Modifying crypto lun parameters, Lun modification considerations – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

Crypto LUN configuration

Modifying Crypto LUN parameters

You can modify one or more policies of an existing Crypto LUN with the cryptocfg --modify -LUN command.

A maximum of 25 disk LUNs can be added or modified in a single commit operation. Attempts to
commit configurations or modifications that exceed the maximum commit allowed will fail with a
warning. There is a five-second delay before the commit operation takes effect.

Make sure the LUNs in previously committed LUN configurations and LUN modifications have a
LUN state of Encryption Enabled before creating and committing another batch of LUN
configurations or modifications.

The following example disables automatic rekeying operations on the disk LUN “my_disk_tgt.”

1. Log in to the group leader as Admin or FabricAdmin.

2. Enter the cryptocfg --modify -LUN command followed by the CryptoTarget container name, the LUN Number, the initiator PWWN, and the parameter you want to modify.

FabricAdmin:switch> cryptocfg --modify -LUN my_disk_tgt 0x0 10:00:00:00:c9:2b:c9:3a -disable_rekey

Operation Succeeded

3. Commit the configuration.

FabricAdmin:switch> cryptocfg --commit

Operation Succeeded

CAUTION

When configuring a LUN with multiple paths, do not commit the configuration before you have
modified all the LUNs with identical policy settings and in sequence for each of the CryptoTarget
containers for each of the paths accessing the LUNs. Failure to do so results in data corruption.
Refer to the section “Configuring a multi-path Crypto LUN” on page 153.

LUN modification considerations

Make sure you understand the ramifications of modifying LUN policy parameters (such as
encrypt/cleartext) for LUNs that are online and already being utilized. The following restrictions
apply when modifying LUN policy parameters for disk LUNs:

When you change LUN policy from encrypt to cleartext, you wipe out all encrypted data stored
on the LUN the next time data is written to that LUN. The following policy parameters are
disabled: -enable_encexistingdata, -enable_rekey.

When you change the LUN policy back to encrypt, for example, by force-enabling the LUN,
-enable_encexistingdata and -enable_rekey are disabled by default, and you must configure
both options again.

When you add a LUN as cleartext and later you want to change the LUN policy from cleartext to
encrypt, you must set the -enable_encexistingdata option. If you do not, all data on that LUN
is lost, and cannot be recovered.
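
The following added example is not part of the Brocade guide. It is a pre-commit check that applies the commit limit, the multi-path caution, and the restrictions above to a planned batch of modifications before cryptocfg --commit is entered. The plan format, the function name, and the sample container names other than my_disk_tgt are hypothetical, and counting the 25-LUN limit per batch entry is an assumption.

```python
from collections import defaultdict

MAX_LUNS_PER_COMMIT = 25  # limit stated in the guide; counted per batch entry here (assumption)
ENCRYPT_ONLY = {"-enable_encexistingdata", "-enable_rekey"}

def check_batch(changes, known_paths):
    """Return findings for a planned batch; an empty list means no rule was tripped.

    changes: list of dicts with hypothetical keys lun_id, container,
             old_policy, new_policy ("encrypt"/"cleartext"), options (set of names).
    known_paths: lun_id -> set of CryptoTarget containers fronting that LUN.
    """
    findings = []
    if len(changes) > MAX_LUNS_PER_COMMIT:
        findings.append(f"batch: {len(changes)} entries exceeds the {MAX_LUNS_PER_COMMIT}-LUN commit limit")
    by_lun = defaultdict(list)
    for c in changes:
        by_lun[c["lun_id"]].append(c)
        old, new, opts = c["old_policy"], c["new_policy"], c["options"]
        where = f'{c["lun_id"]}@{c["container"]}'
        if old == "cleartext" and new == "encrypt" and "-enable_encexistingdata" not in opts:
            findings.append(f"{where}: cleartext->encrypt without -enable_encexistingdata loses existing data")
        if old == "encrypt" and new == "cleartext":
            findings.append(f"{where}: encrypt->cleartext wipes encrypted data on next write")
        if new == "cleartext" and opts & ENCRYPT_ONLY:
            findings.append(f"{where}: {sorted(opts & ENCRYPT_ONLY)} are disabled under cleartext")
    # Multi-path rule: every path to a LUN must be in the batch with identical settings.
    for lun_id, paths in by_lun.items():
        missing = known_paths.get(lun_id, set()) - {p["container"] for p in paths}
        if missing:
            findings.append(f"{lun_id}: paths not yet modified: {sorted(missing)}")
        if len({(p["new_policy"], frozenset(p["options"])) for p in paths}) > 1:
            findings.append(f"{lun_id}: policy settings differ between paths")
    return findings

# Constructed sample plan: one dual-path LUN and one single-path LUN.
SAMPLE_PATHS = {"lun_a": {"tgt_path1", "tgt_path2"}, "lun_b": {"my_disk_tgt"}}
SAMPLE_PLAN = [
    {"lun_id": "lun_a", "container": "tgt_path1", "old_policy": "cleartext",
     "new_policy": "encrypt", "options": {"-enable_encexistingdata"}},
    {"lun_id": "lun_b", "container": "my_disk_tgt", "old_policy": "cleartext",
     "new_policy": "encrypt", "options": set()},
]

if __name__ == "__main__":
    for finding in check_batch(SAMPLE_PLAN, SAMPLE_PATHS):
        print("HOLD COMMIT:", finding)
```

The check only inspects the plan it is given; the LUN state of Encryption Enabled for previously committed batches still has to be confirmed on the switch.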