Tape Block Zero Handling; Tape Key Expiry; Configuring Cryptotarget Containers And Luns - Brocade Communications Systems StoreFabric SN6500B Administrator's Manual

Brocade Fabric OS Encryption Administrator's Guide v7.1.0 (53-1002721-01, March 2013)

Tape block zero handling

Block zero of the tape media is not encrypted: the data in block zero is sent to the tape device as
cleartext, with the block zero metadata header prefixed to the data.

Tape key expiry

If the tape key for a native pool expires in the middle of a write operation on the tape, that key
continues to be used for the duration of the write operation that appends the data to the tape media.
On any given tape medium, the same key is used for all written blocks, regardless of the time between
append operations.
With the exception of native pools, whenever you rewind a tape and write to block zero, a new key is
generated that is unique to that tape. Only with native pools is the same key used to write to
multiple media. This key has a user-determined life span, which applies to the elapsed time between
write operations to new tapes (after rewind).
Note the following:
• Key expiration does not apply to append operations, no matter how long in the future.
• Key expiration never applies to read operations.
• Key expiration never applies to LUN-based policies. A new key is generated every time a tape medium is rewound and written to block zero (label), regardless of whether the specified key life span has expired.

Configuring CryptoTarget containers and LUNs

The following are best practices to follow when configuring CryptoTarget containers and crypto LUNs:
• Host a target port on only one encryption switch, or one HA cluster. All LUNs visible through the target port are hosted on the same encryption switch, and are available for storing cipher text.
• Be sure all nodes in a given DEK or HA cluster are up and enabled before creating an encrypted LUN. If a node in the DEK or HA cluster is down, or the encryption engine is down or not enabled when an encrypted LUN is added to the CryptoTarget container, write operations will hang when writing metadata to the LUN, and I/O will time out. Data integrity is not guaranteed in this condition.
• Before committing CryptoTarget container or LUN configurations or modifications on an encryption switch or FS8-18 blade, make sure that there are no outstanding zoning transactions in the switch or fabric. If there is an outstanding zoning transaction, the commit operation will fail and result in disabling the LUN. You can check for outstanding zoning transactions by issuing the cfgtransshow command.
• LUNs are uniquely identified by the encryption switch or FS8-18 blade using the LUN serial number. The LUN serial number must be unique for LUNs exposed from the same target port. The LUN serial number must also be unique for LUNs belonging to different target ports in non-multipathing configurations. Failure to ensure that the serial numbers are unique will result in undefined behavior and may result in faulting the encryption switch or FS8-18 blade.
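As an added example (not from the guide and not Brocade's own tooling), a pre-commit inventory check in Python that applies the two serial-number uniqueness rules in the last item above before LUNs are added to a CryptoTarget container. The LUN inventory, target port WWNs and serial numbers are constructed sample values, and whether the hosts use multipathing is assumed to be known from the host configuration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Lun:
    target_port: str  # target port WWN (constructed values in SAMPLE_LUNS)
    lun_id: int
    serial: str       # LUN serial number as reported by the storage array

def find_serial_conflicts(luns, multipathing):
    """Return [(serial, [luns...])] for every serial that breaks the rules.

    Rule 1: a serial must be unique among LUNs exposed from the same target port.
    Rule 2: in a non-multipathing configuration, a serial must also be unique
            across LUNs belonging to different target ports.
    With multipathing, one LUN legitimately shows the same serial behind several
    target ports, so only rule 1 applies.
    """
    by_serial = defaultdict(list)
    for lun in luns:
        by_serial[lun.serial].append(lun)
    conflicts = []
    for serial, group in by_serial.items():
        if len(group) < 2:
            continue
        ports = {lun.target_port for lun in group}
        same_port_duplicate = len(ports) < len(group)  # one port exposes the serial twice
        if same_port_duplicate or not multipathing:
            conflicts.append((serial, group))
    return conflicts

# Constructed sample inventory: WWNs and serial numbers are made up for this example.
SAMPLE_LUNS = [
    Lun("20:00:00:11:22:33:44:01", 0, "SN-AA01"),
    Lun("20:00:00:11:22:33:44:01", 1, "SN-AA02"),
    Lun("20:00:00:11:22:33:44:01", 2, "SN-AA01"),  # same serial twice on one port
    Lun("20:00:00:11:22:33:44:02", 0, "SN-AA02"),  # same LUN seen via a second port
    Lun("20:00:00:11:22:33:44:02", 1, "SN-BB07"),
]

def conflicting_serials(luns=SAMPLE_LUNS, multipathing=True):
    """Sorted serial numbers that would be unsafe to add to a CryptoTarget container."""
    return sorted(serial for serial, _ in find_serial_conflicts(luns, multipathing))

if __name__ == "__main__":
    for mp in (True, False):
        print(f"multipathing={mp}: conflicts = {conflicting_serials(multipathing=mp)}")
```

With multipathing the cross-port duplicate SN-AA02 is accepted and only the same-port duplicate SN-AA01 is flagged; without multipathing both are flagged.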
Fabric OS Encryption Administrator's Guide (SKM/ESKM)
53-1002721-01