Manual rekey, Latency in rekey operations, Rekey operations and firmware upgrades – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Page 222: Do not change LUN configuration while rekeying, Brocade native mode in LKM/SSKM installations
Fabric OS Encryption Administrator’s Guide (LKM/SSKM)
53-1002925-01
Rekeying best practices and policies
Manual rekey
Ensure that the link to the key management system is up and running before you attempt a manual
rekey.
Latency in rekey operations
Host I/O for regions other than the current rekey region has no latency during a rekey operation.
Host I/O for the region where the current rekey is happening has minimal latency (a few
milliseconds) because I/O is held until the rekey is complete. The I/O sync links (the Ethernet ports
labeled Ge0 and Ge1) must be configured, and must both be connected to the I/O sync LAN to
enable proper handling of rekey state synchronization in high availability (HA cluster)
configurations.
Allow rekey to complete before deleting a container
Do not delete a crypto container while rekey is in session or if rekey is not completed. If you want to
delete a container, use the command cryptocfg --show -rekey -all to display the status of rekey
sessions. If any rekey session is not 100% completed, do not delete the container. If you do delete
the container before rekey is complete, and subsequently add the LUN back as cleartext, all data
on the LUN is destroyed.
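A pre-deletion gate built on the status check above, as an added example that is not taken from the Brocade guide. The "Label: value" layout and field names in the sample text are assumptions, and the function names are hypothetical; the sample is constructed and should be compared with the real cryptocfg --show -rekey -all output of your release.

```python
import re

# Constructed sample in an ASSUMED "Label: value" layout. Confirm the field
# names against the real output of your Fabric OS release before relying on it.
SAMPLE = """\
Number of rekey session(s): 2
Container name: ctc_array1
LUN number: 0x0
Percentage complete: 100
Container name: ctc_array2
LUN number: 0x3
Percentage complete: 47
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_sessions(output):
    """Return (declared session count, list of session dicts)."""
    declared, sessions = None, []
    for line in output.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key.startswith("number of rekey session"):
            declared = int(value)
        elif key == "container name":
            sessions.append({"container": value, "lun": None, "pct": None})
        elif sessions and key == "lun number":
            sessions[-1]["lun"] = value
        elif sessions and key == "percentage complete":
            pct = re.fullmatch(r"(\d+)\s*%?", value)
            sessions[-1]["pct"] = int(pct.group(1)) if pct else None
    return declared, sessions

def blocking_sessions(output):
    """Sessions not at 100%. Any entry here means: do not delete a container.

    Fails closed: raises if the status text is empty, truncated or lacks the
    session count, so a dropped SSH session is never read as "no rekeys".
    """
    declared, sessions = parse_sessions(output)
    if declared is None or declared != len(sessions):
        raise ValueError("rekey status unreadable; do not delete the container")
    return [s for s in sessions if s["pct"] != 100]

if __name__ == "__main__":
    for s in blocking_sessions(SAMPLE):
        print("BLOCKED by", s["container"], "LUN", s["lun"], "at", s["pct"], "%")
```
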
Rekey operations and firmware upgrades
All nodes in an encryption group must be at the same firmware level before starting a rekey or
first-time encryption operation. Make sure that existing rekey or first-time encryption operations
complete before upgrading any of the encryption products in the encryption group, and that the
upgrade completes before starting a rekey or first-time encryption operation.
Do not change LUN configuration while rekeying
Never change the configuration of any LUN that belongs to a CryptoTarget container/LUN
configuration while the rekeying process for that LUN is active. If you change the LUN’s settings
during manual or auto rekeying or first-time encryption, the system reports a warning message
stating that the encryption engine is busy and a forced commit is required for the changes to take
effect. A forced commit command halts all active rekeying processes running in all CryptoTarget
containers and corrupts any LUN engaged in a rekeying operation. There is no recovery for this type
of failure.
Brocade native mode in LKM/SSKM installations
When using Brocade native mode in LKM/SSKM installations, manual rekey is highly
recommended. If automatic rekey is desired, the key expiry date should be configured only when
the LUN is created. Never modify the expiry date after configuring a LUN. If you modify the expiry
time after configuring the LUN, the expiration date will not update properly.