1. Modify the LUN policy from encrypt to cleartext and commit. The LUN will become disabled.
2. Enable the LUN using cryptocfg --enable LUN. Modify the LUN policy from clear-text to encrypt with enable_encexistingdata to enable first time encryption, and commit. This clears the stale rekey metadata on the LUN, and the LUN can be used again for encryption.
Method 2
1. Remove the LUN from the Crypto Target Container and commit.
2. Add the LUN back to the Crypto Target Container with LUN State="clear-text", policy="encrypt", and enable_encexistingdata set to enable First Time Encryption, and commit. This clears the stale rekey metadata on the LUN, and the LUN can be used again for encryption.
For the HP Encryption switch and HP Encryption blade, all nodes in the Encryption Group must be at the same firmware level before starting a rekey or First Time Encryption operation. Make sure that existing rekey or First Time Encryption operations complete before upgrading any of the encryption products in the Encryption Group. Also, make sure that the firmware upgrade of all nodes in the Encryption Group completes before starting a rekey or First Time Encryption operation.
SKM FIPS mode enablement
FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described
in the SKM User Guide, "Configuring the Key Manager for FIPS Compliance" section.
NOTE:
Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager.
Therefore, if you must enable FIPS, HP strongly recommends that you do so during the initial SKM
configuration, before any key sharing between the switch and the SKM occurs.
Initial setup of encrypted LUNs
IMPORTANT:
While performing first-time encryption on a LUN with more than one initiator active at the time, rekey operations slow to a standstill. Define LUNs for a single initiator at a time to avoid this.
NOTE:
When configuring multipath LUNs, take care to add LUN 0 on all of the paths, subject to the following considerations:
• If LUN 0 presented by the back-end target is a controller LUN (not a disk LUN; that is, not visible in the discoverLUN output), add LUN 0 to the container as a clear text LUN. Make sure all of the paths have this LUN 0 added for MPIO operation (EVA configuration, for example).
• If LUN 0 presented by the back-end target is a disk LUN, LUN 0 can be added to the container either as clear text or encrypted (MSA configuration, for example).
• For HP-UX, LUN 0 can appear as 0x0 or 0x400, but both of them are LUN 0 only and should be treated alike.