Zeroizing An Encryption Engine - Brocade Communications Systems Brocade BladeSystem 4/24 User Manual
Supporting dcfm 10.4.x
Hide thumbs
Also See for Brocade BladeSystem 4/24:
- User manual (830 pages) ,
- Command reference manual (894 pages) ,
- Documentation update (271 pages)
Table of Contents
Advertisement
Zeroizing an encryption engine
Zeroizing is the process of erasing all data encryption keys and other sensitive encryption
information in an encryption engine. You can zeroize an encryption engine manually to protect
encryption keys. No data is lost because the data encryption keys for the encryption targets are
stored in the key vault.
Zeroizing has the following effects:
•
•
•
•
•
•
NOTE
Zeroizing an engine affects the I/Os but all target and LUN configuration is intact. Encryption target
configuration data is not deleted.
You can zeroize an encryption engine only if it is enabled (running) or disabled, but ready to be
enabled. If the encryption engine is not in one of these states, an error message displays.
When using a NetApp LKM key vault, if all the encryption engines in a switch are zeroized, the
switch loses the link key required to communicate with the LKM vault. After the encryption engines
are rebooted and re-enabled, you must use the CLI to create new link keys for the switch.
When using an opaque key vault, if all the encryption engines in an encryption group are zeroized,
the encryption group loses the master key required to read data encryption keys from the key vault.
After the encryption engines are rebooted and re-enabled, you must restore the master key from a
backup copy, or alternatively you can also generate a new master key and back it up. Restoring the
master key from a backup copy or generating a new master key and backing it up indicates that all
previously generated DEKs will not be decryptable, unless the original master key used to encrypt
them is restored.
Use the Restore Master key wizard from the Encryption Group Properties dialog box to restore the
master key from a backup copy.
1. Select Configure > Encryption from the menu bar.
2. Select the encryption engine.
3. Right-click, or select Engine from the menu bar, and select Zeroize.
DCFM Enterprise User Manual
53-1001775-01
All copies of data encryption keys kept in the encryption switch or encryption blade are erased.
Internal public and private key pairs that identify the encryption engine are erased and the
encryption switch or the encryption blade is in the FAULTY state.
All encryption operations on this engine are stopped and all virtual initiators (VI) and virtual
targets (VT) are removed from the fabric's name service.
The key vault link key (for NetApp LKM key vaults) or the master key (for other key vaults) is
erased from the encryption engine.
Once enabled, the encryption engine is able to restore the necessary data encryption keys
from the key vault when the link key (for the NetApp Lifetime Key Management application) or
the master key (for other key vaults) are restored.
If the encryption engine was part of an HA cluster, targets fail over to the peer which assumes
the encryption of all storage targets. Data flow will continue to be encrypted.
If there is no HA backup, host traffic to the target will fail as if the target has gone offline. The
host will not have unencrypted access to the target. There will be no data flow at all because
the encryption virtual targets will be offline.
The Encryption Center dialog box displays.
Zeroizing an encryption engine
20
569
Advertisement
Chapters
Table of Contents
Troubleshooting
