Planning For Encryption; Switch Chassis - IBM System Storage SAN32B-E4 Installation, Service And User Manual


Figure 6. Switch chassis

Planning for encryption

Attention: Setup of this switch for encryption requires the use of this document
for the physical installation of the switch. Critical information required for enabling
and managing encryption is contained in the Fabric OS Encryption Administrator's
Guide Supporting Tivoli Key Lifecycle Manager (TKLM) Environments, which is
included on the documentation CD-ROM that is shipped with the product. You
must use both documents in order to successfully set up the switch for encryption.
Careful attention to the details of setup and configuration is essential to enabling
secure encryption functionality. The following guidelines should be followed when
planning for encryption with the SAN32B-E4 switch or the 16-port encryption
blade (FS8-18), which is available for the SAN768B and SAN384B products.
• Redundancy of hardware is essential because if the encryption path is disrupted,
  access to the encrypted data will be lost with a single encryption device. You
  must have two encryption devices to ensure backup and access in the event that
  one of the devices goes down. If one of the devices in the encryption pair is not
  functioning, you will only have read access to the encrypted data on the
  functioning device until the non-functioning device is restored. Redundancy of
  hardware for encryption can be accomplished with the following:
  – Two Key Vault locations on different devices
  – Two encryption devices in any combination of encryption switches
    (SAN32B-E4) and FS8-18 encryption blades (in SAN768B or SAN384B chassis)
• Cable planning for the encryption switch and its back-up and for a primary and
  secondary key vault manager is critical. These devices can be separated by
  distance as long as they can maintain constant communication contact. One
  device must back up the other to ensure access to encrypted data. Refer to the
  Fabric OS Encryption Administrator's Guide Supporting Tivoli Key Lifecycle Manager
  (TKLM) Environments for more information on Master Keys (MK).
• Begin with a limited application of encryption in a test environment and once an
  expanded encryption test is successful, move the encryption into production
• Avoid dual encryption (Fabric encryption and device encryption). While this
  should not cause any encryption errors, it will degrade performance.
