
Resource allocation, Rekeying modes, Configuring a lun for automatic rekeying – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator's Guide (SKM/ESKM), 53-1002923-01, page 198

Chapter 3: Data rekeying

Rekey temporarily uses the last 512 blocks. As a result, these blocks will be marked as
provisioned by the thin provisioned LUN.

The first 16 blocks of the LUN will be mapped automatically (if it was unmapped), after the LUN
has been configured as an encrypted LUN.

Resource allocation

A maximum of ten concurrent rekey sessions is supported per Encryption Group, with a maximum
of 10 concurrent rekey/encryption sessions per target container and 10 concurrent sessions per
physical initiator. If your configuration has two containers that are accessed by the same physical
initiator, you cannot have more than ten concurrent rekey or encryption sessions in total. This includes
both rekey (auto and manual) and first-time encryption sessions.

When scheduled rekey or first-time encryption sessions exceed the maximum allowable limit, these
sessions will be pending and a "Temporarily out of resources" message is logged. Whenever an
active rekey or first-time encryption session completes, the next pending session is scheduled.

The system checks once every 15 minutes to determine if there are any rekey or first-time
encryption sessions pending. If resources are available, the next session in the queue is processed.
There may be up to an hour lag before the next session in the queue is processed. It is therefore
recommended that you do not schedule more than 10 rekey or first-time encryption sessions.
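The admission rule above (three independent limits of 10, a pending queue, and a periodic check) is easy to get wrong when planning a rekey schedule. The following Python model is an added example written for this page, not Brocade code; the limits and the 15-minute check come from the text, while the session labels, container names and initiator WWN are constructed placeholders. It reproduces the case the guide describes: two target containers reached through one physical initiator share that initiator's budget, so 12 requested sessions yield 10 active and 2 pending.

```python
from collections import Counter
from dataclasses import dataclass, field

# Limits stated on the page: 10 per encryption group, 10 per target container,
# 10 per physical initiator; the pending queue is examined every 15 minutes.
MAX_PER_GROUP = 10
MAX_PER_CONTAINER = 10
MAX_PER_INITIATOR = 10
POLL_INTERVAL_MINUTES = 15


@dataclass(frozen=True)
class Session:
    """One rekey (auto or manual) or first-time encryption session."""
    lun: str         # constructed LUN label, e.g. "ctc_a/LUN3"
    container: str   # crypto target container the LUN belongs to
    initiator: str   # physical initiator (constructed placeholder WWN)


@dataclass
class RekeyScheduler:
    active: list = field(default_factory=list)
    pending: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def has_capacity(self, s: Session) -> bool:
        """All three limits must hold at once; two containers behind the same
        initiator still draw from that initiator's budget of 10."""
        per_container = Counter(a.container for a in self.active)
        per_initiator = Counter(a.initiator for a in self.active)
        return (len(self.active) < MAX_PER_GROUP
                and per_container[s.container] < MAX_PER_CONTAINER
                and per_initiator[s.initiator] < MAX_PER_INITIATOR)

    def submit(self, s: Session) -> str:
        """Start the session now if resources allow, otherwise queue it and log."""
        if self.has_capacity(s):
            self.active.append(s)
            return "active"
        self.pending.append(s)
        self.log.append(f"{s.lun}: Temporarily out of resources")
        return "pending"

    def complete(self, s: Session) -> None:
        """An active session finished; its resources become free."""
        self.active.remove(s)

    def poll(self) -> list:
        """The periodic check: admit queued sessions in order while resources allow."""
        admitted, still_pending = [], []
        for s in self.pending:
            if self.has_capacity(s):
                self.active.append(s)
                admitted.append(s)
            else:
                still_pending.append(s)
        self.pending = still_pending
        return admitted


def plan(sessions: list) -> dict:
    """Submit a proposed batch and report what would start immediately, what
    would queue, and how long until the queue is next examined."""
    sched = RekeyScheduler()
    for s in sessions:
        sched.submit(s)
    return {
        "active": len(sched.active),
        "pending": len(sched.pending),
        "next_check_minutes": POLL_INTERVAL_MINUTES if sched.pending else 0,
        "log": list(sched.log),
    }


def two_containers_one_initiator(n_per_container: int = 6) -> list:
    """Constructed scenario from the page: two containers reached through the
    same physical initiator, here 6 LUNs each (12 requested sessions)."""
    init = "10:00:00:05:1e:xx:xx:xx"   # placeholder initiator WWN
    return [Session(f"{ctc}/LUN{i}", ctc, init)
            for ctc in ("ctc_a", "ctc_b") for i in range(n_per_container)]


if __name__ == "__main__":
    report = plan(two_containers_one_initiator())
    print(report["active"], "started,", report["pending"], "pending")
    for line in report["log"]:
        print(line)
```

Run it as a script to see the split; `plan()` over your own intended batch tells you before scheduling whether any session will sit in the queue, which is the situation the guide advises avoiding.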

Rekeying modes

Rekeying operations can be performed under the following conditions:

Offline rekeying: The hosts accessing the LUN are offline, or host I/O is halted.

Online rekeying: The hosts accessing the LUN are online, and host I/O is active.

Configuring a LUN for automatic rekeying

Rekeying options are configured at the LUN level either during LUN configuration with the
cryptocfg --add -LUN command, or at a later time with the cryptocfg --modify -LUN command.

For rekeying of a disk array LUN, the Crypto LUN is configured in the following way:

Set LUN policy as either cleartext or encrypt.

If cleartext is enabled (default), all encryption-related options are disabled and no DEK is
associated with the LUN. No encryption is performed on the LUN.

If the LUN policy is set to encrypt, encryption is enabled on the LUN and all other options
related to encryption are enabled.

Set the auto rekeying feature with the cryptocfg -enable_rekey command and specify the
interval at which the key expires and automatic rekeying should occur (time period in days).
Enabling automatic rekeying is valid only if the LUN policy is set to encrypt and the encryption
format is Brocade native. Refer to the section "Crypto LUN parameters and policies" on
page 176 for more information.
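The rules in this procedure (cleartext is the default and disables every encryption option; automatic rekeying is valid only with policy encrypt and the Brocade native format) can be checked before a command is typed on the switch. The Python validator below is an added example for this page, not Brocade's code. Only --add -LUN, --modify -LUN and -enable_rekey appear in the text above; the flag spellings -encrypt, -cleartext and -encryption_format, the DF_compatible format name, and the positional argument order (container, LUN number, initiator PWWN) are assumptions about the cryptocfg CLI, and the container name and WWN are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed CLI vocabulary (not on the page): -encrypt / -cleartext select the
# LUN policy and -encryption_format takes native or DF_compatible.
VALID_POLICIES = ("cleartext", "encrypt")
VALID_FORMATS = ("native", "DF_compatible")


@dataclass
class LunRekeyConfig:
    container: str                      # crypto target container (constructed name)
    lun_num: int
    initiator_pwwn: str                 # constructed placeholder WWN
    policy: str = "cleartext"           # page: cleartext is the default policy
    encryption_format: str = "native"
    rekey_interval_days: Optional[int] = None   # set => enable automatic rekeying


def validate(cfg: LunRekeyConfig) -> list:
    """Return the rule violations for a proposed LUN configuration
    (an empty list means the configuration is acceptable)."""
    errors = []
    if cfg.policy not in VALID_POLICIES:
        errors.append(f"unknown LUN policy {cfg.policy!r}")
    if cfg.encryption_format not in VALID_FORMATS:
        errors.append(f"unknown encryption format {cfg.encryption_format!r}")
    if cfg.rekey_interval_days is not None:
        # Page: automatic rekeying is valid only when the policy is encrypt and
        # the format is Brocade native; cleartext disables all encryption options.
        if cfg.policy != "encrypt":
            errors.append("auto rekey requires LUN policy encrypt")
        if cfg.encryption_format != "native":
            errors.append("auto rekey requires the Brocade native encryption format")
        if cfg.rekey_interval_days <= 0:
            errors.append("rekey interval must be a positive number of days")
    return errors


def build_command(cfg: LunRekeyConfig, action: str = "add") -> str:
    """Render cryptocfg --add -LUN or --modify -LUN for a validated config.
    The positional argument order is an assumption, not taken from the page."""
    if action not in ("add", "modify"):
        raise ValueError("action must be 'add' or 'modify'")
    errors = validate(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["cryptocfg", f"--{action}", "-LUN",
             cfg.container, str(cfg.lun_num), cfg.initiator_pwwn]
    if cfg.policy == "cleartext":
        parts.append("-cleartext")      # no DEK is associated with the LUN
    else:
        parts += ["-encrypt", "-encryption_format", cfg.encryption_format]
        if cfg.rekey_interval_days is not None:
            parts += ["-enable_rekey", str(cfg.rekey_interval_days)]
    return " ".join(parts)


if __name__ == "__main__":
    wwn = "10:00:00:05:1e:xx:xx:xx"    # placeholder initiator PWWN
    ok = LunRekeyConfig("ctc_a", 3, wwn, policy="encrypt", rekey_interval_days=90)
    print(build_command(ok))
    rejected = LunRekeyConfig("ctc_a", 3, wwn, rekey_interval_days=90)
    print("rejected:", "; ".join(validate(rejected)))
```

The rejected case is the one operators most often hit: asking for -enable_rekey on a LUN that was left at the default cleartext policy, which the guide says is not a valid combination.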

NOTE

For a scheduled rekeying session to proceed, all encryption engines in a given HA cluster, DEK
cluster, or encryption group must be online, and I/O sync links must be configured. Refer to the
section "Management LAN configuration" on page 132 for more information.