Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual

x

Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002923-01

Rekeying best practices and policies. . . . . . . . . . . . . . . . . . . . . . . .233

Manual rekey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Latency in rekey operations . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Allow rekey to complete before deleting a container. . . . . . . .233
Rekey operations and firmware upgrades . . . . . . . . . . . . . . . .233
Do not change LUN configuration while rekeying . . . . . . . . . .234
Recommendation for Host I/O traffic during online
rekeying and first- time encryption . . . . . . . . . . . . . . . . . . . . . .234

KAC certificate registration expiry . . . . . . . . . . . . . . . . . . . . . . . . . .234

Changing IP addresses in encryption groups . . . . . . . . . . . . . . . . .234

Disabling the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . .235

Recommendations for Initiator Fan-Ins . . . . . . . . . . . . . . . . . . . . . .235

Best practices for host clusters in an encryption environment . . .236

HA Cluster deployment considerations and best practices . . . . . .236

Key Vault Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236

Tape device LUN mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237

Special notes for HP Data Protector backup and restore
application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237

Tape pool encryption policy specification. . . . . . . . . . . . . . . . .237
Tape LUN encryption policy specification. . . . . . . . . . . . . . . . .237

Chapter 6

Maintenance and Troubleshooting

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Encryption group and HA cluster maintenance. . . . . . . . . . . . . . . .240

Displaying encryption group configuration
or status information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Removing a member node from an encryption group. . . . . . .240
Deleting an encryption group . . . . . . . . . . . . . . . . . . . . . . . . . .243
Removing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .243
Displaying the HA cluster configuration . . . . . . . . . . . . . . . . . .244
Replacing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .245
Deleting an HA cluster member . . . . . . . . . . . . . . . . . . . . . . . . 247
Performing a manual failback of an encryption engine . . . . .248

Encryption group merge and split use cases . . . . . . . . . . . . . . . . .249

A member node failed and is replaced . . . . . . . . . . . . . . . . . .249
A member node reboots and comes back up . . . . . . . . . . . . .250
A member node lost connection to the group leader . . . . . . .251
A member node lost connection to all other nodes
in the encryption group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Several member nodes split off from an encryption
group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Adjusting heartbeat signaling values . . . . . . . . . . . . . . . . . . . .253
EG split possibilities requiring manual recovery . . . . . . . . . . .254
Configuration impact of encryption group split
or node isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258