Changing the encryption key for a volume with the volume move start command

It is a security best practice to change the encryption key for a volume periodically. You can use the volume move start command to change the encryption key. The moved volume can reside on the same aggregate or a different aggregate.

Before you begin

You must be a cluster administrator to perform this task, or an SVM administrator to whom the cluster administrator has delegated authority.

Delegating authority to run the volume move command

About this task

You cannot use volume move start to rekey a SnapLock or FlexGroup volume.

Move an existing volume and change the encryption key: volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -generate-destination-key true
For complete command syntax, see the man page for the command.
Example
The following command moves an existing volume named vol1 to the destination aggregate aggr2 and changes the encryption key:
cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -generate-destination-key true
A new encryption key is created for the volume. The data on the volume remains encrypted.

Verify that the volume is enabled for encryption: volume show -is-encrypted true

For complete command syntax, see the man page for the command.

Example

The following command displays the encrypted volumes on cluster1 :

cluster1::> volume show -is-encrypted true

Vserver  Volume  Aggregate  State  Type  Size  Available  Used
-------  ------  ---------  -----  ----  -----  --------- ----
vs1      vol1    aggr2     online    RW  200GB    160.0GB  20%

Give documentation feedback