
Enabling encryption on a new volume

You can use the volume create command to enable encryption on a new volume.

About this task

Starting with ONTAP 9.4, if you enable cc-mode when you set up the Onboard Key Manager, volumes you create with the volume create command are automatically encrypted, whether or not you specify -encrypt true.

Starting with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be encrypted. Volumes you create in the aggregate are encrypted by default. You can use the -encrypt option to override the default when you create the volume.

Starting with ONTAP 9.7, newly created volumes are encrypted by default when you have the LVE license and onboard or external key management.

A volume encrypted with a unique key is called an LVE volume. A volume encrypted with an aggregate-level key is called an LAE volume (for Lenovo Aggregate Encryption). Plaintext volumes are not supported in LAE aggregates.

  1. Create a new volume and specify whether encryption is enabled on the volume:
    | To create... | Use this command... |
    | --- | --- |
    | An ONTAP 9.7 or later LAE volume | volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name |
    | An ONTAP 9.6 LAE volume (assuming aggregate-level encryption is enabled) | volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name |
    | An ONTAP 9.7 or later LVE volume | volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name |
    | An ONTAP 9.6 or earlier LVE volume | volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true |
    | A plain text volume | volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt false |

    For complete command syntax, see the man page for the command.

    In ONTAP 9.7 or later, the following command creates an LAE volume named vol1 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol1 -aggregate aggr1

    Using ONTAP 9.6, assuming aggregate-level encryption is enabled, the following command creates an LAE volume named vol1 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol1 -aggregate aggr1

    In ONTAP 9.7 or later, the following command creates an LVE volume named vol2 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol2 -aggregate aggr1

    Using ONTAP 9.6 or earlier, the following command creates an LVE volume named vol2 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol2 -aggregate aggr1 -encrypt true

    The following command creates a plaintext volume named vol3 on aggr1:

    cluster1::> volume create -vserver vs1 -volume vol3 -aggregate aggr1 -encrypt false
  2. Verify that volumes are enabled for encryption: volume show -is-encrypted true

    For complete command syntax, see the man page for the command.

    Example

    The following command displays the encrypted volumes on cluster2:

    cluster2::> volume show -is-encrypted true

    Vserver Volume Aggregate State  Type Size  Available Used
    ------- ------ --------- -----  ---- ----- --------- ----
    vs1     vol1   aggr2     online RW   200GB 160.0GB   20%
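
A scripted version of the step 2 check, as an added example (not Lenovo's or ONTAP's own code): it parses output in the volume show -is-encrypted true layout shown above and reports volumes from a required-encryption inventory that are absent from the listing. The sample output, the inventory and the function names are constructed for illustration.

```python
"""Audit helper: find volumes missing from `volume show -is-encrypted true` output."""

# Constructed sample in the column layout shown on this page.
SAMPLE_OUTPUT = """\
cluster2::> volume show -is-encrypted true

Vserver Volume Aggregate State  Type Size  Available Used
------- ------ --------- -----  ---- ----- --------- ----
vs1     vol1   aggr2     online RW   200GB 160.0GB   20%
vs1     vol2   aggr2     online RW   100GB 90.0GB    10%
2 entries were displayed.
"""

# Constructed inventory: (vserver, volume) pairs that policy requires to be encrypted.
REQUIRED = {("vs1", "vol1"), ("vs1", "vol2"), ("vs1", "vol3")}


def parse_encrypted_volumes(cli_output):
    """Return the set of (vserver, volume) pairs found in the data rows."""
    rows = set()
    in_table = False
    for line in cli_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        # The dashed rule separates the column header from the data rows.
        if all(set(f) == {"-"} for f in fields):
            in_table = True
            continue
        # Data rows carry the eight columns shown on the page; the prompt
        # line and the trailing summary line have a different field count.
        if in_table and len(fields) == 8:
            rows.add((fields[0], fields[1]))
    return rows


def unencrypted(required, cli_output):
    """Required volumes that the encrypted-volume listing does not contain."""
    return sorted(set(required) - parse_encrypted_volumes(cli_output))


if __name__ == "__main__":
    for vserver, volume in unencrypted(REQUIRED, SAMPLE_OUTPUT):
        print(f"NOT ENCRYPTED: {vserver}:{volume}")
```

An empty or unparseable listing reports every required volume as unencrypted, so a failed collection step surfaces as a finding instead of a clean result.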

Result

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically pushes an encryption key to the server when you encrypt a volume.