0 -fields is-encrypted
    vserver    volume is-encrypted
    ---------- ------ ------------
    xyz        vol0   true
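
A check that could follow step 3, as an added example that is not part of the original procedure or of any vendor tooling: it parses captured `volume show -fields is-encrypted` output and returns every volume whose value is not `true`, failing closed when the table cannot be read. The sample output is constructed (the cluster, node and volume names are made up), and the "entries were displayed" footer format is an assumption.

```python
import re

# Constructed sample in the layout of the example output above; names are made up.
SAMPLE_OUTPUT = """\
cluster1::> volume show -fields is-encrypted
vserver    volume is-encrypted
---------- ------ ------------
node-01    vol0   true
node-02    vol0   false
xyz        data1  true
3 entries were displayed.
"""

RULE = re.compile(r"-+( +-+)*")                      # dashed line under the header
FOOTER = re.compile(r"\d+ entries were displayed\.")  # assumed footer format


def parse_volume_show(text):
    """Return the table rows as dicts keyed by the column headers."""
    lines = [ln.strip() for ln in text.splitlines()]
    rule_at = next((i for i, ln in enumerate(lines) if RULE.fullmatch(ln)), None)
    if not rule_at:  # None (no rule) or 0 (no header line above the rule)
        raise ValueError("no table header found in output")
    headers = lines[rule_at - 1].split()
    rows = []
    for ln in lines[rule_at + 1:]:
        if not ln or FOOTER.fullmatch(ln):
            continue
        fields = ln.split()
        if len(fields) != len(headers):
            raise ValueError(f"unexpected row: {ln!r}")
        rows.append(dict(zip(headers, fields)))
    return rows


def unencrypted_volumes(text):
    """List (vserver, volume) pairs not reported as encrypted."""
    rows = parse_volume_show(text)
    if not rows or "is-encrypted" not in rows[0]:
        # Fail closed: an empty or wrong table must not read as "all encrypted".
        raise ValueError("output has no is-encrypted data")
    # Anything other than the literal "true" (e.g. "false" or "-") is flagged.
    return [(r["vserver"], r["volume"]) for r in rows
            if r["is-encrypted"].lower() != "true"]


if __name__ == "__main__":
    for vserver, volume in unencrypted_volumes(SAMPLE_OUTPUT):
        print(f"NOT ENCRYPTED: {vserver}:{volume}")
```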