Fabric OS Encryption Administrator's Guide

53-1002159-03
Impact of tape pool configuration changes
Tape pool-level policies overrule policy configurations at the LUN level, when no policies are
configured at the tape pool level. The following restrictions apply when modifying tape pool-level
configuration parameters:
- If you change the tape pool policy from encrypt to cleartext or from cleartext to encrypt while
  data is written to or read from a tape backup device, the policy change is not enforced until the
  current process completes and the tape is unmounted, rewound, or overwritten. This
  mechanism prevents the mixing of cleartext data with cipher-text data on the tape.
- You cannot modify the tape pool label or the key lifespan value. If you wish to modify these
  tape pool attributes, delete the tape pool and create a new tape pool with a different label and
  key lifespan.
Configuring a multi-path Crypto LUN
A single LUN may be accessed over multiple paths. A multi-path LUN is exposed and configured on
multiple CryptoTarget Containers located on the same encryption switch or blade or on different
encryption switches or blades.
CAUTION
When configuring a LUN with multiple paths, there is a considerable risk of ending up with
potentially catastrophic scenarios where different policies exist for each path of the LUN, or a
situation where one path ends up being exposed through the encryption switch and another path
has direct access to the device from a host outside the secured realm of the encryption platform.
Failure to follow proper configuration procedures for multi-path LUNs results in data corruption.
To avoid the risk of data corruption, you must observe the following rules when configuring
multi-path LUNs:
- During the initiator-target zoning phase, complete in sequence all zoning for ALL hosts that
  should gain access to the targets before committing the zoning configuration.
- Complete the CryptoTarget container configuration for ALL target ports in sequence and add
  the hosts that should gain access to these ports before committing the container
  configuration. Upon commit, the hosts lose access to all LUNs until the LUNs are explicitly
  added to the Crypto Target containers.
- When configuring the LUNs, the same LUN policies must be configured for ALL paths of ALL
  LUNs. Failure to configure all LUN paths with the same LUN policies results in data corruption.
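The following pre-commit check is an added example, not part of this guide or of Fabric OS. It audits a path inventory for the two failure modes named in the caution: paths of one LUN carrying different policies, and a path that reaches the LUN outside any CryptoTarget container. The record layout, field names, and sample values are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample inventory, one record per host-to-LUN path. Field names
# and values are hypothetical; this is not Fabric OS command output.
SAMPLE_PATHS = [
    {"lun": "lun-0001", "host": "host_p1", "container": "ctc_target_p1",
     "policy": {"mode": "encrypt", "key_lifespan": "none"}},
    {"lun": "lun-0001", "host": "host_p2", "container": "ctc_target_p2",
     "policy": {"mode": "cleartext", "key_lifespan": "none"}},
    {"lun": "lun-0002", "host": "host_p1", "container": "ctc_target_p1",
     "policy": {"mode": "encrypt", "key_lifespan": "none"}},
    # Zoned straight to the target port, not added to any container.
    {"lun": "lun-0002", "host": "host_p2", "container": None, "policy": None},
    {"lun": "lun-0003", "host": "host_p1", "container": "ctc_target_p1",
     "policy": {"mode": "encrypt", "key_lifespan": "none"}},
    {"lun": "lun-0003", "host": "host_p2", "container": "ctc_target_p2",
     "policy": {"mode": "encrypt", "key_lifespan": "none"}},
]


def audit_multipath(paths):
    """Return {lun: [findings]} for LUNs whose paths break the rules above."""
    by_lun = defaultdict(list)
    for path in paths:
        by_lun[path["lun"]].append(path)

    findings = {}
    for lun, lun_paths in sorted(by_lun.items()):
        crypto = [p for p in lun_paths if p["container"] is not None]
        direct = [p for p in lun_paths if p["container"] is None]
        problems = []
        # A path outside the encryption platform next to an encrypted path.
        if crypto:
            problems += [f"host {p['host']} reaches the LUN outside any "
                         "CryptoTarget container" for p in direct]
        # Every path through a container must carry the same policy set.
        if len({tuple(sorted(p["policy"].items())) for p in crypto}) > 1:
            detail = ", ".join(f"{p['container']}={p['policy']['mode']}"
                               for p in crypto)
            problems.append(f"policies differ across paths: {detail}")
        if problems:
            findings[lun] = problems
    return findings


if __name__ == "__main__":
    for lun, problems in audit_multipath(SAMPLE_PATHS).items():
        for message in problems:
            print(f"{lun}: {message}")
```

An empty result means every multi-path LUN in the inventory has matching policies on all container paths and no path that bypasses the containers.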
Multi-path LUN configuration example
Figure 95 on page 167 shows a single LUN on a dual-port target that is accessed over two paths by
a dual-port host. The two encryption switches form an encryption group and an HA cluster. The
following example illustrates a simplified version of a multi-path LUN configuration.