Migrating volumes to an encrypted pool

For systems with encryption enabled, you can migrate existing volumes from non-encrypted pools to encrypted pools. Both the management GUI and the command-line interface can be used to migrate volumes to encrypted pools.

Any pools that are created after encryption is enabled are assigned a key that can be used to encrypt and decrypt data. However, if encryption was configured after volumes were already assigned to non-encrypted pools, you can migrate those volumes to an encrypted pool by using child pools. When you create a child pool after encryption is enabled, an encryption key is created for the child pool even when the parent pool is not encrypted. You can then use volume mirroring to migrate the volumes from the non-encrypted parent pool to the encrypted child pool.

The system supports both internal storage and external storage. Internal storage is comprised of arrays that are attached directly to the system through serial-attached SCSI connections. External storage is also comprised of arrays, but these are attached to the system over a storage-area network (SAN). The migration process differs depending on the type of underlying storage that the volume uses.

If you are migrating volumes that use SAN-attached MDisks, you must complete the migration steps for Migrating volumes that use SAN-attached MDisks.

Migrating volumes that use SAN-attached MDisks

To migrate volumes that use SAN-attached MDisks in the management GUI, complete these steps:

  1. In the management GUI, select Pools > Pools.
  2. Right-click the non-encrypted parent pool that contains the volumes that you want to migrate and select Create Child Pool.
  3. On the Create Child Pool page, enter the name for the child pool and the amount of capacity. Ensure that you select enough capacity to accommodate the migrated volumes. Encryption is selected by default when the system is enabled for encryption.
  4. Click Create. After the child pool is created, you can migrate the volumes to the child pool by adding volume copies.
  5. In the management GUI, select Volumes > Volumes by Pools.
  6. Select the non-encrypted parent pool to display all the volumes.
  7. Right-click the volume and select Add Volume Copy....
  8. On the Add Volume Copy page, select Basic for the type of copy that you are creating. From the list of available pools, select the child pool as the target pool for the copy of the volume.
  9. Click Add.
  10. Repeat these steps to add volume copies to the encrypted child pool for the remaining volumes in the parent pool.
  11. After all the copies are synchronized in the encrypted child pool, you can delete all the primary copies from the parent pool. The empty parent pool must remain unused to use encrypted volumes in the child pool.

To migrate volumes that use SAN-attached MDisks in the command-line interface, complete these steps:

  1. In the command-line interface, enter the following command to create a child pool.
    mkmdiskgrp -name my_encrypted_child_pool -parentmdiskgrp mypool -encrypt yes
    where my_encrypted_child_pool is the name of the new child pool and mypool is the name of the parent pool.
  2. Issue the CLI command addvdiskcopy to create mirrored copies of the volumes that are in the parent pool, in the new child pool. An example of this command would be:
    addvdiskcopy -autodelete -mdiskgrp my_encrypted_child_pool -vdisk volume1
    where my_encrypted_child_pool is the name of the new child pool and volume1 is the name of the volume that is being copied. Use the -autodelete parameter to automatically delete the primary copy of the volume after the copy synchronizes.
  3. Repeat step 2 until all the volumes from the original parent contain mirrored copies in the new child pool. The empty parent pool must remain unused to use encrypted volumes in the child pool.
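
The CLI procedure above, as an added example that is not part of the original documentation: a shell script that reads lsvdiskcopy -delim : output, reports which volumes in the parent pool still lack a synchronized copy in the encrypted child pool, and prints the addvdiskcopy command from step 2 for the volumes that need it. The sample output is constructed and trimmed to the columns used, the helper names classify and plan are hypothetical, and the pool names are the ones used in the examples on this page.

```shell
#!/bin/sh
# Added example, not IBM's code. Pool names are the ones used on this page.
PARENT=mypool
CHILD=my_encrypted_child_pool

# Constructed sample of `lsvdiskcopy -delim :` output, header row kept and
# trimmed to the columns used below (real output has more columns).
sample_copies() {
cat <<'EOF'
vdisk_id:vdisk_name:copy_id:status:sync:primary:mdisk_grp_id:mdisk_grp_name
0:volume1:0:online:yes:yes:0:mypool
0:volume1:1:online:yes:no:1:my_encrypted_child_pool
1:volume2:0:online:yes:yes:0:mypool
1:volume2:1:online:no:no:1:my_encrypted_child_pool
2:volume3:0:online:yes:yes:0:mypool
3:volume4:0:online:yes:yes:1:my_encrypted_child_pool
EOF
}

# classify (hypothetical helper): for every volume that still has a copy in
# the non-encrypted parent pool, print "<volume> <state>" where state is
#   needs_copy  no copy in the encrypted child pool yet
#   syncing     child copy exists but is not synchronized
#   ready       child copy is synchronized; the parent copy can be deleted
classify() {
  awk -F: -v parent="$PARENT" -v child="$CHILD" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }  # locate columns by name
    {
      name = $(col["vdisk_name"]); pool = $(col["mdisk_grp_name"])
      if (!(name in seen)) { seen[name] = 1; order[++n] = name }
      if (pool == parent) in_parent[name] = 1
      if (pool == child)  child_sync[name] = $(col["sync"])
    }
    END {
      for (k = 1; k <= n; k++) {
        v = order[k]
        if (!(v in in_parent)) continue            # already fully migrated
        if (!(v in child_sync))          print v, "needs_copy"
        else if (child_sync[v] == "yes") print v, "ready"
        else                             print v, "syncing"
      }
    }'
}

# plan (hypothetical helper): print the step 2 command for each volume
# that has no copy in the child pool yet.
plan() {
  classify | awk -v child="$CHILD" '$2 == "needs_copy" {
    print "addvdiskcopy -autodelete -mdiskgrp " child " -vdisk " $1 }'
}

sample_copies | classify   # with real data, pipe saved lsvdiskcopy output in instead
```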