ONTAP 9 Manuals ( CA08871-402 )

Enable aggregate-level encryption with VE license

Newly created aggregates and volumes are encrypted by default when you have the VE license and onboard or external key management. You can use aggregate-level encryption to assign keys to the aggregate that contains the volumes to be encrypted.

About this task

You must use aggregate-level encryption if you plan to perform inline or background aggregate-level deduplication. Aggregate-level deduplication is otherwise not supported by VE.

An aggregate enabled for aggregate-level encryption is called an AE aggregate (for Aggregate Encryption). All volumes in an AE aggregate must be encrypted with AE or VE encryption. With aggregate-level encryption, volumes you create in the aggregate are encrypted with AE encryption by default. You can override the default to use VE encryption instead.

Plain text volumes are not supported in AE aggregates.

Before you begin

You must be a cluster administrator to perform this task.

Steps
  1. Enable or disable aggregate-level encryption:

    • To create an AE aggregate with ONTAP 9.7 or later, use this command:

      storage aggregate create -aggregate aggregate_name -node node_name

    • To convert a non-AE aggregate to an AE aggregate, use this command:

      storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true

    • To convert an AE aggregate to a non-AE aggregate, use this command:

      storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key false

    For complete command syntax, see the man pages.

    The following command enables aggregate-level encryption on aggr1:

    • ONTAP 9.7 or later:

      cluster1::> storage aggregate create -aggregate aggr1
  2. Verify that the aggregate is enabled for encryption:

    storage aggregate show -fields encrypt-with-aggr-key

    For complete command syntax, see the man page.

    The following command verifies that aggr1 is enabled for encryption:

    cluster1::> storage aggregate show -fields encrypt-with-aggr-key
    aggregate            encrypt-aggr-key
    -------------------- ----------------
    aggr0_vsim4          false
    aggr1                true
    2 entries were displayed.
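
An added example (not part of the ONTAP manual): a shell check for step 2 that reads the `storage aggregate show -fields encrypt-with-aggr-key` output and prints every aggregate that is not enabled for aggregate-level encryption. The function names and exit codes are assumptions of this example; the embedded sample is the output shown above.

```shell
#!/bin/sh
# Added example, not from the ONTAP manual. Reads the output of
#   storage aggregate show -fields encrypt-with-aggr-key
# on stdin and prints each aggregate that is NOT an AE aggregate.
# Exit status (chosen for this example): 0 = all aggregates are AE,
# 1 = at least one is not, 2 = output could not be parsed.
audit_ae() {
    awk '
        # Data rows have exactly two columns and a true/false value; the
        # echoed command, header, separator and trailer never match this.
        NF == 2 && ($2 == "true" || $2 == "false") {
            rows++
            if ($2 == "false") { bad++; print $1 }
            next
        }
        # Trailer such as "2 entries were displayed." gives the row count.
        /entries were displayed/ { expected = $1 }
        END {
            # Fail closed: no rows, or fewer/more rows than the trailer
            # reports, means the format changed or the command failed.
            if (rows == 0 || (expected != "" && rows != expected + 0)) exit 2
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# The step 2 output shown on this page, embedded so the script runs offline.
sample_output() {
    cat <<'EOF'
cluster1::> storage aggregate show -fields encrypt-with-aggr-key
aggregate            encrypt-aggr-key
-------------------- ----------------
aggr0_vsim4          false
aggr1                true
2 entries were displayed.
EOF
}

status=0
not_ae=$(sample_output | audit_ae) || status=$?
echo "status=$status non-AE aggregates: ${not_ae:-none}"
```

To audit a real cluster, pipe the captured command output into `audit_ae` instead of `sample_output`.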

After you finish

Run the volume create command to create the encrypted volumes.

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically “pushes” an encryption key to the server when you encrypt a volume.
