Initiating a manual rekey session – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0)
Fabric OS Encryption Administrator’s Guide (LKM/SSKM), 53-1002925-01
Data rekeying
NOTE
For a scheduled rekeying session to proceed, all encryption engines in a given HA cluster, DEK cluster, or encryption group must be online, and I/O sync links must be configured. Refer to the section “Management LAN configuration” on page 118 for more information.
1. Log in to the group leader as FabricAdmin.
2. Enable automatic rekeying by setting the -enable_rekey parameter followed by a time period (in days). The following example enables the automatic rekeying feature on an existing LUN with a 90-day rekeying interval; the data on the LUN is automatically re-encrypted every 90 days.
FabricAdmin:switch> cryptocfg --modify -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a -enable_rekey 90
Operation Succeeded
3. Commit the configuration.
FabricAdmin:switch> cryptocfg --commit
Operation Succeeded
Initiating a manual rekey session
If automatic rekeying is disabled, you can initiate a rekeying session manually at your own convenience. All encryption engines in a given HA cluster, DEK cluster, or encryption group must be online for this operation to succeed. Manual rekeying is useful when a key is compromised and you want to re-encrypt the existing data on the LUN under a new key before taking action on the compromised key.
CAUTION
Do not commit this operation if there are any changes pending for the container in which the rekey was started. If you attempt to do this, the system displays a warning stating that the encryption engine is busy and that a forced commit is required for the changes to take effect. A forced commit in this situation halts any rekey that is in progress (in any container) and corrupts any LUN that is being rekeyed at the time. There is no recovery from this type of failure.
1. Log in to the group leader as FabricAdmin.
2. Do LUN discovery by issuing the cryptocfg --discoverLUN command before issuing the cryptocfg --manual_rekey command, to avoid a potential I/O timeout caused by a path state change at the host.
3. Ensure that all encryption engines in the HA cluster, DEK cluster, or encryption group are online by issuing the cryptocfg --show -groupmember -all command.
4. Enter the cryptocfg --manual_rekey command. Specify the CryptoTarget container name, the LUN number, and the initiator PWWN.
FabricAdmin:switch> cryptocfg --manual_rekey my_disk_tgt 0x0 \
10:00:00:05:1e:53:37:99
Operation Succeeded
Please check the status of the operation using "cryptocfg --show -rekey"
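The following POSIX shell wrapper is an added example, not code from the guide or from Brocade. It runs the steps of both procedures on this page (the automatic-rekey -enable_rekey change and the manual rekey) from an operator workstation, with the preconditions the text states enforced as gates: LUN number and PWWN are validated before anything is sent to the switch, --discoverLUN runs before --manual_rekey, every engine must report online, and a commit is refused while any rekey session is still running, which is the failure mode the CAUTION above describes. Assumptions not taken from this page: ssh access to the group leader as FabricAdmin, that --discoverLUN takes the container name as its argument, that cryptocfg --show -rekey -all lists all sessions, and the "State:" / "In Progress" text patterns used to parse cryptocfg output, which the guide does not print and which must be checked against your Fabric OS release before use.

```shell
#!/bin/sh
# Added example (not Brocade's code): preflight wrapper around the cryptocfg
# steps on this page. Assumes ssh access to the group leader as FabricAdmin.
# The subcommands are the ones the guide names; the "State:" / "In Progress"
# text patterns are ASSUMPTIONS about cryptocfg output, not documented here.

SWITCH="${SWITCH:-switch}"              # group leader hostname (assumed)
RUN="${RUN:-ssh FabricAdmin@$SWITCH}"   # how a command reaches the leader

# Port WWN: eight colon-separated hex octets, e.g. 10:00:00:05:1e:53:37:99.
valid_pwwn() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$'
}

# LUN number as the guide writes it: hex with a 0x prefix, e.g. 0x0.
# The accepted range (up to 0xffff) is an assumption.
valid_lun() {
    printf '%s' "$1" | grep -Eq '^0x[0-9a-fA-F]{1,4}$'
}

# Text of "cryptocfg --show -groupmember -all" on stdin: succeed only if every
# line that reports a state says Online. ASSUMED line shape: "... State: <x>".
all_engines_online() {
    states=$(grep -i 'state:' | awk -F': *' '{print tolower($NF)}')
    [ -n "$states" ] || return 1          # nothing parsed: refuse to proceed
    ! printf '%s\n' "$states" | grep -vq '^online$'
}

# Text of "cryptocfg --show -rekey -all" on stdin: succeed if no session is
# still running. ASSUMED: an active session prints "In Progress".
no_rekey_in_progress() {
    ! grep -iq 'in progress'
}

# Commit only when no rekey is running anywhere in the group: per the CAUTION
# on this page, a forced commit halts the rekey and corrupts the LUN.
safe_commit() {
    $RUN "cryptocfg --show -rekey -all" | no_rekey_in_progress \
        || { echo "rekey in progress; refusing to commit" >&2; return 1; }
    $RUN "cryptocfg --commit"
}

# Enable scheduled rekeying on a LUN (the earlier procedure on this page).
# The interval must be a positive whole number of days.
enable_auto_rekey() {
    container=$1; lun=$2; pwwn=$3; days=$4
    valid_lun "$lun" && valid_pwwn "$pwwn" || { echo "bad LUN or PWWN" >&2; return 2; }
    printf '%s' "$days" | grep -Eq '^[1-9][0-9]*$' \
        || { echo "bad interval: $days" >&2; return 2; }
    $RUN "cryptocfg --modify -LUN $container $lun $pwwn -enable_rekey $days" \
        && safe_commit
}

# The manual rekey procedure with its preconditions enforced as gates.
manual_rekey() {
    container=$1; lun=$2; pwwn=$3
    valid_lun "$lun" && valid_pwwn "$pwwn" || { echo "bad LUN or PWWN" >&2; return 2; }
    # Step 2: rediscover LUNs first to avoid the host-side path-state I/O timeout.
    $RUN "cryptocfg --discoverLUN $container" || return 1
    # Step 3: every engine in the HA cluster / DEK cluster / group must be online.
    $RUN "cryptocfg --show -groupmember -all" | all_engines_online \
        || { echo "not all encryption engines online; aborting" >&2; return 1; }
    # Never stack a second session on one that is still running.
    $RUN "cryptocfg --show -rekey -all" | no_rekey_in_progress \
        || { echo "a rekey session is already running; aborting" >&2; return 1; }
    # Step 4: start the session; watch it with cryptocfg --show -rekey and
    # call safe_commit only after it has finished.
    $RUN "cryptocfg --manual_rekey $container $lun $pwwn"
}

# Usage from an operator workstation:
#   SWITCH=switch1 sh rekey.sh my_disk_tgt 0x0 10:00:00:05:1e:53:37:99
if [ "$#" -eq 3 ]; then
    manual_rekey "$1" "$2" "$3"
fi
```

The parsing functions read command output from stdin so they can be exercised offline against constructed text before the script ever touches a switch; set RUN to a stub (for example RUN=echo) to dry-run the command lines the script would send. The deliberate choice is that manual_rekey never commits: the operator confirms completion with cryptocfg --show -rekey and then runs safe_commit, which re-checks for running sessions rather than trusting that enough time has passed.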