NonStop Volume Level Encryption Guide
Preparation for REVIVE key rotation
Before performing INIT and REVIVE, prepare the disks:
• Use FCHECK to check the disk volume for errors:
FCHECK -SCAN -VOL volume-name
See FCHECK --HELP for help.
REVIVE key rotation procedure
To encrypt a mirrored disk volume, follow these procedures. For details about SCF commands, see
the SCF Reference Manual for the Storage Subsystem.
1. Use the SCF STOP DISK command to stop both paths to the mirror disk:
STOP disk-name-M
STOP disk-name-MB
2. Use the INITIALIZE DISK command to initialize the stopped mirror disk with the new key:
INITIALIZE disk-name-P | -M, NEWENCRYPTKEY, KEYALGORITHM keyalgorithm [, KEYSIZE keysize]
You must specify -P or -M. The default keysize is 256. This example uses the CBC-AES
KEYALGORITHM:
4-> INIT DISK $SAS111-P, NEWENCRYPTKEY, KEYALGORITHM CBC-AES
STORAGE W01010 The INITIALIZE operation will DESTROY any
existing files on $SAS111-P.
Are you sure you want to INITIALIZE $SAS111-P (Y/[N])Y
3. Issue a START command to revive the downed mirror disk:
6-> START DISK $SAS111
STORAGE W01001 To START the disk, SCF must revive the information on
\BLDQA2.$SAS111. This operation might IMPACT system
performance, especially users of $SAS111.
Do you want to start a disk revive on \BLDQA2.$SAS111 (Y/[N])Y
The data is read from the primary disk and written, encrypted with the mirror disk key, to the
mirror disk. Wait for the mirror disk revive to complete and the mirror disk to come up, then
proceed to the next step.
4. After the revive completes and the mirror disk is up, use the SCF STOP DISK command to stop
both paths to the primary disk:
STOP disk-name-P
STOP disk-name-B
5. Use the INITIALIZE DISK command to initialize the stopped primary disk with the new key.
Use the same key algorithm and key size that you used for the mirror disk.
6. Issue a START command to revive the downed primary disk. The data is read from the mirror
disk, decrypted with the mirror disk key, and written, encrypted with the primary disk key, to
the primary disk. Wait for the primary disk revive to complete and the primary disk to come
up.
7. Use the STATUS DISK, ENCRYPTION, DETAIL command to verify that the disk is now encrypted:
77-> STATUS DISK $SAS111, ENCRYPTION, DETAIL
STORAGE — Status DISK \BLDQA2.$SAS111, ENCRYPTION
Primary path
KeyName.......... N50000C500078BBD07_20090827161904
KeyAlgorithm..... CBC-AES
KeySize.......... 256
KeyAccess........ OK
ChangeStatus..... No change in progress
Backup path
KeyName.......... N50000C500078BBD07_20090827161904
KeyAlgorithm..... CBC-AES
KeySize.......... 256
KeyAccess........ OK
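
One way to check the step 7 output automatically after a rotation, as an added example that is not part of the original guide or an HPE tool. It assumes the STATUS DISK output has been captured as plain text in the layout shown above; parse_status and check_rotation are hypothetical names, and the old key name passed for comparison is whatever you recorded before step 1.

```python
import re
# Constructed sample copied from the STATUS DISK output above; names here are this example's own.
SAMPLE = """\
STORAGE - Status DISK \\BLDQA2.$SAS111, ENCRYPTION
Primary path
KeyName.......... N50000C500078BBD07_20090827161904
KeyAlgorithm..... CBC-AES
KeySize.......... 256
KeyAccess........ OK
ChangeStatus..... No change in progress
Backup path
KeyName.......... N50000C500078BBD07_20090827161904
KeyAlgorithm..... CBC-AES
KeySize.......... 256
KeyAccess........ OK
"""

FIELD = re.compile(r"^\s*(\w+)\.{2,}\s*(.*?)\s*$")  # "Name..... value"

def parse_status(text):
    """Return {path name: {field: value}} from captured STATUS output."""
    paths, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and current is not None:
            paths[current][m.group(1)] = m.group(2)
        elif line.strip().lower().endswith("path"):
            current = line.strip()
            paths[current] = {}
    return paths

def check_rotation(text, algorithm, keysize, old_keyname=None):
    """List every finding that means the rotation is not verified."""
    problems = []
    paths = parse_status(text)
    if not paths:
        problems.append("no path sections found")
    for name, f in paths.items():
        if f.get("KeyAlgorithm") != algorithm:
            problems.append(f"{name}: KeyAlgorithm is {f.get('KeyAlgorithm')}")
        if f.get("KeySize") != str(keysize):
            problems.append(f"{name}: KeySize is {f.get('KeySize')}")
        if f.get("KeyAccess") != "OK":
            problems.append(f"{name}: KeyAccess is {f.get('KeyAccess')}")
        if f.get("ChangeStatus", "No change in progress") != "No change in progress":
            problems.append(f"{name}: {f['ChangeStatus']}")
        if old_keyname and f.get("KeyName") == old_keyname:
            problems.append(f"{name}: still on old key {old_keyname}")
    return problems
```

An empty list from check_rotation(SAMPLE, "CBC-AES", 256) means every reported path matches the algorithm and key size given to INITIALIZE DISK and has key access.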