Resource Allocation; First Time Encryption Modes; Configuring A Lun For First Time Encryption; Data Re-Keying - Brocade Communications Systems Brocade 8/12c Administrator's Manual

Supporting hp secure key manager (skm) environments and hp enterprise secure key manager (eskm) environments

Resource allocation

System resources for first time encryption sessions are shared with re-key sessions. There is an upper limit of 10 sessions with two concurrent sessions per target. Refer to the re-key "Resource allocation" section on page 170 for details.

First time encryption modes

First-time encryption can be performed under the following conditions:

• Offline encryption - The hosts accessing the LUN are offline or host I/O is halted while encryption is in process.
• Online encryption - The hosts accessing the LUN are online and host I/O is active during the encryption operation.

Configuring a LUN for first time encryption

First time encryption options are configured at the LUN level either during LUN configuration with the cryptocfg --add -LUN command, or at a later time with the cryptocfg --modify -LUN command.

1. Set the LUN policy to encrypt to enable encryption on the LUN. All other options related to encryption are enabled. A DEK is generated and associated with the LUN.
2. Enable first time encryption by setting the -enable_encexistingdata parameter. The existing data on the disk is encrypted using the configured DEK.
3. Optionally set the auto re-keying feature with the cryptocfg --enable_rekey command and specify the interval at which the key expires and automatic re-keying should take place (time period in days). Enabling automatic re-keying is valid only if the LUN policy is set to encrypt and the encryption format is Brocade native. Refer to the section "Crypto LUN parameters and policies" on page 156 for more information.

The following example configures a LUN for first time encryption with re-keying scheduled at a 6-month interval. You must commit the operation for it to take effect.

FabricAdmin:switch>cryptocfg --add -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a -encrypt \
-enable_encexistingdata -enable_rekey 180
Operation Succeeded

Data re-keying

In a re-keying operation, encrypted data on a LUN is decrypted with the current key, re-encrypted with a new key and written back to the same LUN at the same logical block address (LBA) location. This process effectively re-encrypts the LUN and is referred to as "in-place re-keying."

It is recommended that you limit the practice of re-keying to the following situations:

• Key compromise as a result of a security breach.
• As a general security policy to be implemented as infrequently as every six months or once per year.
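
One way to check cryptocfg --add -LUN lines against the configuration steps and the re-keying guidance in this section before committing them, as an added example that is not code from the Brocade guide. The function names, the findings text and the 180-day floor (MIN_REKEY_DAYS) are assumptions of this sketch, and only the options shown on this page are parsed.

```python
MIN_REKEY_DAYS = 180  # assumption: six-month floor, from the page's re-keying guidance

def parse_add_lun(text):
    """Return the LUN options this section covers from one --add -LUN command."""
    # Join "\" continuations and drop a leading "user:switch>" prompt if present.
    tokens = text.replace("\\\n", " ").split(">", 1)[-1].split()
    if tokens[:3] != ["cryptocfg", "--add", "-LUN"] or len(tokens) < 5:
        raise ValueError("expected: cryptocfg --add -LUN <container> <lun> ...")
    cfg = {"container": tokens[3], "lun": tokens[4], "encrypt": False,
           "enc_existing": False, "rekey": False, "rekey_days": None}
    opts = tokens[5:]
    for i, tok in enumerate(opts):
        if tok == "-encrypt":
            cfg["encrypt"] = True
        elif tok == "-enable_encexistingdata":
            cfg["enc_existing"] = True
        elif tok == "-enable_rekey":
            cfg["rekey"] = True
            nxt = opts[i + 1] if i + 1 < len(opts) else ""
            cfg["rekey_days"] = int(nxt) if nxt.isdigit() else None
    return cfg

def lint_add_lun(text):
    """Return a list of findings; an empty list means the line follows the steps."""
    # The Brocade-native format condition is not visible in these flags, so it is not checked.
    cfg, findings = parse_add_lun(text), []
    if cfg["enc_existing"] and not cfg["encrypt"]:
        findings.append("first-time encryption requested without -encrypt policy")
    if cfg["rekey"]:
        if not cfg["encrypt"]:
            findings.append("automatic re-keying requires the encrypt policy")
        if not cfg["rekey_days"]:
            findings.append("-enable_rekey needs an interval in days")
        elif cfg["rekey_days"] < MIN_REKEY_DAYS:
            findings.append("re-key interval shorter than the six-month guidance")
    return findings

# Constructed sample input: the page's command, then two hypothetical variants.
SAMPLES = [
    "FabricAdmin:switch>cryptocfg --add -LUN my_disk_tgt 0x0 \\\n"
    "10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a -encrypt \\\n"
    "-enable_encexistingdata -enable_rekey 180",
    "cryptocfg --add -LUN my_disk_tgt 0x1 -enable_encexistingdata -enable_rekey 30",
    "cryptocfg --add -LUN my_disk_tgt 0x2 -encrypt -enable_rekey",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_add_lun(sample)["lun"], lint_add_lun(sample) or "ok")
```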
Fabric OS Encryption Administrator's Guide
53-1002159-03
