Fabric OS Encryption Administrator's Guide
Fabric OS Encryption Administrator’s Guide 135
53-1002159-03
Generating and backing up the master key
3
Role: MemberNode
IP Address: 10.32.244.60
Certificate: enc1_cpcert.pem
Current Master Key State: Not configured
Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Alternate Master Key State:Not configured
Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
EE Slot: 0
SP state: Unknown State
Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
No HA cluster membership
Generating and backing up the master key
You must generate a master key on the group leader, and export it to a secure backup location so
that it can be restored, if necessary. The master key is used to encrypt DEKs for transmission to
and from an SKM/ESKM.
The backup location may be an SKM/ESKM, a local file, or a secure external SCP-capable host. All
three options are shown in the following procedure. Note that the Brocade SAN management
application provides the additional option of backing up the master key to system cards.
1. Generate the master key on the group leader.
SecurityAdmin:switch>cryptocfg --genmasterkey
Master key generated. The master key should be
exported before further operations are performed.
2. Export the master key to the key vault. Make a note of the key ID and the passphrase. You will
need the Key ID and passphrase should you have to restore the master key from the key vault.
SecurityAdmin:switch>cryptocfg --exportmasterkey
Enter the passphrase: passphrase
Master key exported. Key ID:
8f:88:45:32:8e:bf:eb:44:c4:bc:aa:2a:c1:69:94:2
3. Save the master key to a file.
SecurityAdmin:switch>cryptocfg --exportmasterkey -file
Master key file generated.
4. Export the master key to an SCP-capable external host:
SecurityAdmin:switch>cryptocfg --export -scp -currentMK \
192.168.38.245 mylogin GL_MK.mk
Password:
Operation succeeded.
5. Display the group membership information. Verify that the master key ID for all member nodes
is the same.
SecurityAdmin:switch>cryptocfg --show -groupmember -all
NODE LIST