Return of The Blog
Making Encrypted Volumes the Default
Once administrators are comfortable with encryption and see that they can enable it across the board non-disruptively, the next question is usually: how can we make sure that newly created volumes are always NVE volumes?
Setting a boot argument
To enable NVE for new volumes by default, you have to set a bootarg. You can set that bootarg without rebooting, but you will need the diag account. If you're not comfortable with that, you would have to reboot and set the boot argument at the corresponding prompt. Assuming you're OK with briefly having access to the diag account, the following command will do the trick (make sure it is set on each node):
systemshell * -c sudo kenv -p bootarg.softwareencryption.encryptallvol=true
FAQ
- Is there a minimum ONTAP version required?
- This is available with ONTAP 9.1
- If there are existing unencrypted volumes when this bootarg is applied, does this convert existing plain volumes?
- No. Setting this bootarg will not modify any existing volumes.
- Can this bootarg be applied after the array has been set up?
- Yes, after the bootarg is set, any new volumes created will be encrypted. No need to reboot the systems.
- Does this apply to MetroCluster?
- Yes, make sure the bootarg is set on every node.
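Because the bootarg leaves existing volumes untouched, it helps to list what is still unencrypted after setting it. The script below is an added example, not part of the original post: it filters saved output of the ONTAP CLI command `volume show -fields is-encrypted`. The sample output and its column layout are constructed and assumed to match the cluster shell's tabular format.

```shell
#!/bin/sh
# Added example: report volumes that are still unencrypted.
# Input: saved output of `volume show -fields is-encrypted`.
# Assumption: a header row naming the columns, then whitespace-separated
# rows with vserver in column 1 and volume in column 2.

# Constructed sample output (not taken from a real cluster).
sample_output() {
cat <<'EOF'
vserver volume      is-encrypted
------- ----------- ------------
svm1    vol_legacy  false
svm1    vol_archive false
svm1    vol_new     true
svm2    vol_db      true
4 entries were displayed.
EOF
}

# Print "vserver:volume" for each row whose is-encrypted value is false.
# The column is found by header name, so extra -fields do not break the
# filter. Exits 2 if no header is found, so truncated or unexpected input
# is not mistaken for "everything is encrypted".
unencrypted_volumes() {
  awk '
    col == 0 {                      # still looking for the header row
      for (i = 1; i <= NF; i++) if ($i == "is-encrypted") col = i
      next
    }
    /^-+( +-+)*$/ { next }          # dashed separator under the header
    NF < col      { next }          # blank or short lines
    $col == "false" { print $1 ":" $2 }
    END {
      if (col == 0) {
        print "no is-encrypted column found" > "/dev/stderr"
        exit 2
      }
    }
  '
}

# Stand-alone run against the constructed sample.
sample_output | unencrypted_volumes
```

Volumes listed by the filter were created before the bootarg took effect and have to be encrypted separately.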