Initiating A Manual Re-Key Session - Brocade Communications Systems Brocade 8/12c Administrator's Manual

Supporting hp secure key manager (skm) environments and hp enterprise secure key manager (eskm) environments

Data re-keying
NOTE
For a scheduled re-keying session to proceed, all encryption engines in a given HA cluster, DEK
cluster, or encryption group must be online, and I/O sync links must be configured. Refer to the
section "Management LAN configuration" on page 116 for more information.

1. Log in to the group leader as FabricAdmin.
2. Enable automatic re-keying by setting the -enable_rekey parameter followed by a time period
   (in days). The following example enables the automatic re-keying feature on an existing LUN
   with a 90-day re-keying interval. The data will automatically be re-encrypted every 90 days.

   FabricAdmin:switch>cryptocfg --modify -LUN my_disk_tgt 0x0 \
   10:00:00:00:c9:2b:c9:3a -enable_rekey 90
   Operation Succeeded

3. Commit the configuration.

   FabricAdmin:switch>cryptocfg --commit
   Operation Succeeded

Initiating a manual re-key session

You can initiate a re-keying session manually at your own convenience. All encryption engines in a
given HA cluster, DEK cluster, or encryption group must be online for this operation to succeed. The
manual re-keying feature is useful when the key is compromised and you want to re-encrypt
existing data on the LUN before taking action on the compromised key.

CAUTION
Do not commit this operation if there are any changes pending for the container in which the
re-key was started. If you attempt to do this, the system displays a warning stating that the
encryption engine is busy and a forced commit is required for the changes to take effect. A forced
commit in this situation will halt any re-key that is in-progress (in any container) and corrupt any
LUN that is running re-key at the time. There is no recovery for this type of failure.

1. Log in to the group leader as FabricAdmin.
2. Do LUN discovery by issuing the cryptocfg --discoverLUN command before issuing the
   cryptocfg --manual_rekey command to avoid a potential I/O timeout because of a path state
   change at the host.
3. Ensure that all encryption engines in the HA cluster, DEK cluster, or encryption group are online
   by issuing the cryptocfg --show -groupmember -all command.
4. Enter the cryptocfg --manual_rekey command. Specify the CryptoTarget container name, the
   LUN number and the initiator PWWN.

   FabricAdmin:switch>cryptocfg --manual_rekey my_disk_tgt 0x0 \
   10:00:00:05:1e:53:37:99
   Operation Succeeded
   Please check the status of the operation using "cryptocfg --show -rekey"

Fabric OS Encryption Administrator's Guide
53-1002159-03
