Enabling aggregate-level encryption with LVE license

Starting with ONTAP 9.7, newly created aggregates and volumes are encrypted by default when you have the LVE license and onboard or external key management. Starting with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be encrypted. Volumes you create in the aggregate are encrypted by default. You can override the default when you encrypt the volume.

Before you begin

You must be a cluster administrator to perform this task.

About this task

You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication. Aggregate-level deduplication is otherwise not supported by LVE.

An aggregate enabled for aggregate-level encryption is called an LAE aggregate (for Lenovo Aggregate Encryption). Plain text volumes are not supported in LAE aggregates.

  1. Enable or disable aggregate-level encryption:

    To...                                              Use this command...
    Create a LAE aggregate with ONTAP 9.7 or later     storage aggregate create -aggregate aggregate_name -node node_name
    Create a LAE aggregate with ONTAP 9.6              storage aggregate create -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true
    Convert a non-LAE aggregate to an LAE aggregate    storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true
    Convert an LAE aggregate to a non-LAE aggregate    storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key false

    For complete command syntax, see the man pages.

    Example

    The following command enables aggregate-level encryption on aggr1:

    • ONTAP 9.7 or later:
      cluster1::> storage aggregate create -aggregate aggr1
    • ONTAP 9.6 or earlier:
      cluster1::> storage aggregate create -aggregate aggr1 -encrypt-with-aggr-key true
  2. Verify that the aggregate is enabled for encryption: storage aggregate show -fields encrypt-with-aggr-key

    For complete command syntax, see the man page.

    Example

    The following command verifies that aggr1 is enabled for encryption:

    cluster1::> storage aggregate show -fields encrypt-with-aggr-key
    aggregate            encrypt-aggr-key
    -------------------- ----------------
    aggr0_vsim4          false
    aggr1                true
    2 entries were displayed.
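    To apply the check in step 2 across every aggregate at once (for example before enabling aggregate-level deduplication, which LVE supports only on LAE aggregates), the following added Python example, which is not part of this page or of Lenovo's tooling, parses the output of storage aggregate show -fields encrypt-with-aggr-key and lists the aggregates whose flag is false. The sample output is constructed to match the table above, and the function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample output, matching the table shown in step 2 above.
SAMPLE_OUTPUT = """\
cluster1::> storage aggregate show -fields encrypt-with-aggr-key
aggregate            encrypt-aggr-key
-------------------- ----------------
aggr0_vsim4          false
aggr1                true
2 entries were displayed.
"""

# Matches the trailer line ONTAP prints after the table.
TRAILER_RE = re.compile(r"^(\d+) entr(?:y was|ies were) displayed\.$")


def parse_aggr_encryption(output: str) -> Dict[str, bool]:
    """Map aggregate name -> encrypt-with-aggr-key from the show output.

    Everything up to and including the dashed separator is treated as header
    (prompt and column names); the trailer count is checked against the rows."""
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    try:
        start = next(i for i, ln in enumerate(lines) if set(ln) <= {"-", " "}) + 1
    except StopIteration:
        raise ValueError("separator line not found; is this the show output?") from None
    result: Dict[str, bool] = {}
    expected = None
    for line in lines[start:]:
        m = TRAILER_RE.match(line.strip())
        if m:
            expected = int(m.group(1))
            continue
        parts = line.split()
        if len(parts) != 2 or parts[1] not in ("true", "false"):
            raise ValueError(f"unexpected row: {line!r}")
        result[parts[0]] = parts[1] == "true"
    if expected is not None and expected != len(result):
        raise ValueError(f"trailer says {expected} entries, parsed {len(result)}")
    return result


def unencrypted_aggregates(output: str) -> List[str]:
    """Aggregates whose flag is false (not LAE aggregates), in display order."""
    return [name for name, enc in parse_aggr_encryption(output).items() if not enc]


def is_lae_aggregate(output: str, aggregate: str) -> bool:
    """True only if the named aggregate is listed and has the flag set."""
    return parse_aggr_encryption(output).get(aggregate, False)


if __name__ == "__main__":
    print("not LAE:", unencrypted_aggregates(SAMPLE_OUTPUT))
```

    Feed it the text captured from the cluster shell; an aggregate that is missing from the output counts as not enabled rather than silently passing.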

After you finish

Run the volume create command to create the encrypted volumes.

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically pushes an encryption key to the server when you encrypt a volume.