
Enabling encryption on an existing volume with the volume move start command

You can use the volume move start command to enable encryption by moving an existing volume. You can use the same aggregate or a different aggregate.

Before you begin

You must be a cluster administrator to perform this task, or an SVM administrator to whom the cluster administrator has delegated authority.

Delegating authority to run the volume move command

About this task

You cannot use volume move start to enable encryption on a SnapLock or FlexGroup volume.

If you enable cc-mode when you set up the Onboard Key Manager, volumes you create with the volume move start command are automatically encrypted. You need not specify -encrypt-destination true.

Starting with ONTAP 9.6, you can use aggregate-level encryption to assign keys to the containing aggregate for the volumes to be moved. A volume encrypted with a unique key is called an LVE volume. A volume encrypted with an aggregate-level key is called an LAE volume (for Lenovo Aggregate Encryption). Plaintext volumes are not supported in LAE aggregates.

  1. Move an existing volume and specify whether encryption is enabled on the volume:
    To convert...
        Use this command...

    A plaintext volume to an LVE volume
        volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-destination true

    An LVE or plaintext volume to an LAE volume (assuming aggregate-level encryption is enabled on the destination)
        volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-with-aggr-key true

    An LAE volume to an LVE volume
        volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-with-aggr-key false

    An LAE volume to a plaintext volume
        volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-destination false -encrypt-with-aggr-key false

    An LVE volume to a plaintext volume
        volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-destination false

    For complete command syntax, see the man page for the command.

    Example

    The following command converts a plaintext volume named vol1 to an LVE volume:

    cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -encrypt-destination true

    Example

    Assuming aggregate-level encryption is enabled on the destination, the following command converts an LVE or plaintext volume named vol1 to an LAE volume:

    cluster1::> volume move start -vserver vs1 -volume vol1 -destination-aggregate aggr2 -encrypt-with-aggr-key true

    Example

    The following command converts an LAE volume named vol2 to an LVE volume:

    cluster1::> volume move start -vserver vs1 -volume vol2 -destination-aggregate aggr2 -encrypt-with-aggr-key false

    Example

    The following command converts an LAE volume named vol2 to a plaintext volume:

    cluster1::> volume move start -vserver vs1 -volume vol2 -destination-aggregate aggr2 -encrypt-destination false -encrypt-with-aggr-key false

    Example

    The following command converts an LVE volume named vol2 to a plaintext volume:

    cluster1::> volume move start -vserver vs1 -volume vol2 -destination-aggregate aggr2 -encrypt-destination false
  2. View the encryption type of cluster volumes: volume show -fields encryption-type none|volume|aggregate

    The encryption-type field is available in ONTAP 9.6 and later.

    For complete command syntax, see the man page for the command.

    Example

    The following command displays the encryption type of volumes in cluster2:

    cluster2::> volume show -fields encryption-type

    vserver volume encryption-type
    ------- ------ ---------------
    vs1     vol1   none
    vs2     vol2   volume
    vs3     vol3   aggregate

  3. Verify that volumes are enabled for encryption: volume show -is-encrypted true

    For complete command syntax, see the man page for the command.

    Example

    The following command displays the encrypted volumes on cluster2:

    cluster2::> volume show -is-encrypted true

    Vserver Volume Aggregate State  Type Size  Available Used
    ------- ------ --------- -----  ---- ----- --------- ----
    vs1     vol1   aggr2     online RW   200GB 160.0GB   20%
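
The audit in step 2 can be scripted. The following Python is an added example, not part of the original page or of ONTAP: it parses the step 2 output and applies the conversion table from step 1 to list the volume move start commands that bring every volume to a target encryption type. The function names, the name whitelist and the single destination aggregate are assumptions; the script cannot tell whether a volume is SnapLock or FlexGroup, and a target of aggregate assumes aggregate-level encryption is enabled on the destination.

```python
import re

# Flags from the conversion table in step 1, keyed by (current, target) encryption-type.
MOVE_FLAGS = {
    ("none", "volume"): "-encrypt-destination true",
    ("none", "aggregate"): "-encrypt-with-aggr-key true",
    ("volume", "aggregate"): "-encrypt-with-aggr-key true",
    ("aggregate", "volume"): "-encrypt-with-aggr-key false",
    ("aggregate", "none"): "-encrypt-destination false -encrypt-with-aggr-key false",
    ("volume", "none"): "-encrypt-destination false",
}
TYPES = ("none", "volume", "aggregate")
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")  # assumption: conservative name whitelist

# Output of the step 2 example on this page.
SAMPLE = """\
cluster2::> volume show -fields encryption-type
vserver volume encryption-type
------- ------ ---------------
vs1 vol1 none
vs2 vol2 volume
vs3 vol3 aggregate
"""

def parse_encryption_types(output):
    """Return (vserver, volume, encryption_type) for each data row."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        # Only data rows have three fields ending in a known type.
        if len(parts) == 3 and parts[2] in TYPES:
            rows.append(tuple(parts))
    return rows

def move_command(vserver, volume, current, target, dest_aggr):
    """Build one volume move start line, or None if no move is needed."""
    if current == target:
        return None
    for name in (vserver, volume, dest_aggr):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"refusing unexpected name: {name!r}")
    return (f"volume move start -vserver {vserver} -volume {volume} "
            f"-destination-aggregate {dest_aggr} {MOVE_FLAGS[(current, target)]}")

def remediation_plan(output, target, dest_aggr):
    """List the commands that bring every parsed volume to the target type."""
    cmds = (move_command(vs, vol, cur, target, dest_aggr)
            for vs, vol, cur in parse_encryption_types(output))
    return [c for c in cmds if c]
```

Calling remediation_plan(SAMPLE, "volume", "aggr2") returns commands for vol1 and vol3 only, because vol2 is already an LVE volume; review the list before running any line on the cluster.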

Result

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically pushes an encryption key to the server when you encrypt a volume.