Brocade Network Advisor SAN User Manual v11.1x (53-1002167-01, May 2011)

Creating a new encryption group
Understanding configuration status results
After configuration of the encryption group is completed, the Management application sends API
commands to verify the switch configuration. The CLI commands are detailed in the encryption
administrator’s guide for your key vault management system.
• Initialize the switch. If the switch is not already in the initialized state, the Management application performs the cryptocfg --initnode command.
• Create an encryption group on the switch. The Management application creates a new group using the cryptocfg --create -encgroup command, and sets the key vault type using the cryptocfg --set -keyvault command.
• Register the key vault. The Management application registers the key vault using the cryptocfg --reg -keyvault command.
• Enable the encryption engines. The Management application initializes an encryption switch using the cryptocfg --initEE [<slotnumber>] and cryptocfg --regEE [<slotnumber>] commands.
• Create a new master key. (Opaque key vaults only). The Management application checks for a new master key. New master keys are generated from the Security tab located in the Encryption Group Properties dialog box. See “Creating a new master key” on page 548 for more information.
• Save the switch’s public key certificate to a file. The Management application saves the KAC certificate into the specified file.
• Back up the master key to a file. (Opaque key vaults only). The Management application saves the master key into the specified file.
NOTE
A master key is not generated if the key vault type is LKM. LKM manages DEK exchanges
through a trusted link, and the LKM appliance uses its own master key to encrypt DEKs.