Thin provisioning support – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (LKM/SSKM)
53-1002925-01
Thin provisioned LUNs
NOTE:
• For thin provisioned LUNs that were previously full provisioned then converted to thin, a
discoverLUN command must be performed prior to any rekeying operations. Failure to do so
results in the full capacity of the LUN being encrypted as if it were not thin provisioned.
Updated thin provisioned status can be verified using the
cryptocfg --show -container -all -stat command and checking the output for
“Thin Provision LUN: Yes”. Similarly, if a thin- to full-LUN conversion has been performed,
a discoverLUN command must be performed for this LUN change to be reflected on the Brocade
Encryption Switch or FS8-18 blade.
• If a LUN is a thin provisioned LUN, LUN status is shown as Yes. (Thin provision support is
limited to Brocade-tested storage arrays. The thin provisioned LUN status will be displayed as
Yes for supported storage arrays only.)
• If a LUN is not a thin provisioned LUN or if thin provisioning is not supported with the LUN, LUN
status is shown as No. (This can be a result of the array not supporting thin provisioning, or of
the Brocade Encryption Switch/blade not supporting the thin provisioning features of the array.
Refer to the Fabric OS release notes for supported arrays.)
• If LUN status cannot be determined, LUN status is shown as Unknown.
• If you are running a Fabric OS version earlier than v7.1.0, LUN status is shown as Not
Applicable.
• Zero detect with encryption is not supported.
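The pre-rekey check described in the first note can be scripted against saved command output. The following is an added example, not code from the guide or from Brocade: it compares the "Thin Provision LUN" status the switch reports with the provisioning the storage array reports and lists the LUNs that need a discoverLUN before rekeying. The sample output is constructed, and the "LUN number:" line used to separate records, the function names and the inventory mapping are assumptions; only the "Thin Provision LUN:" field and its status values come from this page.

```python
# Added example: checks saved `cryptocfg --show -container -all -stat` output
# against the provisioning the storage array reports, before a rekey.

# Constructed sample, not real switch output. Only the "Thin Provision LUN:"
# field comes from the guide; the "LUN number:" record delimiter is assumed.
SAMPLE_OUTPUT = """\
LUN number: 0x0
Thin Provision LUN: Yes
LUN number: 0x1
Thin Provision LUN: No
LUN number: 0x2
Thin Provision LUN: Yes
LUN number: 0x3
Thin Provision LUN: Unknown
LUN number: 0x4
"""

def thin_status_by_lun(text, lun_key="LUN number"):
    """Map each LUN id to its reported thin status (None if the field is absent)."""
    statuses, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == lun_key:
            current = value
            statuses[current] = None
        elif key == "Thin Provision LUN" and current is not None:
            statuses[current] = value
    return statuses

def provisioning_mismatches(text, array_is_thin):
    """Return {lun: reason} where the switch view disagrees with the array.

    array_is_thin maps LUN id -> True (thin on the array) or False (full).
    Only "Yes" counts as thin; No, Unknown and Not Applicable do not.
    """
    reported = thin_status_by_lun(text)
    problems = {}
    for lun, is_thin in array_is_thin.items():
        if lun not in reported:
            problems[lun] = "LUN not found in output"
        elif (reported[lun] == "Yes") != is_thin:
            want = "thin" if is_thin else "full"
            problems[lun] = f"switch shows {reported[lun]!r}, array is {want}"
    return problems

if __name__ == "__main__":
    inventory = {"0x0": True, "0x1": True, "0x2": False, "0x3": False, "0x4": True}
    for lun, reason in provisioning_mismatches(SAMPLE_OUTPUT, inventory).items():
        print(f"{lun}: {reason}; run discoverLUN and re-check before rekeying")
```

A LUN that still mismatches after discoverLUN falls under the No or Unknown cases in the notes above, and a rekey would cover its full logical capacity.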
Thin provisioning support
Thin-provisioned logical unit numbers (LUNs) are increasingly used to support a pay-as-you-grow
strategy for data storage capacity. Also known as dynamic provisioning, virtual LUNs, or thin LUNs,
the same technology that allows storage administrators to allocate physical disk space to LUNs on
an as-needed basis creates limitations around certain data-at-rest encryption operations that use
the Brocade Encryption Switch or blade. Performing first-time encryption (FTE) (conversion of
cleartext to ciphertext) and data rekeying operations (applying new data encryption keys to
ciphertext data) on thin-provisioned LUNs results in an attempt by the encryption switch to
overwrite data up to the logical size of the thin-provisioned LUN, rather than limiting
FTE/rekeying to the physically allocated size of the LUN or to the data that has been written.
This generally triggers the allocation of additional blocks to the thin-provisioned LUN, using up the
amount of physical disk space that is available to the LUN and defeating the objective of using thin
provisioning.
Additionally, for thin-provision capable storage products that support space reclamation based on
data pattern recognition (for example, ‘string of zeros’), the encryption of such patterns will
interfere with the space reclamation functionality of the storage and should be avoided.
Certain types of storage have been successfully tested by limiting the use of thin provisioning to
“greenfield” LUNs, or LUNs that do not have any written data yet. Rekeying operations on these
LUNs, like FTE, are also not permitted. As these limitations are not feasible for most environments,
the recommendation from Brocade is that any encrypted LUNs be fully provisioned with disk.