Brocade Communications Systems StoreFabric SN6500B Administrator's Manual page 192

Brocade Fabric OS Encryption Administrator's Guide v7.1.0 (53-1002721-01, March 2013)
Crypto LUN configuration
The tape policies specified at the LUN configuration level take effect if you do not create tape pools
or configure policies at the tape pool level. The Brocade encryption solution supports up to a 1 MB
block size for tape encryption. Also, the Logical Block Address (LBA) 0 block size (I/O size from the
host) must be at least 1 K less than the maximum supported backend block size (usually 1 MB).
This is typically the case, as label operations are small I/O operations. If this support requirement
is not met, the Brocade encryption solution will not allow the backup operation to that tape to start.
NOTE
LBA 0 is not encrypted. Data sent to this block address is always sent as clear text.
TABLE 6   LUN parameters and policies

Policy name: LUN state
  Disk LUN: Yes. Tape LUN: No. Modify? No
  Command parameters: -lunstate encrypted | cleartext
  Description: Sets the encryption state for the LUN. Valid values are:
    cleartext - Default LUN state. Refer to policy configuration
      considerations for compatibility with other policy settings.
    encrypted - Metadata on the LUN containing the key ID of the
      DEK that was used for encrypting the LUN is used to retrieve
      the DEK from the key vault. DEKs are used for encrypting and
      decrypting the LUN.

Policy name: Key ID
  Disk LUN: Yes. Tape LUN: No. Modify? No
  Command parameters: -keyID Key_ID
  Description: Specifies the key ID. Use this option only if the LUN was encrypted
    but does not include the metadata containing the key ID for the
    LUN. This is a rare case for LUNs encrypted in Native (Brocade)
    mode.

Policy name: Encryption format
  Disk LUN: Yes. Tape LUN: Yes. Modify? Yes
  Command parameters: -encryption_format native
  Description: Sets the encryption format. The LUN is encrypted or decrypted
    using the Brocade encryption format (metadata format and
    algorithm). This is the default setting.

Policy name: Encryption policy
  Disk LUN: Yes. Tape LUN: Yes. Modify? Yes
  Command parameters: -encrypt | -cleartext
  Description: Enables or disables a LUN for encryption. Valid values are:
    cleartext - Encryption is disabled. This is the default setting.
      When the LUN policy is set to cleartext, the following policy
      parameters are invalid and generate errors when executed:
      -enable_encexistingdata, -enable_rekey, and -key_lifespan.
    encrypt - The LUN is enabled to perform encryption.

Policy name: Existing data encryption
  Disk LUN: Yes. Tape LUN: No. Modify? Yes
  Command parameters: -enable_encexistingdata | -disable_encexistingdata
  Description: Specifies whether or not existing data on the LUN should be
    encrypted. By default, encryption of existing data is disabled.
    Encryption policy must be set to -enable_encexistingdata, and
    the LUN state must be set to cleartext (default). If the encryption
    policy is cleartext, the existing data on the LUN will be overwritten.

Policy name: Rekey policy
  Disk LUN: Yes. Tape LUN: No. Modify? Yes
  Command parameters: -enable_rekey time_period <days> | -disable_rekey
  Description: Enables or disables the auto rekeying feature on a specified disk
    LUN. This policy is not valid for tape LUNs. By default, the
    automatic rekey feature is disabled. Enabling automatic rekeying
    is valid only if the LUN policy is set to -encrypt. You must specify a
    time period in days when enabling Auto Rekey to indicate the
    interval at which automatic rekeying should take place.

Policy name: Key lifespan
  Disk LUN: No. Tape LUN: Yes. Modify? Disks only. Tape: No
  Command parameters: -key_lifespan time_in_days | none
  Description: Specifies the life span of the encryption key in days. The key will
    expire after the specified number of days. Accepted values are
    integers from 1 to 2982616. The default value is none, which
    means the key does not expire. On tape LUNs, the key life span
    cannot be modified after it is set.
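
The following added example (not taken from the Brocade guide) checks a proposed set of LUN options against the constraints stated in Table 6 before they are applied. The names validate_lun_policy and _is_days and the dictionary layout are assumptions made for illustration; option names, defaults, disk/tape applicability and the 1 to 2982616 range come from the table as listed on this page.

```python
# Added example, not Brocade code. validate_lun_policy() and the dict layout are
# assumptions; a -disable_* choice is expressed by omitting the enable_* key.
MAX_LIFESPAN_DAYS = 2982616  # upper bound given for -key_lifespan

# "Disk LUN" / "Tape LUN" columns of Table 6 as listed on this page.
APPLIES = {
    "lunstate": {"disk"},
    "keyID": {"disk"},
    "encryption_format": {"disk", "tape"},
    "policy": {"disk", "tape"},  # "encrypt" or "cleartext"
    "enable_encexistingdata": {"disk"},
    "enable_rekey": {"disk"},  # value = rekey interval in days
    "key_lifespan": {"tape"},  # value = days, or "none"
}


def _is_days(value, upper=None):
    """True for a whole number of days >= 1 (bool is rejected explicitly)."""
    ok = type(value) is int and value >= 1
    return ok and (upper is None or value <= upper)


def validate_lun_policy(lun_type, opts):
    """Return rule violations for the options explicitly requested (empty = OK)."""
    errors = []
    for name in opts:
        if name not in APPLIES:
            errors.append(f"-{name}: not a Table 6 option")
        elif lun_type not in APPLIES[name]:
            errors.append(f"-{name}: not valid for {lun_type} LUNs")
    policy = opts.get("policy", "cleartext")      # default policy
    lunstate = opts.get("lunstate", "cleartext")  # default LUN state
    if policy == "cleartext":
        for name in ("enable_encexistingdata", "enable_rekey", "key_lifespan"):
            if name in opts:
                errors.append(f"-{name}: invalid while the policy is -cleartext")
    if "enable_encexistingdata" in opts and lunstate != "cleartext":
        errors.append("-enable_encexistingdata: LUN state must be cleartext")
    if "enable_rekey" in opts and not _is_days(opts["enable_rekey"]):
        errors.append("-enable_rekey: a time period in days is required")
    life = opts.get("key_lifespan", "none")
    if life != "none" and not _is_days(life, MAX_LIFESPAN_DAYS):
        errors.append(f"-key_lifespan: must be none or 1..{MAX_LIFESPAN_DAYS}")
    return errors


if __name__ == "__main__":
    # Constructed request: rekey asked for while the policy is still the default.
    print(validate_lun_policy("disk", {"enable_rekey": 30}))
```

An empty list means the combination is consistent with Table 6; each string names the option that the table rules out for that LUN type or policy.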
Fabric OS Encryption Administrator's Guide (SKM/ESKM)
53-1002721-01
