Decommissioning in an eg containing mixed modes, Decommissioning a multi-path lun, Disk metadata – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

198

Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

Decommissioning in an EG containing mixed modes

5

Decommissioning in an EG containing mixed modes

If you have an encryption group (EG) that contains mixed nodes, (for example, one member node is
running Fabric OS 7.0.0 and another member node is running Fabric OS 6.4.2), you might notice
that after you decommission a LUN, the decommissioned Key IDs might not be displayed on the
node running v6.4.2, even though the decommission operation was successful.

In a mixed encryption group consisting of nodes running Fabric OS 7.0.0 and an earlier Fabric OS
version, such as 6.4.x, the decommission operation will complete successfully and the LUNs will be
removed from the hosted containers; however, the list of decommissioned key IDs might not be
displayed correctly from all nodes in the encryption group. To resolve this, ensure that the Fabric OS
version running on all nodes in an encryption group is the same version. Otherwise some of the
crypto commands might not work as expected.

Decommissioning a multi-path LUN

When issuing a decommission command on a multi-path LUN on the Group Leader of an
encryption group, make sure you do not issue a second decommission request from another path
to the same LUN from a member node. Doing so causes a timeout with an accompanying message,
"EE(s) is busy. Please try it later."

You can avoid this scenario by making sure that a second decommission operation is not
requested on a node where the LUN state is shown as “Commit in progress.”

If you are in a position whereby you receive the error message, simply re-issue the decommission
request.

Disk metadata

If possible, 32 bytes of metadata are added to every block in LBA range 1 to 16 for both the native
Brocade format and DF-compatible formats. This metadata is not visible to the host. The Host I/Os
for the metadata region of the LUN are handled in the encryption switch software, and some
additional latency should be expected.

NOTE

For encrypted LUNs, data in LBA 0 will always be in cleartext.

Tape metadata

One kilobyte of metadata is added per tape block for both the native Brocade format and
DF-compatible formats. Tape block size (as configured by host) is modified by the encryption device
to accommodate 1K metadata per block. A given tape can have a mix of compressed and
uncompressed blocks. Block lengths are as follows.

Encrypted/Compressed
Tape Block Format

Compressed and encrypted tape block data + 1K metadata + ASCII 0 pad = block
length of tape.

Encrypted Tape Block
Format (No Compression)

Encrypted tape block data + 1K metadata = block length of tape.