Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

Decommissioning LUNs

Upon successful completion of a decommissioning operation, the LUN is deleted from all
containers hosting it, and all active paths to the LUN are lost.

NOTE

In a mixed encryption group consisting of nodes running Fabric OS 7.0.0 and an earlier Fabric OS
version (for example, Fabric OS 6.4.2), the decommission operation will complete successfully and
the LUNs will be removed from the hosting containers; however, the list of decommissioned key IDs
might not be displayed correctly from all nodes in the encryption group. To resolve this, ensure that
the same Fabric OS version is running on all nodes in the encryption group. Otherwise, some of the
crypto commands might not work as expected.

Complete the following procedure to decommission a disk LUN.

1. Log in as Admin or FabricAdmin to the node that hosts the container.

2. Enter the cryptocfg --decommission command.

FabricAdmin:switch> cryptocfg --decommission -container disk_ct0 -initiator 21:01:00:1b:32:29:5d:1c -LUN 0

3. Enter the cryptocfg --show -decommissionedkeyids command to obtain a list of all currently
decommissioned key IDs. These are the key IDs that must be deleted manually from the key vault
(step 5) before the list is purged (step 6).

FabricAdmin:switch> cryptocfg --show -decommissionedkeyids

4. Enter the cryptocfg --show -vendorspecific_keyid command to list the vendor-specific key
information for a given key ID.

FabricAdmin:switch> cryptocfg --show -vendorspecific_keyid AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4
uuid = b7e07a6a-db64-40c2-883a-0bc6c4e923e6

5. Manually delete the listed key IDs from the key vault.

6. Enter the cryptocfg --delete -decommissionedkeyids command to purge all key IDs associated
with a decommissioned LUN.

FabricAdmin:switch> cryptocfg --delete -decommissionedkeyids

7. Enter the cryptocfg --show -decommissionedkeyids command to verify that the deleted key IDs
are no longer listed.

The cache is also cleared when cryptocfg --zeroizeEE is executed on the encryption engine.
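Steps 5 through 7 hinge on comparing two listings: the key IDs shown before the purge (which must be removed from the key vault by hand) and whatever is still shown afterwards. The shell helper below is an added example, not part of the Brocade guide: it extracts key IDs from saved output of cryptocfg --show -decommissionedkeyids and confirms that none of the IDs listed before cryptocfg --delete -decommissionedkeyids survive in the listing taken afterwards. The listing text is constructed for the example (the guide shows only the 16-byte colon-separated key ID format, and the first key ID is the one from step 4); the script assumes you have copied the two listings off the switch and never runs cryptocfg itself.

```shell
#!/bin/sh
# Added example, not from the Brocade guide: check step 7 of the LUN
# decommissioning procedure from two saved CLI listings. Run
# "cryptocfg --show -decommissionedkeyids" before and after
# "cryptocfg --delete -decommissionedkeyids", save both outputs, and pass
# them to verify_purged. This script never executes cryptocfg.

# Extract key IDs from a saved listing. The guide shows key IDs as 16
# colon-separated hex bytes (AA:8B:...:CA:B4); all other text is ignored.
extract_key_ids() {
    printf '%s\n' "$1" | grep -Eo '([0-9A-Fa-f]{2}:){15}[0-9A-Fa-f]{2}' | sort -u
}

# Number of distinct key IDs in a listing (0 for an empty listing).
count_key_ids() {
    extract_key_ids "$1" | wc -l | tr -d ' '
}

# Return 0 when no key ID from the BEFORE listing ($1) is still present in
# the AFTER listing ($2); otherwise report the survivors and return 1.
verify_purged() {
    before_ids=$(extract_key_ids "$1")
    after_ids=$(extract_key_ids "$2")
    leftover=0
    for id in $before_ids; do
        if printf '%s\n' "$after_ids" | grep -qxF "$id"; then
            echo "still listed after purge: $id" >&2
            leftover=1
        fi
    done
    return $leftover
}

# Constructed sample listings. The guide does not show this command's
# output layout; only the key ID format (and the first ID) is taken from it.
BEFORE_PURGE='Decommissioned Key IDs:
AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4
0C:2E:6D:44:19:A1:7B:3C:90:F0:55:E2:8D:6A:21:9F'

AFTER_PURGE='Decommissioned Key IDs:
No decommissioned key IDs found'

# A partial purge: one ID remains, so verify_purged must fail on it.
AFTER_PARTIAL='Decommissioned Key IDs:
0C:2E:6D:44:19:A1:7B:3C:90:F0:55:E2:8D:6A:21:9F'

echo "key IDs to delete from the key vault (step 5):"
extract_key_ids "$BEFORE_PURGE"
if verify_purged "$BEFORE_PURGE" "$AFTER_PURGE"; then
    echo "step 7 check passed: all decommissioned key IDs purged"
fi
```

The extracted list from the before-purge listing is the work list for step 5; run verify_purged once more after the cryptocfg --delete command and treat any "still listed after purge" line as a reason to re-run step 3 on every node in the encryption group, since the note above explains that mixed Fabric OS versions can make the list differ between nodes.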

NOTE

When a decommissioned LUN is reused and the decommissioned key IDs are listed using the
cryptocfg --show -decommissionedkeyids command, the entire list of decommissioned key IDs
since the first time the LUN was used is displayed.

If you are running Fabric OS 7.1.0 or later and want to downgrade to an earlier Fabric OS
version (for example, Fabric OS 7.0.x) after decommissioning a disk LUN, it is recommended
that you remove the decommissioned key ID from the key vault before performing the
downgrade. Otherwise, if the LUN is added back for encryption, the LUN will go to the disabled
state because the key state is decommissioned in the key vault.