Data Center Fabric Manager Enterprise User Manual v10.3.X (53-1001357-01, November 2009)

9. Select target port B, click LUNs, then click Add. Select the LUNs to be encrypted and the
encryption policies for the LUNs, making sure that the encryption policies match the policies
specified in the other path.
10. Click Commit to make the LUN configuration changes effective in both paths simultaneously.
The Management application does not automatically commit LUN configuration changes. This
allows matching changes made in a multi-path environment to be committed together, preventing
cases where one path may be encrypting and another path is not encrypting, resulting in corrupted
data. You must remember to click the Commit button after any LUN configuration changes, even in
non-multi-path environments. The Encryption Targets dialog box displays a reminder if you attempt
to close the dialog box without committing LUN configuration changes.
NOTE
There is a limit of 25 uncommitted LUN configuration changes. When adding more than 12 LUNs in
a multi-path environment, repeat step 8 through step 10 above, adding only 12 LUNs to each
target container at a time. Each commit operation then commits 24 LUNs, 12 in each path.
Master keys
When an opaque key vault is used, a master key is used to encrypt the data encryption keys. The
master key status indicates whether a master key is used and whether it has been backed up.
Encryption is not allowed until the master key has been backed up.
Only the active master key can be backed up, and multiple backups are recommended. You can
back up or restore the master key to the key vault, to a file, or to a recovery card set. A recovery
card set is a set of smart cards. Each recovery card holds a portion of the master key. The cards must
be gathered and read together from a card reader attached to a PC running the Brocade SAN
Management Application to restore the master key.
NOTE
It is very important to back up the master key because if the master key is lost, none of the data
encryption keys can be restored and none of the encrypted data can be decrypted.
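The following Python sketch is an added illustration, not Brocade's recovery card format or algorithm: it shows the all-cards-required property described above by splitting a master key across N recovery cards with XOR secret splitting, and pairs the backup with a key check value so a restore can verify that the reassembled key is the right one before it is trusted to unwrap DEKs. All function names and the check-value label are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

def split_master_key(master_key: bytes, cards: int) -> list:
    """Split master_key into `cards` shares (XOR secret splitting).
    Every share is required to rebuild the key; any proper subset is
    indistinguishable from random bytes, so a single lost card is safe
    but a single missing card makes the key unrecoverable."""
    if cards < 2:
        raise ValueError("a recovery card set needs at least two cards")
    shares = [secrets.token_bytes(len(master_key)) for _ in range(cards - 1)]
    last = bytes(master_key)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)          # the final card closes the XOR chain
    return shares

def recover_master_key(shares: list) -> bytes:
    """XOR all gathered cards back together (the reverse of the split)."""
    acc = bytes(len(shares[0]))
    for share in shares:
        acc = bytes(a ^ b for a, b in zip(acc, share))
    return acc

def key_check_value(master_key: bytes) -> bytes:
    """Short HMAC-based check value stored alongside the backup.
    It lets a restore detect a wrong or incomplete card set without
    revealing the key itself (label is a constructed example value)."""
    return hmac.new(master_key, b"example-master-key-kcv", hashlib.sha256).digest()[:8]

def restore_from_cards(shares: list, expected_kcv: bytes):
    """Rebuild the key from the gathered cards and verify it against the
    stored check value. Returns the key, or None if the set is incomplete
    or contains a card from a different backup."""
    candidate = recover_master_key(shares)
    if hmac.compare_digest(key_check_value(candidate), expected_kcv):
        return candidate
    return None

if __name__ == "__main__":
    mk = secrets.token_bytes(32)                   # constructed 256-bit master key
    cards = split_master_key(mk, 3)
    kcv = key_check_value(mk)
    print("all three cards:", restore_from_cards(cards, kcv) == mk)       # True
    print("only two cards: ", restore_from_cards(cards[:2], kcv))         # None
```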
Active master key
The active master key is used to encrypt newly created data encryption keys (DEKs) prior to
sending them to a key vault to be stored. You can restore the active master key under the following
conditions:
• The active master key has been lost, which happens if all encryption engines in the group have
been zeroized or replaced with new hardware at the same time.
• You want multiple encryption groups to share the same active master key. Groups should share
the same master key if the groups share the same key vault and tapes (or disks) are going to
be regularly exchanged between the groups.