Generating and backing up the master key – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002923-01

Node Name: 10:00:00:05:1e:41:9a:7e (current node)

State: DEF_NODE_STATE_DISCOVERED

Role: GroupLeader

IP Address: 10.32.244.71

Certificate: GL_cpcert.pem

Current Master Key State: Not configured

Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

Alternate Master Key State:Not configured

Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

EE Slot: 0

SP state: Operational; Need Valid KEK

Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

No HA cluster membership

Node Name: 10:00:00:05:1e:39:14:00

State: DEF_NODE_STATE_DISCOVERED

Role: MemberNode

IP Address: 10.32.244.60

Certificate: enc1_cpcert.pem

Current Master Key State: Not configured

Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

Alternate Master Key State:Not configured

Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

EE Slot: 0

SP state: Unknown State

Current Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

Alternate Master KeyID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

No HA cluster membership
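
The listing above shows both group members with all-zero master KeyIDs and an encryption engine reporting "Need Valid KEK", which is the condition the master key procedure that follows resolves. The Python sketch below is an added example, not part of the Brocade guide: it parses saved output in that layout and reports nodes that still lack a master key. The function names are hypothetical, the sample is constructed from the listing, and the only SP states it flags are the two strings that appear in the listing.

```python
ZERO_KEY_ID = ":".join(["00"] * 16)  # all-zero KeyID means no key is loaded

# Constructed sample: abbreviated copy of the two-node listing above.
SAMPLE = f"""\
Node Name: 10:00:00:05:1e:41:9a:7e (current node)
Current Master KeyID: {ZERO_KEY_ID}
EE Slot: 0
SP state: Operational; Need Valid KEK
Current Master KeyID: {ZERO_KEY_ID}
Node Name: 10:00:00:05:1e:39:14:00
Current Master KeyID: {ZERO_KEY_ID}
EE Slot: 0
SP state: Unknown State
Current Master KeyID: {ZERO_KEY_ID}
"""


def parse_group_members(text):
    """Split the listing into nodes; fields after 'EE Slot' go under 'ee'."""
    nodes, scope = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            continue  # lines without a field, e.g. "No HA cluster membership"
        key, value = key.strip(), value.strip()
        if key == "Node Name":
            nodes.append({"name": value.split()[0], "node": {}, "ee": {}})
            scope = nodes[-1]["node"]
        elif nodes:
            if key == "EE Slot":
                scope = nodes[-1]["ee"]  # later fields belong to the engine
            scope[key] = value
    return nodes


def audit(nodes):
    """Return (node, issue) pairs for members without a usable master key."""
    findings = []
    for n in nodes:
        for label, fields in (("node", n["node"]), ("EE", n["ee"])):
            if fields.get("Current Master KeyID") == ZERO_KEY_ID:
                findings.append((n["name"], f"{label}: no current master key"))
        sp = n["ee"].get("SP state", "")
        # Assumption: only the two SP states seen in the listing are flagged.
        if "Need Valid KEK" in sp or sp == "Unknown State":
            findings.append((n["name"], f"SP state: {sp}"))
    return findings


if __name__ == "__main__":
    print(*audit(parse_group_members(SAMPLE)), sep="\n")
```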

Generating and backing up the master key

You must generate a master key on the group leader, and export it to a secure backup location so
that it can be restored, if necessary. The master key is used to encrypt DEKs for transmission to
and from an SKM/ESKM.

The backup location may be an SKM/ESKM, a local file, or a secure external SCP-capable host. All
three options are shown in the following procedure. Note that the Brocade SAN Management
application (BNA) provides the additional option of backing up the master key to system cards.

1. Generate the master key on the group leader.

SecurityAdmin:switch> cryptocfg --genmasterkey

Master key generated. The master key should be

exported before further operations are performed.

2. Export the master key to the key vault. Make a note of the key ID and the passphrase. You will need the Key ID and passphrase should you have to restore the master key from the key vault.

SecurityAdmin:switch> cryptocfg --exportmasterkey

Enter the passphrase: passphrase

Master key exported. Key ID: 8f:88:45:32:8e:bf:eb:44:c4:bc:aa:2a:c1:69:94:2