ONTAP 9 Manuals ( CA08871-402 )

Configure Volume Encryption on an SVM root volume

Beginning with ONTAP 9.14.1, you can enable Volume Encryption (VE) on a storage VM (SVM) root volume. With VE, the root volume is encrypted with a unique key, enabling greater security on the SVM.

About this task

VE on an SVM root volume can only be enabled after the SVM has been created.

Before you begin
  • The SVM root volume must not be on an aggregate encrypted with Aggregate Encryption (AE).

  • You must have enabled encryption with the Onboard Key Manager or an external key manager.

  • You must be running ONTAP 9.14.1 or later.

  • To migrate an SVM containing a root volume encrypted with VE, you must convert the SVM root volume to a plain text volume after the migration completes, then re-encrypt the SVM root volume.

    • If the destination aggregate of the SVM migration uses AE, the root volume inherits AE by default.

  • If the SVM is in an SVM disaster recovery relationship:

    • Encryption settings on a mirrored SVM are not copied to the destination. If you enable VE on the source or destination, you must separately enable VE on the mirrored SVM root volume.

    • If all aggregates in the destination cluster use AE, the SVM root volume will use AE.

Steps

You can enable VE on an SVM root volume with the ONTAP CLI or ONTAP System Manager.

CLI

You can enable VE on the SVM root volume in place or by moving the volume between aggregates.

Encrypt the root volume in place
  1. Convert the root volume to an encrypted volume:

    volume encryption conversion start -vserver svm_name -volume volume

  2. Confirm the encryption succeeded. The volume show -encryption-type volume command displays a list of all volumes using VE.

Encrypt the SVM root volume by moving it
  1. Initiate a volume move:

    volume move start -vserver svm_name -volume volume -destination-aggregate aggregate -encrypt-with-aggr-key false -encrypt-destination true

    For more information about volume move, see Move a volume.

  2. Confirm the volume move operation succeeded with the volume move show command. The volume show -encryption-type volume command displays a list of all volumes using VE.

ONTAP System Manager
  1. Navigate to Storage > Volumes.

  2. Next to the name of the SVM root volume you want to encrypt, select the three vertical dots, then Edit.

  3. Under the Storage and Optimization heading, select Enable encryption.

  4. Select Save.
