ONTAP 9 Manuals ( CA08871-402 )

Enable encryption on a new volume

You can use the volume create command to enable encryption on a new volume.

About this task

You can encrypt volumes using Volume Encryption (VE) and Aggregate Encryption (AE). To learn more about AE and VE, refer to the volume encryption overview.

The procedure to enable encryption on a new volume in ONTAP varies based on the version of ONTAP you are using and your specific configuration:

  • If you enable cc-mode when you set up the Onboard Key Manager, volumes you create with the volume create command are automatically encrypted, whether or not you specify -encrypt true.

  • Newly created volumes are encrypted by default when you have the VE license and onboard or external key management. By default, new volumes created in an AE aggregate will be of type AE rather than VE.

    • If you add -encrypt true to the volume create command to create a volume in an AE aggregate, the volume will have VE encryption instead of AE. All volumes in an AE aggregate must be encrypted with either VE or AE.

Plaintext volumes are not supported in AE aggregates.

Steps
  1. Create a new volume and specify whether encryption is enabled on the volume. If the new volume is in an AE aggregate, by default the volume will be an AE volume:

    To create             Use this command

    An AE volume          volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name

    A VE volume           volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true
                          Where volumes are created in AE aggregates, -encrypt true overrides the default encryption type of AE to create a VE volume instead.

    A plaintext volume    volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt false

    For complete command syntax, refer to the command reference page for volume create.

  2. Verify that volumes are enabled for encryption:

    volume show -is-encrypted true

    For complete command syntax, see the ONTAP command reference.
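The verification in step 2 can be turned into an audit that fails when any volume is left unencrypted. The script below is an added example, not part of the ONTAP manual: it parses the output of `volume show -fields is-encrypted`, and the table layout, SVM names and volume names in the sample are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag volumes that are not encrypted, based on the text
# output of `volume show -fields is-encrypted`.
# Assumed layout: header row, dashed rule, one row per volume with vserver
# and volume as the first two columns, then a trailing count line.

# Constructed sample output; SVM and volume names are hypothetical.
sample_output() {
cat <<'EOF'
vserver volume    is-encrypted
------- --------- ------------
svm1    vol_plain false
svm1    vol_ae    true
svm1    vol_ve    true
svm2    scratch   false
4 entries were displayed.
EOF
}

# Print "vserver:volume" for every row whose is-encrypted value is not "true".
# The column is located by header name, so extra -fields columns are tolerated.
find_unencrypted() {
    awk '
        col == 0 {                       # still looking for the header row
            for (i = 1; i <= NF; i++) if ($i == "is-encrypted") col = i
            next
        }
        /^-+/ { next }                   # dashed rule under the header
        NF < col { next }                # blank or short lines
        / (entries were|entry was) displayed/ { next }   # trailing count line
        $col != "true" { print $1 ":" $2 }
    '
}

# Return 0 only if every listed volume is encrypted; otherwise list offenders.
audit_encryption() {
    plain=$(find_unencrypted)
    if [ -n "$plain" ]; then
        printf 'Unencrypted volumes:\n%s\n' "$plain" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample; prints svm1:vol_plain and svm2:scratch.
sample_output | find_unencrypted
```

In practice, pipe the saved or live CLI output into `audit_encryption` and use its exit status in a scheduled compliance check.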

Result

If you are using a KMIP server to store the encryption keys for a node, ONTAP automatically "pushes" an encryption key to the server when you encrypt a volume.
