Data Encryption Key Life Cycle Management - Brocade Communications Systems StoreFabric SN6500B Administrator's Manual
Brocade fabric os encryption administrator's guide v7.1.0 (53-1002721-01, march 2013)
Hide thumbs
Also See for StoreFabric SN6500B:
- User manual (1505 pages) ,
- Command reference manual (1168 pages) ,
- Reference (934 pages)
Table of Contents
Advertisement
Data encryption key life cycle management
Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and
decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the
ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly,
and some data may be stored for years or decades before it is accessed. To be sure the data
remains accessible, DEKs may also need to be stored for years or decades. Key management
systems provide life-cycle management for all DEKs created by the encryption engine. Key
management systems are provided by third-party vendors.
Figure 4
nodes.
Regardless of the length of the life cycle, there are four stages in the life of a DEK, as shown in
Figure
is used to encrypt and decrypt data at least once, and possibly many times. A DEK may be
configured to expire in a certain time frame to avoid becoming compromised. Under those
conditions, it must be used one more time to decrypt the data, and the resulting cleartext is
encrypted with a new key (rekeyed).
Fabric OS Encryption Administrator's Guide (SKM/ESKM)
53-1002721-01
shows the relationship of the LAN connections to the key vault and between encryption
Key Management
System
Node 1
EE
FIGURE 4
LAN connections to the key vault, and between encryption nodes
5. A DEK is created by an encryption engine, distributed, then stored in a key vault. The key
Data encryption key life cycle management
LAN
Encryption Group
Node 2
Node 3
EE
Group Leader
IO Sync LAN
Node 4
EE
EE
1
9
Advertisement
Table of Contents
Troubleshooting
