Moving A Cryptotarget Container; Crypto Lun Configuration - Brocade Communications Systems StoreFabric SN6500B Administrator's Manual

Brocade Fabric OS Encryption Administrator's Guide v7.1.0 (53-1002721-01, March 2013)

CAUTION
When configuring a multi-path LUN, you must remove all necessary CryptoTarget containers in
sequence before committing the transaction. Failure to do so may result in a potentially
catastrophic situation where one path ends up being exposed through the encryption switch and
another path has direct access to the device from a host outside the protected realm of the
encryption platform. Refer to the section "Configuring a multi-path Crypto LUN" on page 179 for
more information.

Moving a CryptoTarget container

You can move a CryptoTarget container from one encryption engine to another. The encryption
engines must be part of the same fabric and the same encryption group, and the encryption
engines must be online for this operation to succeed. This operation permanently transfers the
encryption engine association of a given CryptoTarget container from an existing encryption engine
to an alternate encryption engine.

NOTE
If a CryptoTarget container is moved in a configuration involving FCR, the LSAN zones and manually
created redirect zones will need to be reconfigured with new VI and VT WWNs. Refer to the section
"Deployment in Fibre Channel routed fabrics" on page 207 for instructions on configuring encryption
in an FCR deployment scenario.

1. Log in to the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg --move -container command followed by the CryptoTarget container
   name and the node WWN of the encryption engine to which you are moving the CryptoTarget
   container. Provide a slot number if the encryption engine is a blade.

   FabricAdmin:switch> cryptocfg --move -container my_disk_tgt \
   10:00:00:05:1e:53:4c:91
   Operation Succeeded

3. Commit the transaction.

   FabricAdmin:switch> cryptocfg --commit
   Operation Succeeded

Crypto LUN configuration

A Crypto LUN is the LUN of a target disk or tape storage device that is enabled for and capable of
data-at-rest encryption. Crypto LUN configuration is done on a per-LUN basis. You configure the
LUN for encryption by explicitly adding the LUN to the CryptoTarget container and turning on the
encryption property and policies on the LUN. Any LUN of a given target that is not enabled for
encryption must still be added to the CryptoTarget container with the cleartext policy option.

The general procedures described in this section apply to both disk and tape LUNs. The
specific configuration procedures differ with regard to encryption policy and parameter setting.

You configure the Crypto LUN on the group leader. You need the Admin or FabricAdmin role to
perform LUN configuration tasks.
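
The following is an added example, not part of the Brocade guide: a Python audit for the multi-path exposure described in the CAUTION and for the rule that every LUN of a target must be added to its CryptoTarget container. The inventory format, WWNs, serial numbers and container names are constructed for illustration, and the script does not talk to a switch.

```python
from collections import defaultdict

# Constructed inventory. WWNs, serials and container names are made up.
CONTAINERS = {  # container name -> target port WWN and per-LUN policy
    "disk_tgt_a": {"target": "20:00:00:00:00:00:00:01",
                   "luns": {0: "encrypt", 1: "cleartext", 2: "encrypt"}},
    "disk_tgt_b": {"target": "20:00:00:00:00:00:00:02",
                   "luns": {0: "encrypt"}},
}
PATHS = [  # (LUN serial, target port WWN, LUN number) for every path to the LUN
    ("SER-001", "20:00:00:00:00:00:00:01", 0),
    ("SER-001", "20:00:00:00:00:00:00:02", 0),
    ("SER-002", "20:00:00:00:00:00:00:01", 1),
    ("SER-002", "20:00:00:00:00:00:00:02", 1),  # never added to disk_tgt_b
    ("SER-003", "20:00:00:00:00:00:00:01", 2),
    ("SER-003", "20:00:00:00:00:00:00:03", 0),  # port has no container
]

def audit_paths(paths, containers):
    """Return {lun_serial: [issues]} for LUNs protected inconsistently."""
    by_target = {c["target"]: (name, c["luns"]) for name, c in containers.items()}
    per_lun = defaultdict(list)
    for serial, target, lun in paths:
        name, luns = by_target.get(target, (None, {}))
        per_lun[serial].append((target, lun, name, luns.get(lun)))
    findings = {}
    for serial, entries in per_lun.items():
        policies = {policy for *_, policy in entries}
        issues = []
        for target, lun, name, policy in entries:
            if name is None and "encrypt" in policies:
                issues.append(f"{target} LUN {lun}: no CryptoTarget container, "
                              "direct path to an encrypted LUN")
            elif name is not None and policy is None:
                issues.append(f"{target} LUN {lun}: not added to {name} "
                              "(needs encrypt or cleartext policy)")
        if {"encrypt", "cleartext"} <= policies:
            issues.append("encrypt on one path, cleartext on another")
        if issues:
            findings[serial] = issues
    return findings

if __name__ == "__main__":
    for serial, issues in audit_paths(PATHS, CONTAINERS).items():
        for issue in issues:
            print(f"{serial}: {issue}")
```

Grouping paths by LUN serial number rather than by target port is what lets the check see that two ports lead to the same device.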
