Fabric OS Encryption Administrator's Guide
Fabric OS Encryption Administrator’s Guide 7
53-1002159-03
Brocade encryption solution overview
1
Brocade encryption solution overview
The loss of stored private data, trade secrets, intellectual properties, and other sensitive
information through theft or accidental loss of disk or tape media can have widespread negative
consequences for governments, businesses, and individuals. This threat is countered by an
increasing demand from governments and businesses for solutions that create and enforce
policies and procedures that protect stored data. Encryption is a powerful tool for data protection.
Brocade provides an encryption solution that resides in a Storage Area Network (SAN) fabric. This
location, between computers and storage, is ideal for implementing a solution that works
transparently with heterogeneous servers, disk storage subsystems, and tape libraries. Data
entering the SAN from a server is encrypted before it is written to storage. When stored data is
encrypted, theft or loss of storage media does not pose a security threat.
Figure 2 provides a high-level view of the Brocade encryption solution. Cleartext is sent from the
server to the encryption engine, where it is encrypted into ciphertext using one of two encryption
algorithms: one for disk storage targets, and one for tape storage targets. The encrypted data
cannot be read without first being decrypted. The key management system is required for
management of the data encryption keys (DEKs) that are generated by the encryption engine, and
used for encrypting and decrypting the data. The key management system is provided by a
third-party vendor.
FIGURE 2 Encryption overview
Host
Encryption Switch
Cleartext
DEKs
Ciphertext
based on
AES256-GCM
Ciphertext
based on
AES256-XTS
Disk Storage
Tape Storage
Key Management
System
Ciphertext
Cleartext