Brocade Fabric OS Command Reference (Supporting Fabric OS v7.3.0) User Manual

Page 216

background image

186

Fabric OS Command Reference

53-1003131-01

cryptoCfg

2

cryptocfg --leave_encryption_group

cryptocfg --genmasterkey

cryptocfg --exportmasterkey [-file]

cryptocfg --recovermasterkey currentMK | alternateMK
-keyID keyID | -srcfile filename

cryptocfg --show -mkexported_keyids key_id

cryptocfg --show -groupcfg

cryptocfg --show -groupmember -all | node_WWN

cryptocfg --show -egstatus -cfg | -stat

cryptocfg --sync -encgroup

cryptocfg --sync -securitydb

cryptocfg --perfshow [slot] [-tx | -rx | -tx -rx] [-t interval]

DESCRIPTION

Use these cryptoCfg commands to create or delete an encryption group, to add or remove group
member nodes, key vaults, and authentication cards, to enable or disable system cards, to enable
quorum authentication and set the quorum size, to manage keys including key recovery from backup, to
configure group-wide policies, and to sync the encryption group databases.

An encryption group is a collection of encryption engines that share the same key vault and are managed
as a group. All EEs in a node are part of the same encryption group. An encryption group can include up
to four nodes, and each node can contain up to four encryption engines. The maximum number of EEs
per encryption group is sixteen (four per member node).

With the exception of the --help and --show commands, all group configuration functions must be
performed from the designated group leader. The encryption switch or blade on which you create the
encryption group becomes the designated group leader. The group leader distributes all relevant
configuration data to the member nodes in the encryption group.

The groupCfg commands include three display options that show group configuration, runtime status,
and group member information. Refer to the Appendix of the Fabric OS Encryption Administrator's Guide
for a more comprehensive explanation of system states.

Use the --show -groupcfg command to display encryption group and member configuration
parameters, including the following parameters:

Encryption group name: user-defined label

Encryption group policies:

-

Failback mode: Auto or Manual

-

Replication mode: Enabled or Disabled

-

Heartbeat misses: numeric value

-

Heartbeat timeout: value in seconds

-

Key Vault Type: LKM, DPM, SKM, TEKA, KMIP, or TKLM

-

System Card: Disabled or Enabled

For each configured key vault, primary and secondary, the command shows:

-

IP address: The key vault IP address

-

Certificate ID: the key vault certificate name