Migrating volumes to an encrypted pool

For systems with encryption enabled, you can migrate existing volumes from non-encrypted pools to encrypted pools. Both the management GUI and the command line interface can be used to migrate volumes to encrypted pools.

During system setup in the management GUI, you can activate and enable encryption licenses. The management GUI automatically displays any enclosure that supports encryption. The license can either be automatically or manually activated and then enabled for the system and the supported enclosures.The management GUI automatically displays any nodes that support encryption. The license can either be automatically or manually activated and then enabled for the system and the supported nodes. Any pools that created after encryption is enabled are assigned a key that can be used to encrypt and decrypt data. However, if encryption was configured after volumes were already assigned to non-encrypted pools, you can migrate those volumes to an encrypted pool by using child pools. When you create a child pool after encryption is enabled, an encryption key is created for the child pool even when the parent pool is not encrypted. You can then use volume mirroring to migrate the volumes from the non-encrypted parent pool to the encrypted child pool. You can use either the management GUI or the command line interface to migrate volumes to an encrypted pool.

The system supports both internal storage and external storage. Internal storage consists of arrays that attached directly to the system through serial-attached SCSI connections. External storage consists of arrays that are attached to the system over a storage area network (SAN). Depending on the type of underlying storage the volume uses, the migration process is different.

If you are migrating volumes that use SAN-attached MDisks, you must complete the migration steps for Migrating volumes that use SAN-attached MDisks.

Migrating volumes that use SAN-attached MDisks

To migrate volumes that use SAN-attached MDisks in the management GUI, complete these steps:

  1. In the management GUI, select Pools > Pools.
  2. Right-click the non-encrypted parent pool that contains the volumes that you want to migrate and select Create Child Pool.
  3. On the Create Child Pool page, enter the name for the child pool and the amount of capacity. Ensure that you select enough capacity to accommodate the migrated volumes. Encryption is selected by default when the system is enabled for encryption.
  4. Click Create. After the child pool is created, you can migrate the volumes to the child pool by adding volume copies.
  5. In the management GUI, select Volumes > Volumes by Pools.
  6. Select the non-encrypted parent pool to display all the volumes.
  7. Right-click the volume and select Add Volume Copy....
  8. On the Add Volume Copy page, select Basic for the type of copy that you are creating. From the list of available pools, select the child pool as the target pool for the copy of the volume.
  9. Click Add.
  10. Repeat these steps to add volume copies to the encrypted child pool for the remaining volumes in the parent pool.
  11. After all the copies are synchronized in the encrypted child pool, you can delete the all the primary copies from the parent pool. The empty parent pool must remain unused to use encrypted volumes in the child pool.

To migrate volumes that use SAN-attached MDisks in the command line interface, complete these steps:

  1. In the command line interface, enter the following command to create a child pool.
    mkmdiskgrp -name my_encrypted_child_pool -parentmdiskgrp mypool -encrypt yes
    where my_encrypted_child_pool is the name of the new child pool and mypoolis the name of the parent pool.
  2. Issue the CLI command addvdiskcopy to create mirrored copies of the volumes that are in the parent pool, in the new child pool. In the following example, my_encrypted_child_pool is the name of the new child pool and volume1 is the name of the volume that is being copied.
    addvdiskcopy -autodelete -mdiskgrp my_encrypted_child_pool -vdisk volume1
    Use the -autodelete operand to automatically delete the primary copy of the volume after the copy synchronizes.
  3. Repeat step #svc_migratevolencryption/step2 until all the volumes from the original parent contain mirrored copies in the new child pool. The empty parent pool must remain unused to use encrypted volumes in the child pool.

Migrating volumes that use internal MDisks

If you have internally attached enclosures that either do not support encryption or that do not have an encryption license activated and enabled and want encrypted volumes, you can still migrate volumes to encrypted pools. Before you can migrate volumes, you must upgrade your software to a version that supports encryption and obtain an encryption license. After you receive authorization documents for the encryption license, you must activate the license and enable the encryption function on the system before you attempt migration of any volumes. In addition, you must ensure that the unencrypted pool contains enough free extents to complete the migration. The migration fails if there are not enough free extents. You have two options to ensure that the pool contains enough extents:
  • If you have spare drives, create a new encrypted array with the spare drives.
  • If you do not have spare drives, add unassigned external MDisks to the parent pool and create a new encrypted child pool. If you chose this option and intend to keep the external MDisk in the pool after migration, then use the instructions in Migrating volumes that use SAN-attached MDisks.

These steps assume that these tasks were completed.

To migrate volumes that use internal MDisks in the management GUI, complete these steps:
  1. In the management GUI, select Pools > MDisks by Pools.
  2. Select the pool and right-click the MDisk that represents the array that you want to delete and select Remove.
  3. To add the array back to the pool, select MDisk by Pools. The new available internal storage is displayed at the bottom of the panel. Select the icon that represents the drive class of the drives that were formerly in the array that was deleted and select Assign. The new array is encrypted by default. After all the arrays are encrypted, the pool is considered encrypted and data on volumes in that pool is also encrypted.
  4. To verify that the data on these volumes was migrated to encrypted arrays and are now encrypted, select Volumes > Volume by Pools.
  5. Select the pool and verify that the volumes that are listed are encrypted. A key icon is displayed under the Encryption column to indicate that the data on the volume is encrypted.
For migrated volumes that use internal MDisk in the command line interface, complete these steps:
  1. To remove an array from pool, enter the following command:
    rmarray -mdisk mdisk3 pool2
    In this example, mdisk3 is the array that is removed from pool2.
  2. To create a new encrypted array and add the array to the storage pool, enter the following command:
    mkarray -level raid5 -drive 0:1:2:3 -mdiskgrp pool2
    In this example, the array is encrypted by default because encryption is enabled on the I/O group for the array. The data that is stored on the volumes that use that array is now encrypted.
  3. To verify that the volumes in the pool are encrypted, enter the following command:
    lsvdisk 
    The encrypt state is yes if all the data on the volume is encrypted.