
Configuring a lun for automatic rekeying – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (DPM)


53-1002922-01

Data rekeying


Configuring a LUN for automatic rekeying

Rekeying options are configured at the LUN level either during LUN configuration with the
cryptocfg --add -LUN command, or at a later time with the cryptocfg --modify -LUN command.

For rekeying of a disk array LUN, the Crypto LUN is configured in the following way:

- Set LUN policy as either cleartext or encrypt.

  - If cleartext is enabled (default), all encryption-related options are disabled and no DEK is
    associated with the LUN. No encryption is performed on the LUN.

  - If the LUN policy is set to encrypt, encryption is enabled on the LUN and all other options
    related to encryption are enabled. A DEK is retrieved from the key vault and verified with
    the metadata.

- Set the auto rekeying feature with the cryptocfg -enable_rekey command and specify the
  interval at which the key expires and automatic rekeying should occur (time period in days).
  Enabling automatic rekeying is valid only if the LUN policy is set to encrypt and the encryption
  format is Brocade native. Refer to the section “Crypto LUN parameters and policies” on
  page 169 for more information.

NOTE

For a scheduled rekeying session to proceed, all encryption engines in a given HA cluster, DEK
cluster, or encryption group must be online, and I/O sync links must be configured. Refer to the
section “Management LAN configuration” on page 130 for more information.

1. Log in to the group leader as FabricAdmin.

2. Enable automatic rekeying by setting the -enable_rekey parameter followed by a time period
(in days). The following example enables the automatic rekeying feature on an existing LUN
with a 90-day rekeying interval. The data will automatically be re-encrypted every 90 days.

    FabricAdmin:switch> cryptocfg --modify -LUN my_disk_tgt 0x0 \
    10:00:00:00:c9:2b:c9:3a -enable_rekey 90
    Operation Succeeded

3. Commit the configuration.

    FabricAdmin:switch> cryptocfg --commit
    Operation Succeeded
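The procedure above, applied to a batch of LUNs, as an added example that is not part of the guide or of Fabric OS: a Python helper that checks each LUN against the validity rule (policy encrypt, Brocade native format) before emitting the same cryptocfg lines shown in steps 2 and 3. The CSV inventory, its column names and its "native"/"other" labels, the other_tgt rows, the field-shape checks and the single closing commit are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed inventory (not Fabric OS output). Only the first row mirrors the
# page's example; the other rows and all column names are hypothetical.
SAMPLE_INVENTORY = """container,lun,initiator_pwwn,policy,format,rekey_days
my_disk_tgt,0x0,10:00:00:00:c9:2b:c9:3a,encrypt,native,90
my_disk_tgt,0x1,10:00:00:00:c9:2b:c9:3a,cleartext,native,90
other_tgt,0x0,10:00:00:00:c9:2b:c9:3b,encrypt,other,90
other_tgt,0x1,10:00:00:00:c9:2b:c9:3b,encrypt,native,0
other_tgt,0x2,10:00:00:00:c9:2b,encrypt,native,90
"""

# Assumed field shapes, modelled on the values in the page's example, so that
# nothing unexpected from the inventory reaches the switch CLI.
SHAPES = {
    "container": re.compile(r"[A-Za-z0-9_]+"),
    "lun": re.compile(r"0x[0-9a-fA-F]+"),
    "initiator_pwwn": re.compile(r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"),
}

def plan_rekey(inventory_csv):
    """Return (commands, rejected) for the LUNs in a CSV inventory."""
    commands, rejected = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        problems = [f"malformed {name}" for name, rx in SHAPES.items()
                    if not rx.fullmatch(row[name])]
        # Rule from the page: automatic rekeying is valid only when the LUN
        # policy is encrypt and the encryption format is Brocade native.
        if row["policy"] != "encrypt":
            problems.append("LUN policy is not encrypt")
        if row["format"] != "native":
            problems.append("encryption format is not Brocade native")
        days = int(row["rekey_days"]) if row["rekey_days"].isdecimal() else 0
        if days < 1:
            problems.append("rekey interval is not a positive number of days")
        if problems:
            rejected.append((f"{row['container']} {row['lun']}", problems))
            continue
        commands.append(
            f"cryptocfg --modify -LUN {row['container']} {row['lun']} "
            f"{row['initiator_pwwn']} -enable_rekey {days}")
    if commands:
        # Step 3; assumes one commit may cover the whole batch.
        commands.append("cryptocfg --commit")
    return commands, rejected
```

The rejected list is the part to review before a change window: each entry names a LUN for which the switch would not accept automatic rekeying as configured.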