
Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual: Impact of tape LUN configuration changes, Configuring a multi-path Crypto LUN


53-1002925-01


For tape LUNs, the -enable_encexistingdata, -enable_rekey, and -key_lifespan options are not
valid and therefore cannot be modified. When you attempt to execute these parameters while
modifying a tape LUN, the system returns an error. Disabling -write_early_ack or -read_ahead for
a tape LUN will result in lower total throughput depending on the number of flows per encryption
engine.

NOTE

Make sure all the outstanding backup and recovery operations on the media are completed before
changing the LUN configuration.

For disk LUNs, -write_early_ack and -read_ahead are not valid and therefore cannot be modified.
When you attempt to execute these parameters while modifying a disk LUN, the system returns an
error.

For specific handling of encryption policy changes when using DF-compatible encryption format,
refer to Appendix B, “LUN Policies”.

Impact of tape LUN configuration changes

LUN-level policies apply when no policies are configured at the tape pool level. The following
restrictions apply when modifying tape LUN configuration parameters:

If you change a tape LUN policy from encrypt to cleartext or from cleartext to encrypt, or if you
change the encryption format from Brocade native to DF-compatible while data is written to or
read from a tape backup device, the policy change is not enforced until the current process
completes and the tape is unmounted, rewound, or overwritten. This mechanism prevents the
mixing of cleartext data with cipher-text data on the tape.

Make sure you understand the ramifications of changing the tape LUN encryption policy from
encrypt to cleartext or from cleartext to encrypt. Refer to Appendix B, “LUN Policies” for
information on the impact of policy changes when working in DataFort-compatible encryption
format.

You cannot modify the key lifespan value. If you wish to modify the key lifespan, delete and
recreate the LUN with a different key lifespan value. Key lifespan values only apply to
native-mode pools. When in DF-compatible mode, every new media receives a unique key,
matching DataFort behavior.

Configuring a multi-path Crypto LUN

A single LUN may be accessed over multiple paths. A multi-path LUN is exposed and configured on
multiple CryptoTarget Containers located on the same encryption switch or blade or on different
encryption switches or blades.

CAUTION

When configuring a LUN with multiple paths, there is a considerable risk of ending up with
potentially catastrophic scenarios where different policies exist for each path of the LUN, or a
situation where one path ends up being exposed through the encryption switch and another path
has direct access to the device from a host outside the secured realm of the encryption platform.
Failure to follow proper configuration procedures for multi-path LUNs results in data corruption.
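
The two failure scenarios named in the caution can be checked before a change is committed. The following is an added example, not taken from the Brocade guide or from Fabric OS: it audits a constructed path inventory for LUNs whose paths carry different policies or bypass the encryption platform. The record fields, container names, and LUN names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory: one record per path to a LUN. Field names are
# assumptions for this example, not Fabric OS output. "container" is the
# CryptoTarget Container the path goes through, or None for a path that
# reaches the device without passing the encryption switch or blade.
PATHS = [
    {"lun": "LUN-A", "container": "ctc_sw1_p1", "policy": "encrypt", "format": "native"},
    {"lun": "LUN-A", "container": "ctc_sw2_p1", "policy": "encrypt", "format": "native"},
    {"lun": "LUN-B", "container": "ctc_sw1_p2", "policy": "encrypt", "format": "native"},
    {"lun": "LUN-B", "container": "ctc_sw2_p2", "policy": "cleartext", "format": "native"},
    {"lun": "LUN-C", "container": "ctc_sw1_p3", "policy": "encrypt", "format": "native"},
    {"lun": "LUN-C", "container": None, "policy": None, "format": None},
]

def audit_multipath(paths):
    """Return {lun: [findings]} for LUNs whose paths are not configured alike."""
    by_lun = defaultdict(list)
    for p in paths:
        by_lun[p["lun"]].append(p)

    findings = {}
    for lun, plist in sorted(by_lun.items()):
        issues = []
        direct = [p for p in plist if p["container"] is None]
        via = [p for p in plist if p["container"] is not None]
        # A path outside every container bypasses the encryption platform.
        if direct and via:
            issues.append(f"{len(direct)} path(s) bypass the encryption platform")
        # Every path through a container must carry the same policy settings.
        for field in ("policy", "format"):
            values = {}
            for p in via:
                values.setdefault(p[field], []).append(p["container"])
            if len(values) > 1:
                detail = "; ".join(f"{v}: {', '.join(c)}"
                                   for v, c in sorted(values.items(), key=str))
                issues.append(f"{field} differs across paths ({detail})")
        if issues:
            findings[lun] = issues
    return findings

if __name__ == "__main__":
    for lun, issues in audit_multipath(PATHS).items():
        for issue in issues:
            print(f"{lun}: {issue}")
```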