Manualshelf

Fabric OS Encryption Administrator's Guide

ManualsBrandsHP ManualsStorageHP SN8000B 4-slot SAN Director Switch
211212213214215216217218219220
Fabric OS Encryption Administrator’s Guide 199
53-1002159-03
Deployment with Admin Domains (AD)
5
Deployment with Admin Domains (AD)
Virtual devices created by the encryption device do not support the AD feature in this release. All
virtual devices are part of AD0 and AD255. Targets for which virtual targets are created and hosts
for which virtual initiators are created must also be in AD0 and AD255. If they are not, access from
the hosts and targets to the virtual targets and virtual initiators is denied, leading to denial of
encryption services.
Do not use DHCP for IP interfaces
Do not use DHCP for either the GbE management interface or the Ge0 and Ge1 interfaces. Assign
static IP addresses.
Ensure uniform licensing in HA clusters
Licenses installed on the nodes should allow for identical performance numbers between HA
cluster members.
Tape library media changer considerations
In tape libraries where the media changer unit is addressed by a target port that is separate from
the actual tape SCSI I/O ports, create a CryptoTarget container for the media changer unit and
CryptoTarget containers for the SCSI I/O ports. If a CryptoTarget container is created only for the
media changer unit target port, no encryption is performed on this device.
In tape libraries where the media changer unit is addressed by separate LUN at the same target
port as the actual tape SCSI I/O LUN, create a CryptoTarget container for the target port, and add
both the media changer unit LUN and one or more tape SCSI I/O LUNs to that CryptoTarget
container. If only a media changer unit LUN is added to the CryptoTarget container, no encryption is
performed on this device.
Turn off host-based encryption
If a host has an encryption capability of any kind, be sure it is turned it off before using the
encryption engine on the encryption switch or blade. Encryption and decryption at the host may
make it impossible to successfully decrypt the data.
Avoid double encryption
Encryption and decryption at tape drives does not affect the encryption switch or blade
capabilities, and does not cause problems with decrypting the data. However, double encryption
adds the unnecessary need to manage two sets of encryption keys, increases the risk of losing
data, may reduce performance, and does not add security.