Nonstop Volume Level Encryption Guide

KeyName.......... N5000C50005B0551F_1_20090827093551
N5000C50005B0551F_2_20090827093551
KeyAlgorithm..... XTS-AES
KeySize.......... 256
ChangeStatus..... In progress at %H005BEF00 of %H11176B27 (2%)
EncryptRate...... 50
EncryptPriority.. 4
Backup path
KeyName.......... N5000C50005B0551F_1_20090827093551
N5000C50005B0551F_2_20090827093551
KeyAlgorithm..... XTS-AES
KeySize.......... 256
ChangeStatus..... In progress on other CLIM
Mirror path
Not Encrypted
ChangeStatus..... No change in progress
Mirror backup path
Not Encrypted
ChangeStatus..... No change in progress
The other path to the same physical disk is in the STOPPED state during encryption:
92-> STATUS DISK $SAS112
STORAGE - Status DISK \BLDQA2.$SAS112
LDev  Primary   Backup   Mirror    MirrorBackup  Primary  Backup
                                                 PID      PID
438   *STARTED  STOPPED  *STARTED  STARTED       2,403    3,544
The other path is updated automatically after the key rotation completes. If you try to start the
path before the encryption finishes you will get an error. After the key rotation on the primary
disk completes, proceed to the next step.
5. Use the SCF STATUS DISK, ENCRYPTION command to check the encryption state of the
primary and mirror disks.
6. Use the SCF STATUS DISK command to verify that all paths are in the STARTED state:
7. Use the ALTER DISK command to start a key rotation on the mirror disk:
ALTER disk-name-P | -B | -M | -MB, NEWENCRYPTKEY, KEYALGORITHM keyalgorithm[, KEYSIZE keysize]
You must specify -P, -B, -M or -MB. The default keysize is 256.
8. Now, when you issue a STATUS DISK, ENCRYPTION command, it shows ChangeStatus as “In
progress at …” for the -M path, “In progress on other CLIM” for the -MB path and “No change
in progress” for the -P and -B paths. The other path to the same physical disk is in the STOPPED
state during encryption. The other path is updated automatically after the key rotation completes.
If you try to start the path before the key rotation finishes, you will get an error.
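The check in steps 5 to 8 can be scripted against captured STATUS DISK, ENCRYPTION text. The following is an added example, not part of the guide: it reports which paths still show a ChangeStatus of "In progress" and recomputes the percentage from the two %H (hexadecimal) values. The sample text is constructed and abridged from the output shown above; the "Primary path" header line and the names parse_status and rotation_state are assumptions.

```python
import re

# Constructed sample, abridged from the STATUS DISK, ENCRYPTION output shown above.
# Assumption: a "Primary path" header precedes the first block (the excerpt starts after it).
SAMPLE = """\
Primary path
KeyName.......... N5000C50005B0551F_1_20090827093551
KeyAlgorithm..... XTS-AES
KeySize.......... 256
ChangeStatus..... In progress at %H005BEF00 of %H11176B27 (2%)
EncryptRate...... 50
EncryptPriority.. 4
Backup path
ChangeStatus..... In progress on other CLIM
Mirror path
Not Encrypted
ChangeStatus..... No change in progress
Mirror backup path
Not Encrypted
ChangeStatus..... No change in progress
"""

PATHS = {"Primary path": "-P", "Backup path": "-B",
         "Mirror path": "-M", "Mirror backup path": "-MB"}
FIELD = re.compile(r"^(\w+)\.{2,}\s*(.*)$")  # e.g. "KeySize.......... 256"
PROGRESS = re.compile(r"In progress at %H([0-9A-Fa-f]+) of %H([0-9A-Fa-f]+)")

def parse_status(text):
    """Return {path flag: {field: value}} for each path section (hypothetical helper)."""
    paths, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line in PATHS:
            cur = paths.setdefault(PATHS[line], {"Encrypted": True})
        elif cur is not None and line == "Not Encrypted":
            cur["Encrypted"] = False
        elif cur is not None and (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2)
    return paths

def rotation_state(paths):
    """List paths whose ChangeStatus is still 'In progress' and the percent done."""
    busy, pct = [], None
    for flag, fields in paths.items():
        status = fields.get("ChangeStatus", "")
        if status.startswith("In progress"):
            busy.append(flag)
        if (m := PROGRESS.search(status)):
            pct = 100.0 * int(m.group(1), 16) / int(m.group(2), 16)
    return {"busy": busy, "percent": pct, "rotation_done": not busy}
```

Call rotation_state(parse_status(text)) on each captured output and continue with the next path only once rotation_done is True.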
You can change EncryptRate and EncryptPriority with the ALTER DISK command:
ALTER $ENCM21-P, ENCRYPTIONPRIORITY 6, ENCRYPTRATE 70
If you do not specify these values, the defaults are 50 for ENCRYPTRATE and 4 for
ENCRYPTPRIORITY. The default values limit potential interference with system performance.
To speed up the encryption operation (even though this change might slow system
performance), increase the ENCRYPTPRIORITY value and/or increase the ENCRYPTRATE
value.
You may change these values only while an encryption operation is in progress. The new
values affect the ongoing encryption operation from the point at which you entered the
new values. They have no effect on future encryption operations.
You can abort the key rotation operation (if it is taking too long, for instance) by stopping the
path and using INITIALIZE on the disk. The data on that disk will be lost, and you must revive
the disk to restore it. This is similar to encrypting data using INIT and REVIVE: