Skm or eskm key vault high availability deployment, Data encryption keys, Disk keys and tape pool keys support – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (SKM/ESKM)
53-1002923-01
Steps for connecting to an SKM or ESKM appliance
• The user name and password must match the user name and password specified for the Brocade group.
• The same user name and password must be configured on all nodes in an encryption group. This is not enforced or validated by the encryption group members, so care must be taken when configuring the user name and password to ensure they are the same on each node.
• Different user names and passwords can never be used within the same encryption group, but each encryption group may have its own user name and password.
• If you change the user name and password using the -KAClogin option, the keys created by the previous user become inaccessible. The Brocade group user name and password must also be changed to the same values on the SKM/ESKM to make the keys accessible.
• When storage is moved from one encryption group to another, and the new encryption group uses a different user name and password, the Brocade group user name and password must also be changed to the same values on the SKM/ESKM to make the keys accessible.
SKM or ESKM key vault high availability deployment
The SKM/ESKM key vault has high availability clustering capability. SKM/ESKM appliances can be clustered together transparently to the end user. Encryption keys saved to one key vault are synchronously hardened to the cluster pairs. Refer to the HP SKM/ESKM appliance user documentation for configuration requirements and procedures.
Configured primary and secondary HP SKM/ESKM appliances must be registered with the Brocade Encryption Switch or blade to begin key operations. The user can register only a single SKM/ESKM if desired. In that case, the HA features are lost, but the archived keys are still backed up to the other, non-registered cluster members. Beginning with Fabric OS v6.3.0, the primary and secondary appliances must be clustered.
Both SKM/ESKM appliances in the cluster can be registered using the following command:
SecurityAdmin:switch> cryptocfg --reg -keyvault
Data Encryption Keys
The following sections describe Data Encryption Key (DEK) behavior during DEK creation, retrieval,
and updates as they relate to disk keys and tape pool keys, and tape LUN and DF-compatible tape
pool support:
Disk keys and tape pool keys support
Data Encryption Key (DEK) creation, retrieval, and update for disk and tape pool keys are as follows:
• DEK creation: The DEK is first archived using the session list available for the configured ESKMs/SKMs in the cluster. After the DEK is archived successfully, it gets synchronized with other ESKMs/SKMs in the cluster. If archival is successful, the DEK is then read from both the primary and secondary ESKMs/SKMs in the cluster until the DEK is read successfully from each. If the set of operations is successful, the DEK created can be used for encrypting disk LUNs or tape pools in Brocade native mode. If key archival of the DEK to the ESKM/SKM
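The DEK creation sequence above (archive through the session list, synchronous hardening to cluster peers, then read-back from both the registered primary and secondary before the key is used) as an added Python model; this is illustration code, not Brocade or HP code, and the KeyVault class, its method names and the create_dek helper are all constructed assumptions standing in for the real appliance interface.

```python
import os


class KeyVault:
    """Constructed stand-in for one SKM/ESKM cluster member (not HP's API)."""

    def __init__(self, name, cluster):
        self.name = name
        self.keys = {}
        self.reachable = True
        self.cluster = cluster            # every member, registered or not
        cluster.append(self)

    def archive(self, key_id, dek):
        if not self.reachable:
            raise ConnectionError(self.name)
        # A key saved to one member is synchronously hardened to all peers,
        # including clustered members that the switch never registered.
        for peer in self.cluster:
            peer.keys[key_id] = dek

    def retrieve(self, key_id):
        if not self.reachable:
            raise ConnectionError(self.name)
        return self.keys[key_id]          # KeyError if the key never synced


def create_dek(key_id, session_list, registered, retries=3):
    """Return a new DEK only when archival and read-back from every
    registered appliance succeed; otherwise return None so the key is
    never used to encrypt a LUN or tape pool."""
    dek = os.urandom(32)                  # constructed 256-bit key material
    for vault in session_list:            # archive via the session list
        try:
            vault.archive(key_id, dek)
            break
        except ConnectionError:
            continue
    else:
        return None                       # archival failed on every session
    for vault in registered:              # read back from primary and secondary
        for _ in range(retries):
            try:
                if vault.retrieve(key_id) == dek:
                    break
            except (ConnectionError, KeyError):
                pass
        else:
            return None                   # read-back never succeeded here
    return dek
```

A None result is the signal that the switch must not start using the key, even though archival itself may have succeeded on one appliance.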