When NetApp Aggregate Encryption (NAE) came out with ONTAP 9.6, there was some excitement for two reasons (the second probably being the bigger one):
- i: Create a new aggregate and enable NAE on it, and every new volume created on that NAE aggregate is encrypted (by NAE) without any per-volume setup.
- ii: NVE volumes do not participate in aggregate deduplication savings, but NAE volumes in an NAE aggregate do.
If you have existing aggregates with data on them, enabling NAE isn't as simple as switching it on. Every volume in the aggregate needs to be encrypted with NVE first, and only then can you enable NAE on the aggregate. But if the aggregate is NAE and all the volumes in it are NVE, you won't get those aggregate deduplication savings (which was probably the main reason for enabling NAE in the first place). The volumes keep encryption-type "volume" until they are vol moved onto an NAE aggregate.
Also, if you have a system with just one aggregate and existing data, you'll be a little stumped, because the SVM rootvol can't be NVE encrypted. Unless you can make a tiny temporary NAE aggregate out of spares to vol move the SVM rootvol to (and back again once the main aggregate is NAE), or find another trick, you're stuck with a non-encrypted aggregate.
I always think things make much more sense with examples, so below are 11 examples which follow on from one another and hopefully aid understanding.
Clustershell Guided Examples
1) Enable Onboard Key Manager (OKM):
cluster1::> security key-manager onboard enable
Note: The passphrase needs to be 32 to 256 ASCII-range characters long, otherwise you get:
Error: command failed: The onboard passphrase must be 32 to 256 ASCII-range characters long.
After configuring onboard key management, save the encrypted configuration data in a safe location so that you can use it if you need to perform a manual recovery operation. Both the backup data and the passphrase are needed for recovery, so keep them somewhere other than the cluster itself. To view the data, use the "security key-manager onboard show-backup" command.
cluster1::> security key-manager onboard show-backup
2) Create a brand new NAE aggregate (encrypt-with-aggr-key true):
cluster1::> aggr create -node cluster1-01 -aggr n1_aggr1 -diskcount 10 -encrypt-with-aggr-key true
cluster1::> aggr show -fields encrypt-with-aggr-key -root false
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true
3) Create a volume on the NAE aggregate with fairly default settings and see its encryption status:
cluster1::> vol create -vserver svm0 -volume vol01 -aggregate n1_aggr1 -size 1G -security-style unix
cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -volume vol01
vserver volume encryption-type encrypt is-encrypted
------- ------ --------------- ------- ------------
svm0    vol01  aggregate       true    true
4) Create a non-NAE aggregate for testing purposes:
cluster1::> aggr create -node cluster1-02 -aggr n2_aggr1 -diskcount 10 -encrypt-with-aggr-key false
cluster1::> aggr show -fields encrypt-with-aggr-key -root false
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true
n2_aggr1  false
5) Create an SVM on the non-NAE aggregate, and look at the SVM rootvol's encryption status:
cluster1::> vserver create -vserver svm1 -aggregate n2_aggr1
cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1
vserver volume    encryption-type encrypt is-encrypted
------- --------- --------------- ------- ------------
svm1    svm1_root none            false   false
6) Q: Can we encrypt the SVM rootvol with NVE? Answer = NO
cluster1::> volume encryption conversion start -vserver svm1 -volume svm1_root
Error: command failed: Failed to start conversion on volume "svm1_root" in Vserver "svm1". Reason: Operation is not supported on a Vserver root volume.
7) Q: Can we convert the non-NAE aggregate to NAE while it contains an unencrypted SVM rootvol? Answer = NO
cluster1::> aggregate modify -aggregate n2_aggr1 -encrypt-with-aggr-key true
Error: command failed: Failed to modify the aggregate "n2_aggr1" since it contains non-encrypted volumes. Run the "volume show -encrypt false" command to get the list of non-encrypted volumes. Convert all of them to NVE (NetApp Volume Encryption) volumes and try again later.
8) Q: Can we vol move the unencrypted SVM rootvol to the NAE aggregate? Answer = YES, but only with -encrypt-with-aggr-key true, so that the volume is encrypted as part of the move. A plain vol move is refused:
cluster1::> vol move start -vserver svm1 -volume svm1_root -destination-aggregate n1_aggr1
Error: command failed: The destination aggregate "n1_aggr1" is an NAE (NetApp Aggregate Encryption) aggregate. Non-encrypted volumes are not supported in such aggregates.
cluster1::> vol move start -vserver svm1 -volume svm1_root -destination-aggregate n1_aggr1 -encrypt-with-aggr-key true
[Job 130] Job is queued: Move "svm1_root" in Vserver "svm1" to aggregate "n1_aggr1". Use the "volume move show -vserver svm1 -volume svm1_root" command to view the status of this operation.
cluster1::> volume move show -vserver svm1 -volume svm1_root
Vserver Name: svm1
Volume Name: svm1_root
Actual Completion Time: Wed Jan 29 21:21:57 2020
Destination Aggregate: n1_aggr1
Detailed Status: Successful
Managing Node: cluster1-02
Percentage Complete: 100%
Move Phase: completed
Source Aggregate: n2_aggr1
Move State: done
Is Source Volume Encrypted: false
Encryption Key ID of Source Volume:
Is Destination Volume Encrypted: true
Encryption Key ID of Destination Volume: 00000000000000000200000000000500eb33c6a732638615349e38f7259e9c200000000000000000
cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1
vserver volume    encryption-type encrypt is-encrypted
------- --------- --------------- ------- ------------
svm1    svm1_root aggregate       true    true
9) Create an NVE volume on the non-encrypted aggregate:
cluster1::> vol create -vserver svm1 -volume vol11 -aggregate n2_aggr1 -size 1G -security-style unix -encrypt true
cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1 -volume vol11
vserver volume encryption-type encrypt is-encrypted
------- ------ --------------- ------- ------------
svm1    vol11  volume          true    true
10) Convert the non-encrypted aggregate to an NAE aggregate (it now contains only encrypted volumes, so the modify succeeds) and check the encryption status of our NVE volume. Note that the volume stays encryption-type "volume", not "aggregate":
cluster1::> aggregate modify -aggregate n2_aggr1 -encrypt-with-aggr-key true
cluster1::> aggr show -fields encrypt-with-aggr-key -root false
aggregate encrypt-with-aggr-key
--------- ---------------------
n1_aggr1  true
n2_aggr1  true
cluster1::> vol show -fields encryption-type,encrypt,is-encrypted -vserver svm1 -volume vol11
vserver volume encryption-type encrypt is-encrypted
------- ------ --------------- ------- ------------
svm1    vol11  volume          true    true
11) Q: Can we convert the NVE volume on the NAE aggregate to aggregate encryption-type in place? Answer = NO
The only way to convert the NVE volume to aggregate encryption-type is to vol move the volume to another NAE aggregate with -encrypt-with-aggr-key true (you could then move it back again if you so wish).
cluster1::> vol move start -vserver svm1 -volume vol11 -destination-aggregate n1_aggr1 -encrypt-with-aggr-key true
cluster1::> vol show -fields encryption-type,encrypt,is-encrypted,aggregate -vserver svm1 -volume vol11
vserver volume aggregate encryption-type encrypt is-encrypted
------- ------ --------- --------------- ------- ------------
svm1    vol11  n1_aggr1  aggregate       true    true
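The eleven steps above amount to a pre-flight check before running "aggregate modify -encrypt-with-aggr-key true" on an aggregate that already holds data: unencrypted regular volumes must be converted to NVE first, unencrypted SVM root volumes cannot be converted and must be vol moved to an NAE aggregate with -encrypt-with-aggr-key true, and volumes that are already NVE will be accepted but keep encryption-type "volume" (so no aggregate dedupe) until they too are vol moved. The script below automates that classification. It is an added example, not part of the original post and not a NetApp tool: it parses the text tables printed by "vol show -fields ..." and "vserver show -fields rootvolume" (the sample output embedded here is constructed to match the examples above, not captured from a cluster), and the NAE aggregate it proposes for parking root volumes is a parameter you supply.

```python
"""Pre-flight check before converting an existing ONTAP aggregate to NAE.

Hypothetical helper (not an ONTAP command and not NetApp code). It parses
the text output of two clustershell commands and reports, for one
aggregate, what stands between it and a successful
    aggregate modify -aggregate <aggr> -encrypt-with-aggr-key true
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample output in the layout of
#   vol show -fields vserver,volume,aggregate,encryption-type,encrypt,is-encrypted
# (made up for this example, not captured from a real cluster).
SAMPLE_VOL_SHOW = """\
vserver volume    aggregate encryption-type encrypt is-encrypted
------- --------- --------- --------------- ------- ------------
svm0    svm0_root n1_aggr1  aggregate       true    true
svm0    vol01     n1_aggr1  aggregate       true    true
svm1    svm1_root n2_aggr1  none            false   false
svm1    vol11     n2_aggr1  volume          true    true
svm1    vol12     n2_aggr1  none            false   false
5 entries were displayed.
"""

# Constructed sample output of `vserver show -fields rootvolume`.
SAMPLE_VSERVER_SHOW = """\
vserver rootvolume
------- ----------
svm0    svm0_root
svm1    svm1_root
2 entries were displayed.
"""


def parse_fields_table(text: str) -> list[dict[str, str]]:
    """Parse a `show -fields ...` table: header line, dashed rule, then rows.

    Values in these tables contain no spaces, so whitespace splitting is
    enough. The trailing "N entries were displayed." line is skipped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows: list[dict[str, str]] = []
    for ln in lines[2:]:
        if ln.endswith("displayed."):
            continue
        values = ln.split()
        if len(values) != len(header):
            raise ValueError(f"cannot parse row: {ln!r}")
        rows.append(dict(zip(header, values)))
    return rows


@dataclass
class NaePreflight:
    aggregate: str
    # Unencrypted regular volumes: block the modify, fixable in place with
    # `volume encryption conversion start`.
    convert_in_place: list[tuple[str, str]] = field(default_factory=list)
    # Unencrypted SVM root volumes: block the modify and cannot be converted
    # in place; they must be vol moved to an NAE aggregate with
    # -encrypt-with-aggr-key true.
    roots_to_move: list[tuple[str, str]] = field(default_factory=list)
    # Already NVE: do not block the modify, but keep encryption-type
    # "volume" afterwards and so stay outside aggregate deduplication
    # until vol moved onto an NAE aggregate.
    nve_no_aggr_dedupe: list[tuple[str, str]] = field(default_factory=list)

    @property
    def ready(self) -> bool:
        """True when the aggregate modify would no longer be refused."""
        return not self.convert_in_place and not self.roots_to_move

    def remediation(self, parking_nae_aggr: str) -> list[str]:
        """Clustershell commands to run first. parking_nae_aggr is an
        existing NAE aggregate with room for the root volumes (assumed)."""
        cmds = [
            f"volume encryption conversion start -vserver {vs} -volume {vol}"
            for vs, vol in self.convert_in_place
        ]
        cmds += [
            f"vol move start -vserver {vs} -volume {vol} "
            f"-destination-aggregate {parking_nae_aggr} -encrypt-with-aggr-key true"
            for vs, vol in self.roots_to_move
        ]
        return cmds


def nae_preflight(vol_rows, vserver_rows, aggregate: str) -> NaePreflight:
    """Classify every volume on `aggregate` into the three buckets above."""
    root_vols = {(r["vserver"], r["rootvolume"]) for r in vserver_rows}
    result = NaePreflight(aggregate)
    for r in vol_rows:
        if r["aggregate"] != aggregate:
            continue
        key = (r["vserver"], r["volume"])
        if r["encrypt"] == "false":
            bucket = result.roots_to_move if key in root_vols else result.convert_in_place
            bucket.append(key)
        elif r["encryption-type"] == "volume":
            result.nve_no_aggr_dedupe.append(key)
    return result


if __name__ == "__main__":
    vols = parse_fields_table(SAMPLE_VOL_SHOW)
    svms = parse_fields_table(SAMPLE_VSERVER_SHOW)
    for aggr in ("n1_aggr1", "n2_aggr1"):
        check = nae_preflight(vols, svms, aggr)
        print(f"{aggr}: ready={check.ready}")
        for cmd in check.remediation("n1_aggr1"):
            print("   run:", cmd)
        for vs, vol in check.nve_no_aggr_dedupe:
            print(f"   NVE only, no aggregate dedupe until vol moved: {vs}:{vol}")
```

Paste real "vol show" and "vserver show" output in place of the constructed samples. On the sample data n2_aggr1 is not ready: svm1_root has to be parked on n1_aggr1 and vol12 converted to NVE before the modify will succeed, and vol11 is flagged as NVE-only, which is exactly the situation examples 7 to 11 walk through by hand.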
Image: NVE v NAE
Also see my post from 24 July 2019: NetApp Aggregate Encryption (NAE) in ONTAP 9.6: How to Configure