Brocade Encryption Solution Overview - Brocade Communications Systems Brocade 8/12c Administrator's Manual

Brocade encryption solution overview

The loss of stored private data, trade secrets, intellectual properties, and other sensitive
information through theft or accidental loss of disk or tape media can have widespread negative
consequences for governments, businesses, and individuals. This threat is countered by an
increasing demand from governments and businesses for solutions that create and enforce
policies and procedures that protect stored data. Encryption is a powerful tool for data protection.
Brocade provides an encryption solution that resides in a Storage Area Network (SAN) fabric. This
location, between computers and storage, is ideal for implementing a solution that works
transparently with heterogeneous servers, disk storage subsystems, and tape libraries. Data
entering the SAN from a server is encrypted before it is written to storage. When stored data is
encrypted, theft or loss of storage media does not pose a security threat.
Figure 2
server to the encryption engine, where it is encrypted into ciphertext using one of two encryption
algorithms: one for disk storage targets, and one for tape storage targets. The encrypted data
cannot be read without first being decrypted. The key management system is required for
management of the data encryption keys (DEKs) that are generated by the encryption engine, and
used for encrypting and decrypting the data. The key management system is provided by a
third-party vendor.
Fabric OS Encryption Administrator's Guide
53-1002159-03
provides a high-level view of the Brocade encryption solution. Cleartext is sent from the
Host
Ciphertext
Cleartext
FIGURE 2
Encryption overview

Brocade encryption solution overview

Encryption Switch
Ciphertext
Cleartext AES256-XTS
Ciphertext
DEKs
based on
AES256-GCM
Key Management
System
Disk Storage
based on
Tape Storage
1
7