NetApp Aggregate Encryption: Some Examples and Some Questions Answered

When NetApp Aggregate Encryption came out with ONTAP 9.6, there was some excitement for two reasons (the second probably being the biggest reason):
- i: Create a new aggregate and enable NAE on it, and then all the new volumes created on the NAE aggregate are encrypted (by NAE).
- ii: NVE volumes do not participate in aggregate deduplication savings, but NAE volumes in an NAE aggregate do participate in aggregate deduplication savings.

If you have existing aggregates with data on them, enabling NAE isn’t as simple as just switching it on. Every volume in the aggregate needs to be encrypted with NVE first, then you can enable NAE on the aggregate. But, if the aggregate is NAE, and all the volumes are NVE, well, you won’t get those aggregate deduplication savings (which was probably the main reason for enabling NAE in the first place).

Also, if you have a system with just one aggregate and existing data, you’ll be a little stumped because the SVM rootvol can’t be NVE encrypted, so unless you can make a tiny temporary NAE aggregate out of spares to vol move the SVM rootvol to and then back once the main aggregate is NAE (or find another trick), you’re stuck with a non-encrypted aggregate.

I always think things make much more sense with examples, so below are 11 examples which follow on from one another and hopefully aid understanding.

Clustershell Guided Examples

1) Enable Onboard Key Manager (OKM):


cluster1::> security key-manager onboard enable


Note: The passphrase needs to be 32 to 256 ASCII-range characters long otherwise you get:
Error: command failed: The onboard passphrase must be 32 to 256 ASCII-range characters long.

After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. To view the data, use the "security key-manager onboard show-backup" command.


cluster1::> security key-manager onboard show-backup


2) Create a brand new NAE aggregate (encrypt-with-aggr-key true):


cluster1::> aggr create -node cluster1-01 -aggr n1_aggr1 -diskcount 10 -encrypt-with-aggr-key true

cluster1::> aggr show -fields encrypt-with-aggr-key -root false
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true


3) Create a volume on an NAE aggregate with fairly default settings and see its encryption status:


cluster1::> vol create -vserver svm0 -volume vol01 -aggregate n1_aggr1 -size 1G -security-style unix

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -volume vol01
vserver volume encryption-type encrypt is-encrypted
------- ------ --------------- ------- ------------
svm0    vol01  aggregate       true    true


4) Create a non-NAE aggregate for testing purposes:


cluster1::> aggr create -node cluster1-02 -aggr n2_aggr1 -diskcount 10 -encrypt-with-aggr-key false

cluster1::> aggr show -fields encrypt-with-aggr-key -root false
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true
n2_aggr1  false


5) Create an SVM on the non-NAE aggregate, and look at the SVM rootvol’s encryption status:


cluster1::> vserver create -vserver svm1 -aggregate n2_aggr1

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1
vserver volume    encryption-type encrypt is-encrypted
------- --------- --------------- ------- ------------
svm1    svm1_root none            false   false


6) Q: Can we encrypt the SVM rootvol? Answer = NO

cluster1::> volume encryption conversion start -vserver svm1 -volume svm1_root

Error: command failed: Failed to start conversion on volume "svm1_root" in Vserver "svm1". Reason: Operation is not supported on a Vserver root volume.


7) Q: Can we encrypt the non-NAE aggregate with an unencrypted SVM rootvol in it? Answer = NO

cluster1::> aggregate modify -aggregate n2_aggr1 -encrypt-with-aggr-key true

Error: command failed: Failed to modify the aggregate "n2_aggr1" since it contains non-encrypted volumes. Run the "volume show -encrypt false" command to get the list of non-encrypted volumes. Convert all of them to NVE (NetApp Volume Encryption) volumes and try again later.


8) Q: Can we vol move the unencrypted SVM rootvol to the NAE aggregate? Answer = YES (but only if the move is started with -encrypt-with-aggr-key true; a plain vol move is rejected)

cluster1::> vol move start -vserver svm1 -volume svm1_root -destination-aggregate n1_aggr1

Error: command failed: The destination aggregate "n1_aggr1" is an NAE (NetApp Aggregate Encryption) aggregate. Non-encrypted volumes are not supported in such aggregates.

cluster1::> vol move start -vserver svm1 -volume svm1_root -destination-aggregate n1_aggr1 -encrypt-with-aggr-key true
[Job 130] Job is queued: Move "svm1_root" in Vserver "svm1" to aggregate "n1_aggr1". Use the "volume move show -vserver svm1 -volume svm1_root" command to view the status of this operation.

cluster1::> volume move show -vserver svm1 -volume svm1_root

                           Vserver Name: svm1
                            Volume Name: svm1_root
                 Actual Completion Time: Wed Jan 29 21:21:57 2020
                  Destination Aggregate: n1_aggr1
                        Detailed Status: Successful
                          Managing Node: cluster1-02
                    Percentage Complete: 100%
                             Move Phase: completed
                       Source Aggregate: n2_aggr1
                             Move State: done
             Is Source Volume Encrypted: false
     Encryption Key ID of Source Volume:
        Is Destination Volume Encrypted: true
Encryption Key ID of Destination Volume: 00000000000000000200000000000500eb33c6a732638615349e38f7259e9c200000000000000000

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1
vserver volume    encryption-type encrypt is-encrypted
------- --------- --------------- ------- ------------
svm1    svm1_root aggregate       true    true


9) Create an NVE volume on the non-encrypted aggregate.


cluster1::> vol create -vserver svm1 -volume vol11 -aggregate n2_aggr1 -size 1G -security-style unix -encrypt true

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1 -volume vol11
vserver volume encryption-type encrypt is-encrypted
------- ------ --------------- ------- ------------
svm1    vol11  volume          true    true


10) Convert the non-encrypted aggregate to NAE aggregate and check the encryption status of our NVE volume.


cluster1::> aggregate modify -aggregate n2_aggr1 -encrypt-with-aggr-key true

cluster1::> aggr show -fields encrypt-with-aggr-key -root false
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true
n2_aggr1  true

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1 -volume vol11
vserver volume encryption-type encrypt is-encrypted
------- ------ --------------- ------- ------------
svm1    vol11  volume          true    true


11) Q: Can we convert the NVE volume on the NAE aggregate to aggregate encryption-type? Answer = NO (but you can vol move it to an NAE aggregate to give it the aggregate encryption-type)

The only way to convert the NVE volume to aggregate encryption-type is to vol move the volume to another NAE aggregate (you could then move it back again if you so wish).

cluster1::> vol move start -vserver svm1 -volume vol11 -destination-aggregate n1_aggr1 -encrypt-with-aggr-key true

cluster1::> vol show -fields encryption-type,encrypt,is-encrypted,aggregate -vserver svm1 -volume vol11
vserver volume aggregate encryption-type encrypt is-encrypted
------- ------ --------- --------------- ------- ------------
svm1    vol11  n1_aggr1  aggregate       true    true
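
Before touching a production aggregate it helps to know, per aggregate, which volumes would block "aggregate modify -encrypt-with-aggr-key true" (step 7) and which NVE volumes would sit on an NAE aggregate without getting aggregate deduplication savings (step 10/11). The script below is an added example, not from the original post: it parses constructed "vol show -fields ..." and "aggr show -fields ..." output in the tabular format shown above (the column names and the "N entries were displayed." trailer are assumed to match what your ONTAP version prints) and reports both lists.

```python
# Constructed sample output mirroring the lab above, plus one extra NVE volume
# (vol12) placed on the NAE aggregate to show the "no aggregate dedupe" case.
SAMPLE_VOL_SHOW = """\
vserver volume    aggregate encryption-type encrypt is-encrypted
------- --------- --------- --------------- ------- ------------
svm0    vol01     n1_aggr1  aggregate       true    true
svm1    svm1_root n2_aggr1  none            false   false
svm1    vol11     n2_aggr1  volume          true    true
svm1    vol12     n1_aggr1  volume          true    true
4 entries were displayed.
"""
SAMPLE_AGGR_SHOW = """\
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true
n2_aggr1  false
2 entries were displayed.
"""


def parse_fields(text):
    """Parse ONTAP '-fields' tabular output into a list of row dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[2:]:            # skip the header and the dashed separator
        parts = line.split()
        if len(parts) != len(header):  # drops the "N entries were displayed." trailer
            continue
        rows.append(dict(zip(header, parts)))
    return rows


def audit_nae(vol_text, aggr_text):
    """Per aggregate: is it NAE, what blocks enabling NAE, which NVE volumes miss dedupe."""
    findings = {r["aggregate"]: {"nae": r["encrypt-with-aggr-key"] == "true",
                                 "blocking": [], "nve_no_dedupe": []}
                for r in parse_fields(aggr_text)}
    for v in parse_fields(vol_text):
        f = findings[v["aggregate"]]
        name = f'{v["vserver"]}:{v["volume"]}'
        if v["encrypt"] != "true":
            # Any non-encrypted volume makes "aggregate modify ... true" fail (step 7);
            # an SVM rootvol cannot be NVE-converted, so it has to be vol moved instead.
            f["blocking"].append(name)
        elif f["nae"] and v["encryption-type"] == "volume":
            # Encrypted, but NVE on an NAE aggregate: excluded from aggregate dedupe.
            f["nve_no_dedupe"].append(name)
    return findings


if __name__ == "__main__":
    for aggr, f in audit_nae(SAMPLE_VOL_SHOW, SAMPLE_AGGR_SHOW).items():
        print(aggr, "NAE" if f["nae"] else "not NAE",
              "blocking:", f["blocking"], "NVE w/o aggr dedupe:", f["nve_no_dedupe"])
```

Run it against real output captured from the cluster (e.g. pasted into the two strings) to get the list of volumes to NVE-convert or vol move before attempting the aggregate modify.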


Image: NVE v NAE

Also see my post from 24 July 2019:
NetApp Aggregate Encryption (NAE) in ONTAP 9.6: How to Configure
