Configuration Download At The Encryption Group Leader; Configuration Download At An Encryption Group Member; Steps After Configuration Download - Brocade Communications Systems Brocade 8/12c Administrator's Manual

Supporting HP Secure Key Manager (SKM) environments and HP Enterprise Secure Key Manager (ESKM) environments
Configuration upload and download considerations

Configuration download at the encryption group leader

The configuration download contains the encryption group-wide configuration information about
Crypto Targets, disk and tape LUNs, tape pools, HA clusters, security, and key vaults. The
encryption group leader first applies the encryption group-wide configuration information to the
local configuration database and then distributes the configuration to all members in the
encryption group. Any layer-2 and switch-specific configuration information is also applied locally to
the encryption group leader.

Configuration download at an encryption group member

Switch-specific configuration information pertaining to the member switch or blade is applied.
Information specific to the encryption group leader is filtered out.

Steps after configuration download

For all opaque key vaults, restore or generate and back up the master key. In a multiple-node
encryption group, the master key is propagated from the group leader node.
1. Use the following command to enable the encryption engine.
    cryptocfg --enableEE [slot num]
2. Commit the configuration.
    cryptocfg --commit
3. If there are containers that belonged to the old encryption switch or blade, then after
configdownload is run, use the following command to change the ownership of containers to
the new encryption switch or blade, assuming the host and target physical zone exists.
    cryptocfg --replace <old EE WWN> <new EE WWN>
4. Commit the configuration.
    cryptocfg --commit
5. Use the following command to check if the switch or blade has the master key.
    cryptocfg --show -groupmember <switch WWN>
6. If a master key is not present, restore the master key from a backed-up copy. Procedures will
differ depending on the backup media used (from recovery smart cards, from the key vault,
from a file on the network or a file on a USB-attached device). If a new master key needs to be
generated, generate the master key and back it up.

If authentication cards are used, set the authentication quorum size from the encryption group
leader node after importing and registering the necessary number of Authentication Card
certificates.
Fabric OS Encryption Administrator's Guide
53-1002159-03
