Tape LUN support, SKM or ESKM key vault deregistration – Brocade Fabric OS Encryption Administrator's Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator's Guide (SKM/ESKM), page 149, publication number 53-1002923-01
Chapter 3: Steps for connecting to an SKM or ESKM appliance
cluster fails, an error is logged and the operation is retried. If the failure occurs during DEK retrieval after the DEK has been archived successfully to one of the ESKMs/SKMs, or if synchronization to any ESKM/SKM in the cluster times out, an error is logged and the operation is retried. A DEK that was archived in this case is not used.
- If key archival of the DEK to the ESKM/SKM cluster is successful, the DEK is read back from the ESKMs or SKMs in the cluster (the primary, the secondary, or both) until it has been read successfully from each of them. Only then can the DEK be used for encrypting disk LUNs or tape pools in Brocade native mode.
- If key archival of the DEK to the ESKM/SKM cluster fails, an error is logged and the operation is retried. If the DEK was archived to one of the ESKMs or SKMs but synchronization to all ESKMs or SKMs in the cluster times out, an error is logged and the operation is retried. A DEK that was archived in this case is not used, so no data is ever encrypted under a key that only one appliance holds.
• DEK retrieval: The DEK is retrieved from the ESKM/SKM cluster using the session list available from the configured ESKMs/SKMs in the cluster. If DEK retrieval fails, it is retried.
• DEK update: DEK update behavior is the same as DEK creation.
Tape LUN support
Data Encryption Key (DEK) creation, retrieval, and update for tape LUNs are as follows:
• DEK creation: The DEK is created and archived to the ESKM/SKM cluster using the session list available for the configured ESKMs/SKMs in the cluster, and is synchronized with the other ESKMs/SKMs in the cluster. Upon successful archival of the DEK to the ESKM/SKM cluster, the DEK can be used for encryption of the tape LUN; unlike the disk LUN case, no read-back from each appliance precedes first use. If archival of the DEK to the ESKM/SKM cluster fails, an error is logged and the operation is retried.
• DEK retrieval: The DEK is retrieved from the ESKM/SKM cluster using the session list available for the configured ESKMs/SKMs in the cluster. If DEK retrieval fails, it is retried.
• DEK update: DEK update behavior is the same as DEK creation.
SKM or ESKM key vault deregistration
Either the primary or the secondary SKM/ESKM key vault can be deregistered from an encryption switch or blade independently of the other. When migrating from SKM to ESKM, move both the primary and the secondary SKM to ESKM and form a cluster on the ESKMs before any new encryption is done; otherwise key operations may fail.
• Deregistration of the primary ESKM/SKM: You can deregister the primary ESKM/SKM from an encryption group (EG) for maintenance or replacement without deregistering the backup (secondary) ESKM/SKM. Future key operations use only the secondary ESKM/SKM until the primary ESKM/SKM is reregistered on the Brocade Encryption Switch or blade.
When the primary ESKM/SKM is replaced with a different ESKM/SKM, you must first synchronize the DEKs from the secondary ESKM/SKM to the replacement before reregistering it as the primary ESKM/SKM, so that the new primary holds every DEK the secondary holds, including any DEKs created while only the secondary was registered.
• Deregistration of the secondary SKM/ESKM: You can deregister the secondary SKM/ESKM independently. Future key operations use only the primary SKM/ESKM until the secondary SKM/ESKM is reregistered on the encryption switch or blade.
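The following is an added model of the behavior described in the DEK creation, retrieval and update lists above (for both disk and tape LUNs) and in this deregistration section. It is not Brocade or HP code and does not talk to a real SKM/ESKM: the vault names, the retry limit of three, the failure injection, and the "discarded" bookkeeping are constructed for the illustration. What it shows is the rule that matters for recoverability: a DEK that was archived to only part of the cluster is logged and never used, the secondary alone serves key operations after the primary is deregistered, and a replacement primary is refused until it has been synchronized from the secondary.

```python
# Added model of the DEK lifecycle described on this page. It is an
# illustration, not Brocade or HP code: the vault names, retry limit,
# failure injection and "discarded" bookkeeping are constructed here.
import secrets


class KeyVault:
    """Stand-in for one SKM/ESKM appliance; stores DEKs by key ID."""

    def __init__(self, name, fail_archive=0, fail_read=0):
        self.name = name
        self.keys = {}                    # key_id -> DEK bytes
        self.fail_archive = fail_archive  # injected: next N archive calls fail
        self.fail_read = fail_read        # injected: next N read calls fail

    def archive(self, key_id, dek):
        if self.fail_archive:
            self.fail_archive -= 1
            raise IOError(f"{self.name}: archive of {key_id} failed")
        self.keys[key_id] = dek

    def read(self, key_id):
        if self.fail_read:
            self.fail_read -= 1
            raise IOError(f"{self.name}: read of {key_id} failed")
        if key_id not in self.keys:
            raise IOError(f"{self.name}: {key_id} not present (not synchronized)")
        return self.keys[key_id]


class EncryptionGroup:
    """The switch's view of the cluster. The session list is every vault
    that is currently registered: primary, secondary, or both."""

    def __init__(self, primary, secondary, max_retries=3):
        self.vaults = {"primary": primary, "secondary": secondary}
        self.max_retries = max_retries
        self.log = []        # errors logged before a retry
        self.discarded = []  # DEKs archived somewhere but never used

    def session_list(self):
        return [v for v in self.vaults.values() if v is not None]

    def create_dek(self, key_id, verify_readback=True):
        """Disk-LUN rule: archive to every vault in the session list, then
        read the DEK back from each of them before it may be used. The
        tape-LUN rule (verify_readback=False) stops at successful archival.
        Any attempt that fails part-way is logged, and that DEK is never
        used, so no data is encrypted under a key only one vault holds."""
        vaults = self.session_list()
        if not vaults:
            raise RuntimeError("no key vault registered")
        for attempt in range(1, self.max_retries + 1):
            dek = secrets.token_bytes(32)
            try:
                for v in vaults:
                    v.archive(key_id, dek)
                if verify_readback:
                    for v in vaults:
                        if v.read(key_id) != dek:
                            raise IOError(f"{v.name}: read-back mismatch for {key_id}")
                return dek
            except IOError as err:
                self.log.append(f"create {key_id} attempt {attempt}: {err}")
                self.discarded.append(dek)
        raise RuntimeError(f"DEK creation for {key_id} failed after {self.max_retries} attempts")

    def update_dek(self, key_id, verify_readback=True):
        """DEK update follows the same path as DEK creation."""
        return self.create_dek(key_id, verify_readback)

    def retrieve_dek(self, key_id):
        """Walk the session list; if no vault answers, retry the whole list."""
        for attempt in range(1, self.max_retries + 1):
            for v in self.session_list():
                try:
                    return v.read(key_id)
                except IOError as err:
                    self.log.append(f"retrieve {key_id} attempt {attempt}: {err}")
        raise RuntimeError(f"DEK {key_id} not retrievable from any registered vault")

    def deregister(self, role):
        """Deregister the primary or the secondary on its own; the remaining
        vault serves all key operations until a vault is reregistered."""
        self.vaults[role] = None

    def synchronize(self, src_role, dst_vault):
        """Copy every DEK from the surviving vault into a replacement."""
        for key_id, dek in self.vaults[src_role].keys.items():
            dst_vault.archive(key_id, dek)

    def register(self, role, vault):
        """Reregister a vault. A replacement is refused until it holds every
        DEK the other registered vault holds (synchronize() first)."""
        other = self.vaults["secondary" if role == "primary" else "primary"]
        if other is not None:
            missing = set(other.keys) - set(vault.keys)
            if missing:
                raise RuntimeError(f"{vault.name} lacks {len(missing)} DEK(s); "
                                   f"synchronize from {other.name} first")
        self.vaults[role] = vault
```

The `register()` check is the part to carry over to a real procedure: before reregistering a replacement primary, confirm from the key manager side that it lists every key ID the secondary lists, because DEKs created while only the secondary was registered exist nowhere else.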