Thin provisioned lun limitations during rekey, Resource allocation, Rekeying modes – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

170

Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

Data rekeying

3

Thin provisioned LUN limitations during rekey

•

The WRITE_SAME command will not be supported for the unmap operation.

•

The UNMAP command will be rejected during a rekey.

•

Rekey temporarily uses the last 512 blocks. As a result, these blocks will be marked as
provisioned by the thin provisioned LUN.

•

The first 16 blocks of the LUN will be mapped automatically (if it was unmapped), after the LUN
has been configured as an encrypted LUN.

Resource allocation

A maximum of ten concurrent rekey sessions are supported per Encryption Group, with a maximum
of ten concurrent rekey/encryption sessions per target container and 10 concurrent sessions per
physical initiator. If your configuration has two containers that are accessed by the same physical
initiator, you cannot have more than ten concurrent rekey or encryption sessions. This includes
both rekey (auto and manual) and first time encryption sessions.

When scheduled rekey or first time encryption sessions exceed the maximum allowable limit, these
sessions will be pending and a Temporarily out of resources message is logged. Whenever an
active rekey of first time encryption session completes, the next pending session is scheduled.

The system checks once every 15 minutes to determine if there are any rekey or first time
encryption sessions pending. If resources are available, the next session in the queue is processed.
There may be up to an hour lag before the next session in the queue is processed. It is therefore
recommended that you do not schedule more than 10 rekey or first-time encryption sessions.

Rekeying modes

Rekeying operations can be performed under the following conditions:

•

Offline rekeying: The hosts accessing the LUN are offline, or host I/O is halted.

•

Online rekeying: The hosts accessing the LUN are online, and host I/O is active.

Configuring a LUN for automatic rekeying

Rekeying options are configured at the LUN level either during LUN configuration with the
cryptocfg

--

add

-

LUN command, or at a later time with the cryptocfg

--

modify

-

LUN command.

For rekeying of a disk array LUN, the Crypto LUN is configured in the following way:

1. Set LUN policy as either cleartext or encrypt.

•

If cleartext is enabled (default), all encryption-related options are disabled and no DEK is
associated with the LUN. No encryption is performed on the LUN.

•

If the LUN policy is set to encrypt, encryption is enabled on the LUN and all other options
related to encryption are enabled. A DEK is generated and associated with the LUN.

2. Set the auto rekeying feature with the cryptocfg

--

enable_rekey command and specify the

interval at which the key expires and automatic rekeying should occur (time period in days)
Enabling automatic rekeying is valid only if the LUN policy is set to encrypt and the encryption
format is Brocade native. Refer to the section

“Crypto LUN parameters and policies”

on

page 147 for more information.