Fabric OS Encryption Administrator's Guide

53-1002159-03
Terminology
Opaque Key Vault
A storage location that provides untrusted key management functionality. Its contents
may be visible to a third party. DEKs in an opaque key vault are therefore stored
encrypted under a master key, so that the vault never holds a DEK in the clear.
Recovery cards
A set of smart cards that contain a backup master key. Each recovery card holds a
portion of the master key. The cards must be gathered and read together from a card
reader attached to a PC running the Brocade Data Center Fabric Manager (DCFM)
application to restore the master key. Recovery cards may be stored in different
locations, making it very difficult to steal the master key. The cards should not be stored
together, as that defeats the purpose.
Redirection zone
When encryption is implemented, data traffic is routed to and from virtual initiators and
virtual targets. Redirection zones are automatically created to enable frame redirection
to the virtual initiators and virtual targets.
Re-keying
Re-keying refers to decrypting data with the current Data Encryption Key (DEK), and
encrypting it with a new DEK. This is done when the security of the current key is
compromised, or when a DEK is configured to expire in a specific time frame. The
re-keying operation can be used to encrypt existing data currently stored as cleartext. In
that case, there is no existing DEK, and the data does not have to be decrypted before it
is encrypted using the new DEK.
Trusted Key Vault
Very secure storage on a hardware appliance that establishes a trusted link with the
encryption device for secure exchange of DEKs. DEKs are encrypted over the trusted
link for transit between the encryption device and the hardware appliance. At the
hardware appliance, the DEKs are re-encrypted using a master key that is created and
maintained by the hardware appliance, and then stored in the trusted key vault.
Virtual Initiator
A logical entity that acts as a stand-in for a physical host when communicating with a
physical target LUN.
Virtual Target
A logical entity that acts as a stand-in for a physical target LUN when communicating
with a physical host. A virtual target is mapped one to one to a specific physical target.