Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
53-1002925-01
Enabling encrypted LUNs in the disabled state following zeroization
After encryption engine zeroization, once the encryption engine cryptocfg commands (initEE,
regEE, enableEE) have been run and the SSKM key vault(s) link key has been re-established using
the DH challenge and response process, the SSKM key vault(s) should be in a connected status and
the encryption engine should be online. You can verify the status using the
cryptocfg --show -groupcfg command.
At this point, if encrypted LUNs are erroneously found to be in the “disabled” state, the following
steps can be used as a remedy.
1. Launch the StorageSecure Management Console (SSMC) and log in.
2. From the SSMC, log in to the SSKM key vaults and view the link report.
3. For configurations that already have two SSKM key vaults with an established key sharing
policy, remove the key sharing policy. To do this, right-click the key sharing policy in the link
report and select Remove.
4. After the key sharing policy is removed (or if it was not yet established), right-click one of the
key vaults in the SSMC and select Link.
NOTE
A Trustee Link must be established between the SSKM key vault pair before a Key Sharing
Policy is added. Refer to the KeySecure documentation for more information.
5. Add a Key Sharing Policy by selecting the alternate key vault node, and confirm.
On the View Link Report list, the Key Sharing policy will appear. When the Percent Complete
reaches 100.0, it signifies that the key vault nodes are in sync and the keys are fully shared.
6. From the Brocade Encryption Switch or DCX Backbone series chassis containing the blade,
perform a discover LUN using the cryptocfg --discoverLUN command for each container of the
affected encryption group.
FabricAdmin:switch> cryptocfg --discoverLUN my_disk_tgt0
Container name: my_disk_tgt
Number of LUN(s): 1
Host: 10:00:00:00:c9:2b:c9:3a
LUN number: 0x0
LUN serial number: 200000062B0F726D0C000000
Key ID state: Key ID not available
Key ID: 3a:21:6a:bd:f2:37:d7:ea:6b:73:f6:19:72:89:c6:4f
7. Verify the encrypted LUNs have a LUN state of encryption enabled using the cryptocfg --show
command. Use the “-stat” option to verify that the internal EE LUN state attribute is set to
encryption enabled.
FabricAdmin:switch> cryptocfg --show -LUN my_disk_tgt0 \
10:00:00:00:c9:2b:c9:3a -stat
EE node: 10:00:00:05:1e:41:9a:7e
EE slot: 0
Target: 20:0c:00:06:2b:0f:72:6d 20:00:00:06:2b:0f:72:6d
VT: 20:00:00:05:1e:41:4e:1d 20:01:00:05:1e:41:4e:1d
Number of host(s): 1
Configuration status: committed
Host: 10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a
VI: 20:02:00:05:1e:41:4e:1d 20:03:00:05:1e:41:4e:1d
LUN number: 0x0
LUN type: disk
LUN status: 0
Encryption mode: encrypt
Encryption format: native
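A check for step 7, as an added example that is not part of the Brocade guide: it reads saved cryptocfg --show -LUN ... -stat output and lists every LUN whose state line is missing or is not "encryption enabled". The field label "Internal EE LUN state", the value "Disabled", the second LUN and all function names are assumptions, because the capture above ends before the state line.

```python
import re

# Constructed sample. Field names up to "Encryption format" are taken from the
# capture on this page; the "Internal EE LUN state" label, the "Disabled" value
# and the second LUN (0x1) are assumed for illustration.
SAMPLE_STAT = """\
Host: 10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a
LUN number: 0x0
LUN type: disk
LUN status: 0
Encryption mode: encrypt
Encryption format: native
Internal EE LUN state: Encryption enabled
LUN number: 0x1
LUN type: disk
Internal EE LUN state: Disabled
"""

# Matches a label ending in "LUN state"; "LUN status" must not match.
STATE_FIELD = re.compile(r"lun state$", re.IGNORECASE)

def parse_luns(text):
    """Split -stat output into one dict per LUN, starting at each 'LUN number'."""
    luns, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # WWNs keep their colons in value
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key.lower() == "lun number":
            current = {"LUN number": value}
            luns.append(current)
        elif current is not None:
            current[key] = value
    return luns

def lun_states(text):
    """Map LUN number -> state value, or None when the state line is absent."""
    return {lun["LUN number"]: next((v for k, v in lun.items() if STATE_FIELD.search(k)), None)
            for lun in parse_luns(text)}

def not_enabled(text):
    """LUN numbers whose state is missing (e.g. truncated capture) or not enabled."""
    return [n for n, s in lun_states(text).items()
            if s is None or s.lower() != "encryption enabled"]

if __name__ == "__main__":
    print(not_enabled(SAMPLE_STAT))
```

A LUN with no state line is reported rather than assumed healthy, so a capture that was cut short is not read as a pass.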