6
Encryption group merge and split use cases
The above manual configuration recovery procedure will work nearly identically for all combinations
of EG split scenarios. Simply perform the following steps for the other scenarios:
•
•
•
•
•
Configuration impact of encryption group split or node isolation
When a node is isolated from the encryption group or the encryption group is split to form separate
encryption group islands, the defined or registered node list in the encryption group is not equal to
the current active node list, and the encryption group is in a DEGRADED state rather than in a
CONVERGED state.
under such conditions
TABLE 7
.
Configuration Type
Encryption group
HA cluster
Security & key vault
TABLE 8
Configuration Type
Security & key vault
HA cluster
320
Pick one EG/EG Leader to be maintained.
Using that GL Node, deregister all Nodes which are in a DISCOVERING state as determined by
the output of the cryptocfg
Go to the other EG islands and delete the EGs.
-
In the one case where the other EG has a member node which is in a DISCOVERED state,
you will first need to eject that DISCOVERED Node prior to being allowed to delete that
other EG.
From the only remaining EG/EG leader, reregister the previously deregistered Nodes.
Confirm the EG is converged.
Table 7
and
Allowed Configuration Changes
Allowed configuration changes
•
Adding a node to the encryption group
•
Removing a node from the encryption group
•
Invoking a node leave command
•
Deleting an encryption group
•
Registering a member node (IP address, certificates)
•
Removing an encryption engine from an HA cluster
•
Deleting an HA cluster
•
Initializing a node
•
Initializing an encryption engine
•
Re-registering an encryption engine
•
Zeroizing an encryption engine
Disallowed Configuration Changes
Disallowed configuration changes
•
Register or modify key vault settings
•
Generating a master key
•
Exporting a master key
•
Restoring a master key
•
Enabling or disabling encryption on an encryption engine
•
Creating an HA cluster
•
Adding an encryption engine to an HA cluster
•
Modifying the failback mode
show
groupmember
--
-
Table 8
list configuration changes that are allowed and disallowed
Fabric OS Encryption Administrator's Guide (SKM/ESKM)
all command.
-
53-1002721-01