Fabric OS Encryption Administrator's Guide

53-1002159-03
Crypto LUN configuration
Number of host(s): 1
Configuration status: committed
Host: 10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a
VI: 20:02:00:05:1e:41:4e:1d 20:03:00:05:1e:41:4e:1d
LUN number: 0x0
LUN type: disk
LUN status: 0
Encryption mode: encrypt
Encryption format: native
Encrypt existing data: enabled
Rekey: disabled
Key ID: not available
Operation Succeeded
Crypto LUN parameters and policies
Table 6 shows the encryption parameters and policies that can be specified for a disk or tape LUN
during LUN configuration (with the cryptocfg --add -LUN command). Some policies are applicable
only to disk LUNs, and some policies are applicable only to tape LUNs. It is recommended that you
plan to configure all the LUN state and encryption policies with the cryptocfg --add -LUN
command. You can use the cryptocfg --modify -LUN command to change some of the settings, but
not all options are modifiable.
NOTE
LUN policies are configured at the LUN-level but apply to the entire HA or DEK cluster. For multi-path
LUNs exposed through multiple target ports and thus configured on multiple Crypto Target
containers on different encryption engines in an HA cluster or DEK cluster, the same LUN policies
must be configured. Failure to do so results in unexpected behavior and may lead to data corruption.
The tape policies specified at the LUN configuration level take effect if you do not create tape pools
or configure policies at the tape pool level. The Brocade encryption solution supports up to a 1 MB
block size for tape encryption. Also, the LBA 0 block size (I/O size from the host) must be at least
1 K less than the maximum supported backend block size (usually 1 MB). This is typically the case,
as label operations are small I/O operations. If this support requirement is not met, the Brocade
encryption solution will not allow the backup operation to start to that tape.
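The multi-path requirement in the note above can be checked offline by comparing the LUN listing captured from each Crypto Target container that exposes the same LUN. The following is an added example, not part of the original guide or of Fabric OS; the container labels, the sample captures, and the choice of which listing fields count as policy are assumptions.

```python
# Fields compared as LUN policy (assumed selection, using the field names
# from the listing format shown earlier on this page).
POLICY_FIELDS = ("LUN type", "Encryption mode", "Encryption format",
                 "Encrypt existing data", "Rekey")


def parse_listing(text):
    """Turn the 'Name: value' lines of one LUN listing into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # lines with no colon, e.g. 'Operation Succeeded', are skipped
            fields[name.strip()] = value.strip().lower()
    return fields


def policy_mismatches(captures):
    """captures: {container label: listing text}, all for the same LUN.

    Returns {field: {label: value}} for each policy field that differs
    between captures. A field missing from a capture is reported as None,
    so a truncated capture is never read as a match.
    """
    parsed = {label: parse_listing(text) for label, text in captures.items()}
    mismatches = {}
    for field in POLICY_FIELDS:
        values = {label: p.get(field) for label, p in parsed.items()}
        seen = set(values.values())
        if len(seen) > 1 or None in seen:
            mismatches[field] = values
    return mismatches


# Constructed sample captures; the container labels are hypothetical.
PATH_A = """\
LUN number: 0x0
LUN type: disk
Encryption mode: encrypt
Encryption format: native
Encrypt existing data: enabled
Rekey: disabled
Operation Succeeded
"""
PATH_B = PATH_A.replace("Encrypt existing data: enabled",
                        "Encrypt existing data: disabled")

if __name__ == "__main__":
    for field, values in policy_mismatches({"ctc_a": PATH_A, "ctc_b": PATH_B}).items():
        print(f"MISMATCH {field}: {values}")
```

Any reported field should be brought into agreement on every path before hosts are given access to the LUN.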
TABLE 6 LUN parameters and policies

Policy name: LUN state
  Disk LUN: yes
  Tape LUN: No
  Modify? No
Command parameters: -lunstate encrypted | cleartext
Description: Sets the Encryption state for the LUN. Valid values are:
  cleartext - Default LUN state. Refer to policy configuration
  considerations for compatibility with other policy settings.
  encrypted - Metadata on the LUN containing the key ID of the
  DEK that was used for encrypting the LUN is used to retrieve
  the DEK from the key vault. DEKs are used for encrypting and
  decrypting the LUN.

Policy name: Key ID
  Disk LUN: yes
  Tape LUN: No
  Modify? No
Command parameters: -keyID Key_ID
Description: Specifies the key ID. Use this option only if the LUN was encrypted
  but does not include the metadata containing the key ID for the
  LUN. This is a rare case for LUNs encrypted in Native (Brocade)
  mode.