Terminology - Brocade Communications Systems 1606 Administrator's Manual

Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)
Terminology

The following are definitions of terms used extensively in this document.
ciphertext: Encrypted data.

cleartext: Unencrypted data.

CryptoModule: The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.

Data Encryption Key (DEK): An encryption key generated by the encryption engine. The DEK is used to encrypt cleartext received from a host before it is sent to a target LUN, and to decrypt that data when it is retrieved by the host.

Data Encryption Key Cluster (DEK Cluster): A cluster of encryption engines that can host all paths to a LUN and share the same data encryption key (DEK) set. The encryption engines can be in the same or different fabrics. DEK clusters enable host MPIO failover.

Encryption Engine: The entity within a node that performs encryption operations, including the generation of Data Encryption Keys.

Encryption Group: A collection of one or more DEK clusters, HA clusters, or both, that share the same key vault and device configuration and are managed as a single group.

Failback: In the context of this implementation of encryption, failback refers to behavior after a failed encryption switch recovers. Devices that were transferred to another switch by failover processing may automatically be transferred back, or they may be manually switched back. Which behavior applies is a configuration option.

Failover: In the context of this implementation of encryption, failover refers to the automatic transfer of devices hosted by one encryption switch to another encryption switch within a high availability cluster (HA cluster).

Group Leader: A group leader is a special node within an encryption group that acts as a group and cluster manager, and manages and distributes all group-wide and cluster-wide configurations to all members of the group or cluster.

High Availability Cluster (HA Cluster): A collection of peer-level encryption engines that provide failover capabilities within a fabric.

Key Encryption Key (KEK): A key used to encrypt and decrypt Data Encryption Keys (DEKs) within encryption devices so that DEKs can be transmitted in a secure manner outside of the encryption engines and stored persistently inside key vaults.

Link Key: A shared secret exchanged between an encryption engine and a FIPS 140-2 level 3 certified key management appliance and key vault. The link key is a Key Encryption Key (KEK) that is used to encrypt Data Encryption Keys (DEKs) in transit over a secure connection to and from the key vault. The key management appliance decrypts the DEKs and stores them encrypted with its own master key.

Master Key: A Key Encryption Key (KEK) used to encrypt and decrypt DEKs when storing DEKs in opaque key vaults. There is one master key per encryption group, which means that all node encryption engines within an encryption group use the same master key to encrypt and decrypt the DEKs.

Node: In terms of encryption, a switch, DCX, or DCX-4S through which users can manage an encryption engine.

Opaque Key Vault: A storage location that provides untrusted key management functionality. Its contents may be visible to a third party. DEKs in an opaque key vault are stored encrypted under a master key to protect them.