Fabric OS Encryption Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP ISL Trunking Kit

191

192

193

194

195

196

197

198

199

200

Fabric OS Encryption Administrator’s Guide 171

53-1002159-03

Data re-keying

Re-keying is only applicable to disk array LUNs or fixed block devices. There is no re-keying support

for tape media. If there is a need to re-encrypt encrypted tape contents with a new key, the process

is equivalent to restoring the data from tape backup. You decrypt the data with the old DEK and

subsequently back up the tape contents to tape storage, which will have the effect of encrypting

the data with the new DEK.

Resource Allocation

A maximum of ten concurrent rekey sessions are supported per Encryption Group, with a maximum

of ten concurrent re-key/encryption sessions per target container and 10 concurrent sessions per

physical initiator. If your configuration has two containers that are accessed by the same physical

initiator, you cannot have more than ten concurrent re-key or encryption sessions. This includes

both re-key (auto and manual) and first time encryption sessions.

When scheduled re-key or first time encryption sessions exceed the maximum allowable limit,

these sessions will be pending and a Temporarily out of resources message is logged. Whenever

an active re-key of first time encryption session completes, the next pending session is scheduled.

The system checks once every 15 minutes to determine if there are any re-key or first time

encryption sessions pending. If resources are available, the next session in the queue is processed.

There may be up to an hour lag before the next session in the queue is processed. It is therefore

recommended that you do not schedule more than ten re-key or first time encryption sessions.

Re-keying modes

Re-keying operations can be performed under the following conditions:

• Offline re-keying - The hosts accessing the LUN are offline, or host I/O is halted.

• Online re-keying - The hosts accessing the LUN are online, and host I/O is active.

Configuring a LUN for automatic re-keying

Re-keying options are configured at the LUN level either during LUN configuration with the cryptocfg

add -LUN command, or at a later time with the cryptocfg --modify -LUN command.

For re-keying of a disk array LUN, the Crypto LUN is configured in the following way:

• Set LUN policy as either cleartext or encrypt.

• If cleartext is enabled (default), all encryption-related options are disabled and no DEK is

associated with the LUN. No encryption is performed on the LUN.

• If the LUN policy is set to encrypt, encryption is enabled on the LUN and all other options

related to encryption are enabled. A DEK is generated and associated with the LUN.

• Set the auto re-keying feature with the cryptocfg --enable_rekey command and specify the

interval at which the key expires and automatic re-keying should occur (time period in days)

Enabling automatic re-keying is valid only if the LUN policy is set to encrypt and the encryption

format is Brocade native. Refer to the section “Crypto LUN parameters and policies” on

page 156 for more information.