Impact of tape lun configuration changes, Configuring a multi-path crypto lun, The section – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (SKM/ESKM)
53-1002923-01
For tape LUNs, the -enable_encexistingdata, -enable_rekey, and -key_lifespan options are not
valid and therefore cannot be modified. When you attempt to execute these parameters while
modifying a tape LUN, the system returns an error. Disabling -write_early_ack or -read_ahead for
a tape LUN will result in lower total throughput depending on the number of flows per encryption
engine.
NOTE
Make sure all the outstanding backup and recovery operations on the media are completed before
changing the LUN configuration.
For disk LUNs, -write_early_ack and -read_ahead are not valid and therefore cannot be modified.
When you attempt to execute these parameters while modifying a disk LUN, the system returns an
error.
Impact of tape LUN configuration changes
LUN-level policies apply when no policies are configured at the tape pool level. The following
restrictions apply when modifying tape LUN configuration parameters:
• If you change a tape LUN policy from encrypt to cleartext or from cleartext to encrypt while data
is written to or read from a tape backup device, the policy change is not enforced until the
current process completes and the tape is unmounted, rewound, or overwritten. This
mechanism prevents the mixing of cleartext data with cipher-text data on the tape.
• Make sure you understand the ramifications of changing the tape LUN encryption policy from
encrypt to cleartext or from cleartext to encrypt.
• You cannot modify the key lifespan value. If you wish to modify the key lifespan, delete and
recreate the LUN with a different key lifespan value. Key lifespan values only apply to
native-mode pools.
Configuring a multi-path Crypto LUN
A single LUN may be accessed over multiple paths. A multi-path LUN is exposed and configured on
multiple CryptoTarget Containers located on the same encryption switch or blade or on different
encryption switches or blades.
CAUTION
When configuring a LUN with multiple paths, there is a considerable risk of ending up with
potentially catastrophic scenarios where different policies exist for each path of the LUN, or a
situation where one path ends up being exposed through the encryption switch and another path
has direct access to the device from a host outside the secured realm of the encryption platform.
Failure to follow proper configuration procedures for multi-path LUNs results in data corruption.
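The two failure modes named in the caution can be checked for before a multi-path LUN goes into service. The following is an added example, not part of the original guide and not Brocade code: it audits a hand-built path inventory, and the record layout, field names, serial numbers, host names and container names are all constructed for illustration (it does not parse cryptocfg output).

```python
from collections import defaultdict

# Constructed inventory, one record per host-to-LUN path:
# (lun_serial, host, container, settings). "container" is the CryptoTarget
# container the path traverses, or None when the host reaches the device
# directly. All names and values here are assumptions made for this example.
SAMPLE_PATHS = [
    ("SN-0001", "hostA", "ctc_sw1", {"policy": "encrypt", "key_lifespan": "none"}),
    ("SN-0001", "hostA", "ctc_sw2", {"policy": "encrypt", "key_lifespan": "none"}),
    ("SN-0002", "hostB", "ctc_sw1", {"policy": "encrypt", "key_lifespan": "none"}),
    ("SN-0002", "hostB", "ctc_sw2", {"policy": "cleartext", "key_lifespan": "none"}),
    ("SN-0003", "hostC", "ctc_sw1", {"policy": "encrypt", "key_lifespan": "none"}),
    ("SN-0003", "hostD", None, {}),
]


def audit_multipath(paths):
    """Return {lun_serial: [(kind, detail), ...]} for LUNs with unsafe paths."""
    by_lun = defaultdict(list)
    for lun, host, container, settings in paths:
        by_lun[lun].append((host, container, settings))

    findings = {}
    for lun, recs in sorted(by_lun.items()):
        issues = []
        protected = [r for r in recs if r[1] is not None]
        direct = [r for r in recs if r[1] is None]
        # One path goes through the encryption platform, another bypasses it.
        if protected and direct:
            issues.append(("bypass", sorted(h for h, _, _ in direct)))
        # Every setting must carry the same value on every protected path.
        for key in sorted({k for _, _, s in protected for k in s}):
            seen = {s.get(key) for _, _, s in protected}
            if len(seen) > 1:
                detail = {c: s.get(key) for _, c, s in protected}
                issues.append(("mismatch:" + key, detail))
        if issues:
            findings[lun] = issues
    return findings


if __name__ == "__main__":
    for lun, issues in audit_multipath(SAMPLE_PATHS).items():
        for kind, detail in issues:
            print(lun, kind, detail)
```

A LUN that appears in the result should not be put into service until every path traverses a CryptoTarget container and all containers carry identical settings for it.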