LKM/SSKM key vault deregistration, Creating Brocade encryption group leader – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (LKM/SSKM), 53-1002925-01, Chapter 3 (Steps for connecting to an LKM/SSKM appliance), page 129

LKM/SSKM Key Vault Deregistration

Deregistration of either Primary or Secondary LKM/SSKM key vault from an encryption switch or
blade is allowed independently.

Deregistration of Primary LKM/SSKM: You can deregister the primary LKM/SSKM from an
encryption switch or blade without deregistering the backup or secondary LKM/SSKM, for
maintenance or replacement purposes. However, while the primary LKM/SSKM is
deregistered, key creation operations will fail until either the primary LKM/SSKM is reregistered or
the secondary LKM/SSKM is deregistered and reregistered as the primary LKM/SSKM.

When the primary LKM/SSKM is replaced with a different LKM/SSKM, you must first
synchronize the DEKs from secondary LKM/SSKM before reregistering the primary
LKM/SSKM.

Deregistration of Secondary LKM/SSKM: You can deregister the secondary LKM/SSKM
independently. Future key operations will use only the primary LKM/SSKM until the secondary
LKM/SSKM is reregistered on the encryption switch or blade.

When the secondary LKM/SSKM is replaced with a different LKM/SSKM, you must first
synchronize the DEKs from primary LKM/SSKM before reregistering the secondary
LKM/SSKM.
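The registration rules above (key creation fails with no primary, a replacement vault must have the DEKs synchronized to it before it is reregistered, and a secondary can be deregistered and reregistered as primary) can be pre-checked before a maintenance window. The following is an added illustration, not Brocade code or the cryptocfg CLI: a small model of the primary/secondary registration state that raises on any step the text says would fail. Vault IDs such as "lkm-a" are constructed.

```python
"""Model of the LKM/SSKM primary/secondary key vault registration rules.

Added illustration (not Brocade code). Assumption: both vaults registered at
construction already hold a synchronized copy of the group's DEKs.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class VaultRegistration:
    primary: Optional[str]
    secondary: Optional[str]
    # Vault IDs that currently hold a full, synchronized copy of the DEKs.
    synced: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.synced |= {v for v in (self.primary, self.secondary) if v}

    def create_key(self) -> str:
        # Key creation needs a registered primary; the secondary alone is not enough.
        if self.primary is None:
            raise RuntimeError("key creation fails: no primary LKM/SSKM registered")
        return f"DEK created on {self.primary}"

    def deregister(self, role: str) -> None:
        if getattr(self, role) is None:
            raise ValueError(f"no {role} LKM/SSKM registered")
        setattr(self, role, None)

    def sync_deks(self, target: str) -> None:
        """Synchronize DEKs from the surviving registered vault to a replacement."""
        if self.primary is None and self.secondary is None:
            raise RuntimeError("no registered LKM/SSKM to synchronize DEKs from")
        self.synced.add(target)

    def reregister(self, role: str, vault: str) -> None:
        if getattr(self, role) is not None:
            raise ValueError(f"{role} already registered; deregister it first")
        if vault not in self.synced:
            raise RuntimeError(f"{vault} has no synchronized DEKs; sync_deks first")
        setattr(self, role, vault)

    def promote_secondary(self) -> None:
        """Deregister the secondary and reregister it as the primary."""
        vault = self.secondary
        self.deregister("secondary")
        self.reregister("primary", vault)


def replace_primary(reg: VaultRegistration, new_vault: str) -> str:
    """Swap in a different primary vault in the order the text requires."""
    reg.deregister("primary")
    reg.sync_deks(new_vault)          # must happen before reregistration
    reg.reregister("primary", new_vault)
    return reg.create_key()
```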

Creating Brocade encryption group leader

An encryption group consists of one or more encryption engines. Encryption groups can provide
failover/failback capabilities by organizing encryption engines into Data Encryption Key (DEK)
clusters. An encryption group has the following properties:

- It is identified by a user-defined name.
- When there is more than one member, the group is managed from a designated group leader.
- If your encryption group consists of only one node, it must be defined as an encryption group
  leader.
- All group members must share the same key manager.
- In the case of FS8-18 blades:
  - All encryption engines in a chassis are part of the same encryption group.
  - An encryption group may contain up to four DCX Backbone nodes with a maximum of four
    encryption engines per node, forming a total of 16 encryption engines.

1. Identify one node as the designated group leader and log in as Admin or SecurityAdmin.

2. Enter the cryptocfg --create -encgroup command followed by a name of your choice. The
name can be up to 15 characters long, and it can include any alphanumeric characters and
underscores. White space or other special characters are not permitted.

The following example creates the encryption group "brocade".

SecurityAdmin:switch> cryptocfg --create -encgroup brocade

Encryption group create status: Operation Succeeded.

The switch on which you create the encryption group becomes the designated group leader. After
you have created an encryption group, all group-wide operations are performed on the group
leader. If the group leader is not the only member in the encryption group, continue with
“Adding a member node to an encryption group”.