Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)

Data re-keying
Configuring a LUN for automatic re-keying
Re-keying options are configured at the LUN level either during LUN configuration with the cryptocfg --add -LUN command, or at a later time with the cryptocfg --modify -LUN command.
For re-keying of a disk array LUN, the Crypto LUN is configured in the following way:
• Set LUN policy as either cleartext or encrypt.
  If cleartext is enabled (default), all encryption-related options are disabled and no DEK is associated with the LUN. No encryption is performed on the LUN.
  If the LUN policy is set to encrypt, encryption is enabled on the LUN and all other options related to encryption are enabled. A DEK is generated and associated with the LUN.
• Set the auto re-keying feature with the cryptocfg --enable_rekey command and specify the interval at which the key expires and automatic re-keying should take place (time period in days). Enabling automatic re-keying is valid only if the LUN policy is set to encrypt and the encryption format is Brocade native. Refer to the section “Crypto LUN parameters and policies” on page 129 for more information.
When using Brocade native mode in LKM installations, manual rekey is highly recommended. If auto rekey is desired, the key expiry date should be configured only when the LUN is created. Never modify the expiry date after configuring a LUN. If you modify the expiry time after configuring the LUN, the expiration date will not update properly.
NOTE
For a scheduled re-keying session to proceed, all encryption engines in a given HA cluster, DEK cluster, or encryption group must be online, and IO sync links must be configured. Refer to the section “Management LAN configuration” on page 97 for more information.
1. Log into the group leader as FabricAdmin.
2. Enable automatic re-keying by setting the -enable_rekey parameter followed by a time period (in days). The following example enables the automatic re-keying feature on an existing LUN with a 90-day re-keying interval. The data will automatically be re-encrypted every 90 days.
FabricAdmin:switch>cryptocfg --modify -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a -enable_rekey 90
Operation Succeeded
3. Commit the configuration.
FabricAdmin:switch>cryptocfg --commit
Operation Succeeded
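The preconditions spread across this section (policy must be encrypt, format must be Brocade native, every encryption engine online, IO sync links configured, and the LKM caveats on expiry dates) are easy to miss before typing the command, so the following pre-flight check is added here as an example. It is not code from the guide or from Brocade; LunConfig, ClusterState, rekey_preflight, build_command and next_rekey_date are hypothetical helper names, and the --add form of the command is assumed to accept the same -enable_rekey parameter as the --modify form shown above.

```python
"""Pre-flight check before enabling automatic re-keying on a Crypto LUN.

Added example, not code from the Fabric OS guide or from Brocade. It
encodes the preconditions the guide states so that a LUN whose scheduled
re-key would silently never run is caught before cryptocfg is issued.
All class and function names here are hypothetical helpers.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class LunConfig:
    container: str                      # crypto target container, e.g. my_disk_tgt
    lun_number: str                     # LUN number as typed on the CLI, e.g. 0x0
    initiator_pwwn: str                 # initiator port WWN
    policy: str = "cleartext"           # "cleartext" (default) or "encrypt"
    encryption_format: str = "native"   # "native" (Brocade native) or another format
    rekey_days: int = 0                 # key expiry interval in days; 0 = no auto re-key
    existing_lun: bool = False          # True when set with --modify rather than --add
    key_vault: str = ""                 # key manager in use, e.g. "LKM"


@dataclass
class ClusterState:
    engines_online: List[bool] = field(default_factory=list)  # one flag per engine
    io_sync_links_configured: bool = False


def rekey_preflight(lun: LunConfig, cluster: ClusterState) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors mean auto re-keying is invalid or a
    scheduled session will not proceed; warnings are the guide's recommendations."""
    errors: List[str] = []
    warnings: List[str] = []
    if lun.rekey_days <= 0:
        errors.append("re-key interval must be a positive number of days")
    # Auto re-keying is valid only with policy=encrypt and the Brocade native format.
    if lun.policy != "encrypt":
        errors.append("LUN policy is cleartext: no DEK exists and re-keying is disabled")
    if lun.encryption_format != "native":
        errors.append("encryption format is not Brocade native: auto re-keying is invalid")
    # LKM with native format: manual re-key recommended; expiry only at LUN creation.
    if lun.key_vault.upper() == "LKM" and lun.encryption_format == "native":
        if lun.existing_lun:
            errors.append("LKM/native: changing the expiry on an existing LUN does not "
                          "update properly; set it only when the LUN is created")
        else:
            warnings.append("LKM/native: manual re-key is recommended over auto re-key")
    # A scheduled session needs every engine online and IO sync links configured.
    if not cluster.engines_online or not all(cluster.engines_online):
        errors.append("not all encryption engines in the HA/DEK cluster or group are online")
    if not cluster.io_sync_links_configured:
        errors.append("IO sync links are not configured")
    return errors, warnings


def next_rekey_date(key_set_on_iso: str, rekey_days: int) -> str:
    """ISO date on which the current DEK expires and re-encryption starts."""
    key_set_on = date.fromisoformat(key_set_on_iso)
    return (key_set_on + timedelta(days=rekey_days)).isoformat()


def build_command(lun: LunConfig) -> str:
    """Render the cryptocfg line. The --modify form is the guide's own example;
    the --add form is assumed to take the same -enable_rekey parameter."""
    verb = "--modify" if lun.existing_lun else "--add"
    return (f"cryptocfg {verb} -LUN {lun.container} {lun.lun_number} "
            f"{lun.initiator_pwwn} -enable_rekey {lun.rekey_days}")


if __name__ == "__main__":
    # Constructed sample: the guide's LUN with a 90-day interval in a two-engine cluster.
    lun = LunConfig("my_disk_tgt", "0x0", "10:00:00:00:c9:2b:c9:3a",
                    policy="encrypt", rekey_days=90, existing_lun=True, key_vault="RKM")
    cluster = ClusterState(engines_online=[True, True], io_sync_links_configured=True)
    errs, warns = rekey_preflight(lun, cluster)
    print("errors:", errs, "warnings:", warns)
    print(build_command(lun))
    print("next re-key on", next_rekey_date("2010-06-01", 90))
```

Run the check with the real engine and IO-sync state of the HA cluster before step 2; an empty error list is the condition under which the scheduled session described in the NOTE above can actually run, and the rendered line matches the command in the procedure.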