Fabric OS Encryption Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP ISL Trunking Kit

181

182

183

184

185

186

187

188

189

190

170 Fabric OS Encryption Administrator’s Guide

53-1002159-03

Data re-keying

Resource allocation

System resources for first time encryption sessions are shared with re-key sessions. There is an

upper limit of 10 sessions with two concurrent sessions per target. Refer to the re-key “Resource

allocation” on page 170 section for details.

First time encryption modes

First-time encryption can be performed under the following conditions:

• Offline encryption - The hosts accessing the LUN are offline or host I/O is halted while

encryption is in process.

• Online encryption - The hosts accessing the LUN are online and host I/O is active during the

encryption operation.

Configuring a LUN for first time encryption

First time encryption options are configured at the LUN level either during LUN configuration with

the cryptocfg

--add -LUN command, or at a later time with the cryptocfg --modify -LUN

command.

1. Set the LUN policy to encrypt to enable encryption on the LUN. All other options related to

encryption are enabled. A DEK is generated and associated with the LUN.

2. Enable first time encryption by setting the -enable_encexistingdata parameter. The existing

data on the disk is encrypted using the configured DEK.

3. Optionally set the auto re-keying feature with the cryptocfg --enable_rekey command and

specify the interval at which the key expires and automatic re-keying should take place (time

period in days) Enabling automatic re-keying is valid only if the LUN policy is set to encrypt and

the encryption format is Brocade native. Refer to the section “Crypto LUN parameters and

policies” on page 156 for more information.

The following example configures a LUN for first time encryption with re-keying scheduled at a

6-month interval. You must commit the operation to take effect.

FabricAdmin:switch>cryptocfg --add -LUN my_disk_tgt 0x0 \

10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a -encrypt \

-enable_encexistingdata -enable_rekey 180

Operation Succeeded

Data re-keying

In a re-keying operation, encrypted data on a LUN is decrypted with the current key, re-encrypted

with a new key and written back to the same LUN at the same logical block address (LBA) location.

This process effectively re-encrypts the LUN and is referred to as “in-place re-keying.”

It is recommended that you limit the practice of re-keying to the following situations:

• Key compromise as a result of a security breach.

• As a general security policy to be implemented as infrequently as every six months or once per

year.