Removing stale rekey information for a LUN, Downgrading firmware from Fabric OS 7.1.0 – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (DPM)
53-1002922-01
NOTE
When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg --transabort. Doing so will cause subsequent reclaim attempts to fail.
Removing stale rekey information for a LUN
To clean up stale rekey information for a LUN, complete one of the following procedures:
Procedure 1:
1. Modify the LUN policy from “encrypt” to “cleartext” and commit. The LUN will become disabled.
2. Enable the LUN using the following command:
Admin:switch> cryptocfg --enable -LUN
3. Modify the LUN policy from “cleartext” to “encrypt” with the enable_encexistingdata command
to enable the first-time encryption, then commit. This will clear the stale rekey metadata on the
LUN and the LUN can be used again for encryption.
Procedure 2:
1. Remove the LUN from the CryptoTarget Container and commit.
2. Add the LUN back to the CryptoTarget Container with LUN State=“clear-text”, policy=“encrypt”
and “enable_encexistingdata” set for enabling the first-time encryption, then commit. This will
clear the stale rekey metadata on the LUN and the LUN can be used again for encryption.
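Both procedures as a Fabric OS CLI session, added here as an illustration and not taken from the guide. The subcommands and options not shown on this page (--modify, --commit, --remove, --add, -lunstate, -cleartext, -encrypt) and their argument order are assumed from the usual cryptocfg syntax and should be confirmed against the command reference for your release; angle-bracket values are placeholders.

```text
# Added illustration. <container>, <lun_num>, <initiator_pwwn> and
# <initiator_nwwn> are placeholders for your own CryptoTarget container,
# LUN number and initiator WWNs. Option spellings are assumptions.

# --- Procedure 1 ---
# Step 1: change the LUN policy from encrypt to cleartext and commit.
#         The LUN becomes disabled.
Admin:switch> cryptocfg --modify -LUN <container> <lun_num> <initiator_pwwn> -cleartext
Admin:switch> cryptocfg --commit

# Step 2: enable the LUN.
Admin:switch> cryptocfg --enable -LUN <container> <lun_num> <initiator_pwwn>

# Step 3: change the policy back to encrypt with first-time encryption
#         enabled, then commit. This clears the stale rekey metadata.
Admin:switch> cryptocfg --modify -LUN <container> <lun_num> <initiator_pwwn> -encrypt -enable_encexistingdata
Admin:switch> cryptocfg --commit

# --- Procedure 2 ---
# Step 1: remove the LUN from the CryptoTarget container and commit.
Admin:switch> cryptocfg --remove -LUN <container> <lun_num> <initiator_pwwn>
Admin:switch> cryptocfg --commit

# Step 2: add the LUN back in cleartext state with the encrypt policy and
#         first-time encryption enabled, then commit.
Admin:switch> cryptocfg --add -LUN <container> <lun_num> <initiator_pwwn> <initiator_nwwn> -lunstate cleartext -encrypt -enable_encexistingdata
Admin:switch> cryptocfg --commit
```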
Downgrading firmware from Fabric OS 7.1.0
If you are attempting to download firmware to a Fabric OS version earlier than v6.4.0, for example,
v6.3.0(x), you might be prompted with the following error message, even if there are no failed
decommissioned LUNs, and even if no decommissioned key ID list exists on a node:
“Downgrade is not allowed for this key vault type, as device decommission feature is in use. Please
use cryptocfg --delete -decommissionedkeyids to disable device decommission. Make sure that
no LUN is undergoing decommission or is in failed state.”
NOTE
When disabling the firmware consistency check, there should be no LUNs with pending
decommission or in a failed state. If the firmware download to a version earlier than Fabric OS 7.1.0
is disallowed because of any LUNs under decommission or in a failed state, you must either
complete decommissioning, or remove the offending LUNs before retrying
cryptocfg --delete -decommissionedkeyids to disable the firmware consistency check.
NOTE
You should not join a Fabric OS 7.0.1(x) node into an encryption group or eject a node with Fabric OS
v7.1.0 or later when the firmware consistency check for the device decommission feature is enabled
in the encryption group.