Lkm/sskm key vault high availability deployment, Tape lun and df -compatible tape pool support – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Page 146

128
Fabric OS Encryption Administrator’s Guide (LKM/SSKM)
53-1002925-01
Steps for connecting to an LKM/SSKM appliance
3
Secondary Key Vault not configured
[output truncated]
LKM/SSKM key vault high availability deployment
Two LKM/SSKM appliances can be used together to provide high availability. Both LKM/SSKMs must be registered and configured with link keys before any crypto operations are started.
Disk keys and tape pool keys (Brocade native mode support)
DEK creation, retrieval, and update for disk and tape pool keys in Brocade native mode are as follows:
• DEK creation: The DEK is archived to the primary LKM/SSKM. Upon successful archival of the DEK to the primary LKM/SSKM, the DEK is read from the secondary LKM/SSKM until it is synchronized to the secondary LKM/SSKM, or until a timeout of 10 seconds occurs (2 seconds with 5 retries). If successful, the created DEK can be used for encrypting disk LUNs or tape pools in Brocade native mode. If key archival of the DEK to the primary LKM/SSKM fails, an error is logged and the operation is retried. If the failure happens after archival of the DEK to the primary LKM/SSKM, but before synchronization to the secondary, a VAULT_OFFLINE error is logged and the operation is retried. Any DEK archived to the primary in this case is not used.
• DEK retrieval: The DEK is retrieved from the primary LKM/SSKM if the primary LKM/SSKM is online and reachable. If the registered primary LKM/SSKM is not online or not reachable, the DEK is retrieved from a clustered secondary LKM/SSKM.
• DEK update: DEK update behavior is the same as DEK creation.
Tape LUN and DF-compatible tape pool support
DEK creation, retrieval, and update for disk and tape pool keys in DataFort-compatible mode are as follows:
• DEK creation: The DEK is created and archived to the primary LKM/SSKM only. Upon successful archival of the DEK to the primary LKM/SSKM, the DEK can be used for encryption of a tape LUN or DF-compatible tape pool. The DEK is synchronized to a secondary LKM/SSKM through clustering. If DEK archival to the primary LKM/SSKM fails, DEK archival is retried to the clustered secondary LKM/SSKM. If DEK archival to the secondary LKM/SSKM also fails, an error is logged and the operation is retried.
• DEK retrieval: The DEK is retrieved from the primary LKM/SSKM if the primary is online and reachable. If the primary LKM/SSKM is not online or not reachable, the DEK is retrieved from the clustered secondary LKM/SSKM.
• DEK update: DEK update behavior is the same as DEK creation.
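The two DEK-creation policies above (native mode, which refuses to use a DEK until the secondary can return it within 2 s x 5 retries, and DF-compatible mode, which archives to the primary and only falls back to the secondary on failure) and the shared primary-first retrieval rule, as an added simulation that is not Brocade's or NetApp's code. The SimVault class, the key-vault API it exposes, and the status strings are constructed for illustration; the sleep parameter is injectable so the retry timing can be tested without waiting.

```python
import time

class SimVault:  # constructed stand-in for one LKM/SSKM appliance, not Brocade code
    def __init__(self, online=True):
        self.online, self.keys = online, {}  # keys: key_id -> DEK bytes
    def archive(self, key_id, dek):
        if not self.online:
            raise ConnectionError("vault unreachable")
        self.keys[key_id] = dek
    def read(self, key_id):
        if not self.online:
            raise ConnectionError("vault unreachable")
        return self.keys.get(key_id)

def create_dek_native(primary, secondary, key_id, dek,
                      retries=5, interval=2.0, sleep=time.sleep):
    # Native mode: archive to primary, then poll the secondary until it returns
    # the DEK (2 s x 5 retries = 10 s). Only then may the DEK encrypt data.
    try:
        primary.archive(key_id, dek)
    except ConnectionError:
        return "ARCHIVE_FAILED"  # error logged, operation retried later
    for _ in range(retries):
        try:
            if secondary.read(key_id) == dek:
                return "OK"
        except ConnectionError:
            pass
        sleep(interval)
    return "VAULT_OFFLINE"  # DEK already on primary is NOT used

def create_dek_df_compatible(primary, secondary, key_id, dek):
    # DF-compatible mode: archive to primary only; on failure fall back to the
    # clustered secondary. Clustering synchronizes the pair afterwards.
    for vault in (primary, secondary):
        try:
            vault.archive(key_id, dek)
            return "OK"
        except ConnectionError:
            continue
    return "ARCHIVE_FAILED"  # both vaults failed: error logged, retried

def retrieve_dek(primary, secondary, key_id):
    # Both modes: primary if reachable, else clustered secondary; None if neither.
    for vault in (primary, secondary):
        try:
            return vault.read(key_id)
        except ConnectionError:
            continue
```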