Advanced Mode - Cisco AJ732A - MDS 9134 Fabric Switch Configuration Manual

Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - Release 4.x (OL-18091-01, February 2009)

Key Management Operations

Advanced Mode

In Advanced security mode, the master key is stored on five smart cards. Depending on the quorum
required to recover the master key, two or three of the five smart cards or two of the three smart cards
will be required to unlock the master key. The master key is stored securely on a PIN-protected smart
card.

To replace a lost or damaged smart card, the quorum of Cisco SME Recovery Officers must be present
with their smart cards to authorize the master key recovery. This ensures that the split-knowledge
security policy of the master key is maintained throughout the lifetime of the Cisco SME cluster. It
guarantees that, after the Cisco SME cluster is created in Advanced security mode, the master key can
be retrieved only by the quorum of Cisco Recovery Officers, and that both the replacement operation
and the new smart card are authorized and authenticated by the quorum.

The smart card replacement triggers a master key recreation (master key rekey), and a new version of the
master key is generated for the cluster. The new set of master key shares is stored on the smart cards. All
the volume group keys are also synchronized with the new master key.

In the unique key mode, a new tape volume group wrap key is generated for each volume group. The
existing tape volume group wrap key is duplicated with the new master key and put in the archived state.

In the shared key mode, a new tape volume group wrap key and tape volume group shared key are
generated. The existing tape volume group wrap key is duplicated with the new master key and put in
the archived state. The existing tape volume group shared key remains as it was.
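
The quorum and rekey behavior described above, as an added example that is not Cisco's implementation or code from the guide. It assumes Shamir secret sharing as a stand-in for the share scheme, which the guide does not specify, and it models only the master key shares (no PINs, no volume group key re-wrapping); `split`, `recover`, `replace_card` and `demo` are hypothetical names.

```python
import secrets

P = 2**521 - 1  # Mersenne prime; field comfortably larger than a 256-bit key

def split(secret, k, n):
    """Return n shares (x, y) of secret; any k of them recover it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def poly(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, poly(x)) for x in range(1, n + 1)]

def recover(shares, k):
    """Lagrange-interpolate at x = 0; refuse to run without k distinct cards."""
    pts = list(dict(shares).items())[:k]
    if len(pts) < k:
        raise PermissionError(f"quorum not met: {len(pts)} of {k} cards present")
    secret = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def replace_card(cards, presented, k):
    """Quorum-authorized replacement: prove the quorum, then rekey every card."""
    recover(presented, k)              # raises unless the quorum is present
    new_key = secrets.randbits(256)    # new master key version (assumed 256-bit)
    return new_key, split(new_key, k, len(cards))

def demo(k=2, n=5):
    """Constructed run: the last card is lost and replaced under a k-of-n quorum."""
    key_v1 = secrets.randbits(256)
    cards_v1 = split(key_v1, k, n)
    lost = cards_v1[-1]
    key_v2, cards_v2 = replace_card(cards_v1, cards_v1[:k], k)
    return {
        "quorum_recovers_v1": recover(cards_v1[1:1 + k], k) == key_v1,
        "quorum_recovers_v2": recover(cards_v2[1:1 + k], k) == key_v2,
        # A retired share mixed with new shares does not yield the new key.
        "lost_card_is_useless": recover([lost] + cards_v2[:k - 1], k) != key_v2,
    }
```

Because every card is re-issued against the new master key version, whoever holds the lost card cannot combine its share with newer shares to reach the current key.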
To replace a smart card (Advanced security mode), follow these steps:
Step 1 Select Smartcards to display the smart card information for the cluster.
Step 2 Select the smart card that you want to replace. Click Replace to launch the smart card replacement wizard.
Step 3 Insert the new smart card. Click Next.

Chapter 6, Cisco SME Key Management. Cisco MDS 9000 Family Storage Media Encryption Configuration Guide, OL-18091-01, Cisco MDS NX-OS Release 4.x
