Fabric OS Encryption Administrator's Guide

53-1002159-03
Force-enabling a disabled disk LUN for encryption
You can force a disk LUN to become enabled for encryption when encryption is disabled on the
LUN. A LUN may become disabled for various reasons, such as a change in policy from encrypt to
cleartext when encrypted data (and metadata) exist on the LUN, a conflict between LUN policy and
LUN state, or a missing DEK in the key vault. Force-enabling a LUN while metadata exists on the LUN
may result in a loss of data and should be done with caution. Refer to Chapter 6, “LUN policy
troubleshooting” on page 234 for a description of conditions under which a LUN may be disabled,
and for recommendations on re-enabling the LUN while minimizing the risk of data loss.
This procedure must be performed on the local switch that is hosting the LUN. No commit is
required to force-enable after executing this command.
1. Log in to the switch that hosts the LUN as Admin or FabricAdmin.
2. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name,
the LUN Number, and the initiator PWWN.
FabricAdmin:switch>cryptocfg --enable -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a
Operation Succeeded
Tape pool configuration
Tape pools are used by tape backup application programs to group all configured tape volumes into
a single backup to facilitate their management within a centralized backup plan. A tape pool is
identified by either a name or a number, depending on the backup application. Tape pools have the
following properties:
• They are configured and managed per encryption group at the group leader level.
• All encryption engines in the encryption group share the same tape pool policy definitions.
• Tape pool definitions are only used when writing tapes. The tape contains enough information
  (encryption method and key ID) to enable any encryption engine to read the tape.
• Tape pool names and numbers must be unique within the encryption group.
• If a given tape volume belongs to a tape pool, tape pool-level policies (defaults or configured
  values) are applied and override any LUN-level policies.
• Tape drive (LUN) policies are used if no tape pools are created or if a given tape volume does
  not belong to any configured tape pools.
NOTE
Tape pool configurations must be committed to take effect. Expect a five-second delay before the
commit operation takes effect. There is an upper limit of 25 on the number of tape pools you can
add or modify in a single commit operation. Attempts to commit a configuration that exceeds this
maximum fail with a warning.
Tape pool labeling
Tape pools may be identified by either a name or a number depending on your backup application.
Numbers are always entered and displayed in hex notation. Names and numbers are independent;
it is possible to have one tape pool with the name ABC and another with the hex number ABC.
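
The uniqueness rule, the 25-pool commit limit, and the independence of names and hex numbers described above can be checked before any change is entered on the group leader. The following is an added example, not part of the guide or of Fabric OS; the "name"/"num" field names and the function names are hypothetical, and it assumes names are compared as exact, case-sensitive strings.

```python
from collections import Counter

MAX_POOLS_PER_COMMIT = 25  # limit stated in the NOTE above


def pool_key(kind, value):
    """Return a comparable identity for a tape pool label.

    kind is "name" or "num" (hypothetical field names for this example).
    Numbers are hex, so "abc", "ABC" and "0xABC" are the same pool number.
    Names are compared as exact strings (assumption: case-sensitive).
    """
    if kind == "num":
        return ("num", int(value, 16))
    if kind == "name":
        return ("name", value)
    raise ValueError(f"unknown label kind: {kind!r}")


def find_duplicates(existing, planned):
    """Return identities that would not be unique within the encryption group."""
    counts = Counter(pool_key(k, v) for k, v in list(existing) + list(planned))
    return sorted((key for key, n in counts.items() if n > 1), key=repr)


def commit_batches(planned, limit=MAX_POOLS_PER_COMMIT):
    """Split planned changes into groups small enough for one commit each."""
    planned = list(planned)
    return [planned[i:i + limit] for i in range(0, len(planned), limit)]


if __name__ == "__main__":
    # Constructed sample data, not taken from a real switch.
    existing = [("name", "ABC"), ("num", "1f")]
    planned = [("num", "ABC"), ("num", "0x1F"), ("name", "weekly")]
    planned += [("num", format(n, "x")) for n in range(0x100, 0x100 + 30)]
    # Name ABC and number ABC coexist; number 1f and 0x1F collide.
    print("conflicts:", find_duplicates(existing, planned))
    print("commit sizes:", [len(b) for b in commit_batches(planned)])
```

Resolve every reported conflict first, then enter and commit each batch separately so that no single commit exceeds the limit.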