Fabric OS Encryption Administrator's Guide
Fabric OS Encryption Administrator’s Guide 193
53-1002159-03
Configuration upload and download considerations
5
Configuration upload at an encryption group member node
A configuration upload at an individual encryption group member node contains the following:
• The local switch configuration.
• Encryption group-related configuration.
• Encryption group-wide configuration of Crypto Targets, disk and tape LUNs, tape pools, HA
clusters, security, and key vaults.
Information not included in an upload
The following certificates will be not be present when the configuration is downloaded:
• External certificates imported on the switch:
- key vault certificate
- peer node/switch certificate
- authentication card certificate
• Certificates generated internally:
- KAC certificate
- CP certificate
- FIPS officer and user certificates
The Authentication Quorum size is included in the configuration upload for read-only purposes, but
is not set by a configuration download.
Steps before configuration download
The configuration download does not have any certificates, public or private keys, master key, or
link keys included. Perform following steps prior to configuration download to generate and obtain
the necessary certificates and keys:
1. Use the following commands to initialize the encryption engine
cryptocfg --InitNode
cryptocfg --initEE
cryptocfg --regEE
Initializing the switch generates the following internal certificates:
- KAC certificate
- CP certificate
- FIPS officer and user certificates
2. Import peer nodes/switches certificates onto the switch prior to configuration download.
3. Import key vault certificates onto switch prior to configuration download.
4. Create an encryption group with same name as in configuration upload information for the
encryption group leader node.
5. Import Authentication Card Certificates onto the switch prior to configuration download.