Decrypting Flexgroup Volumes | NetApp | Page 1

quiet tundra Oct 3, 2025, 2:45 PM

#

Hey guys, looking for a general explanation on how to handle updating the onboard key manager due to a lost passphrase on a flexgroup.
The general consensus I came across was to do vol moves, similar to how you enable encryption on flexgroup vols, but set the destination to be false for encryption enabled.
After doing that for all of the volumes, I could then decrypt them, set up a new passphrase and then rekey.
However im getting met with “changing encryption is not allowed for flexgroup constituents”

Running 9.16.1p6 on a Fas8700. A previous employee enabled the onboard okm but didn’t think to store the passphrase in our repository

One thing to note is I’ve done this on NVE vols but in this case it has NAE enabled.

stable crest Oct 3, 2025, 3:16 PM

#

oh boy. let me start

#

Are you using NVE or NAE?

#

vol show -encrypt tru -fields encryption-type

#

the encryption type will be volume or aggregate

#

Depending on the reply will dictate which answer I give

#

@quiet tundra ^^^

#

(FYI, I unfortunately deal with this too frequently so I have the answers)

quiet tundra Oct 3, 2025, 3:18 PM

#

Aggregate 🙁

stable crest Oct 3, 2025, 3:18 PM

#

oh boy...

#

Step 1: you must convert EVERYTHING to NVE first
vol move start -vserver xxx -volume yyy -encrypt-with-aggr-key false -encrypt-destination false -destination-aggr aggr
(for flexgroups, you MUST use advanced mode and move the individual members)

ALL volumes must be NVE to continue

Step two: turn off NAE
aggr modify -aggr xxx|xxy -encrypt-with-aggr-key false

Step 3:you must remove ALL NVE encryption
vol move start -vserver xxx -volume yyy -encrypt-with-aggr-key false -encrypt-destination false -destination-aggr aggr

Step 4: you can now remove the OKM
security onboard key-manager disable

#

you will need enough space to do all the "moves"
In some cases, customers need to move volumes between aggregates to get enough space to do what is needed

I usually make a spreadsheet with
volume, aggregate, encryption-type, size, used, avail,space-guarantee

If volumes are thick provisioned (space-guarantee volume), convert to thin (guarantee none) first, It speeds up the moves

Then I start with low-hanging fruit (the volumes with least-used space)

#

let me know if you more direction

quiet tundra Oct 3, 2025, 3:27 PM

#

Oh wow thank you so much for this. It sounds very similar to what I imagined would be needed for nve.
What you explained is perfect and makes complete sense!

worldly minnow Oct 3, 2025, 7:03 PM

#

Ah yes going from "NAE-to-unencrypted" (or vice versa) is never fun. 💀
But just a hint: Using NAE on a FAS only makes sense if you have SSD-aggrs. The only reason for NAE vs NVE is being able to use cross-volume deduplication since the volumes are sharing the key. Even though it's supported I really would not recommend to enable it on HDD-only aggrs.
So after you managed to change the OKM key-phrase I would only encrypt your vols to NVE. Saves you one vol-move cycle.

stable crest Oct 4, 2025, 2:32 AM

#

Side note: if you have hybrid aggregates, you can in fact turn on the inline efficiencies.

#Decrypting Flexgroup Volumes