Security Settings; Zeroizing An Encryption Engine - Brocade Communications Systems StoreFabric SN6500B User Manual

Security Settings

Security settings help you identify if system cards are required to initialize an encryption engine
and also determine the number of authentication cards needed for a quorum.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center
2. Select a group from the Encryption Center Devices table, then select Group > Security from the
NOTE
The Select Security Settings dialog box only sets a quorum number for authentication cards. To
register authentication cards, click Next to display the Authentication Cards dialog box.

Zeroizing an encryption engine

Zeroizing is the process of erasing all data encryption keys and other sensitive encryption
information in an encryption engine. You can zeroize an encryption engine manually to protect
encryption keys. No data is lost because the data encryption keys for the encryption targets are
stored in the key vault.
Zeroizing has the following effects:
•
•
•
•
•
•
Brocade Network Advisor SAN User Manual
53-1002696-01
dialog box (Refer to Figure 185
menu task bar.
The Select Security Settings dialog box displays. The dialog box contains the following
information:
•
Quorum Cards: Select the number of authentication cards needed for a quorum. The
quorum is always set to one card less than the number of cards registered. For example, if
you register three cards, the quorum needed for authentication is two.
•
System Cards: Determine whether or not a system card is required to initialize the
encryption engine
All copies of data encryption keys kept in the encryption switch or blade are erased.
Internal public and private key pairs that identify the encryption engine are erased and the
encryption switch or blade is in the FAULTY state.
All encryption operations on this engine are stopped and all virtual initiators (VI) and virtual
targets (VT) are removed from the fabric's name service.
The key vault link key (for NetApp LKM/SSKM key vaults) or the master key (for other key
vaults) is erased from the encryption engine.
Once enabled, the encryption engine is able to restore the necessary data encryption keys
from the key vault when the link key (for the NetApp Lifetime Key Management application) or
the master key (for other key vaults) is restored.
If the encryption engine was part of an HA cluster, targets fail over to the peer, which assumes
the encryption of all storage targets. Data flow will continue to be encrypted.
If there is no HA backup, host traffic to the target will fail as if the target has gone offline. The
host will not have unencrypted access to the target. There will be no data flow at all because
the encryption virtual targets will be offline.
on page 526).
20
Security Settings
679