Table 23 – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

268

Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

DF-compatibility support for disk LUNs

B

TABLE 23

Support matrix for disk LUNs for various configuration and modify options

LUN
encryption
format

LUN state

LUN policy

Encrypt existing data

Key ID

Metadata
on LUN

Results

Native
(Brocade)

Encrypted

Encrypt

NA when
LUN State = encrypt

NA

Yes

No error. If the LUN was previously
DF-encrypted, the LUN is set to Read Only until
you either remove the LUN and add it back
with the native Brocade encryption format, or
issue the runtime CLI command to force the
change.

Native
(Brocade)

Encrypted

Encrypt

NA when
LUN State = encrypt

None

No

The data encryption key is retrieved from the
key vault based on the LUN serial number, and
used for further encryption and decryption. An
attempt is made to write the metadata. If the
key cannot be retrieved for this LUN based on
the LUN serial number, then the LUN is
disabled for encryption. You need to either
modify the LUN state to cleartext or provide
the key ID in the LUN setup. You can also use
the runtime cryptocfg --enable -LUN
command to force the change, in which case a
new key is generated and an attempt is made
to write metadata.

Native
(Brocade)

Encrypted

Encrypt

NA when
LUN State = encrypt

Provided No

No error.

Native
(Brocade)

Encrypted

Cleartext

NA when
LUN State = encrypt

NA

Yes

The LUN is disabled for encryption. Metadata
is present on the LUN and the LUN is in
encrypted state. You need to either modify the
LUN policy to encrypt, or use the runtime
cryptocfg --enable -LUN command to force
the change from encrypt to cleartext.

Native
(Brocade)

Encrypted

Cleartext

NA when
LUN State = encrypt

None

No

No error.

Native
(Brocade)

Encrypted

Cleartext

NA when
LUN State = encrypt

Provided No

The KeyID is not valid when this combination is
used in cryptocfg --modify -LUN. When
issuing cryptocfg --add -LUN, this is an invalid
combination

Native
(Brocade)

Cleartext

Encrypt

Yes

NA

Yes

The LUN is disabled for encryption. Metadata
is present on the LUN and the LUN is in
encrypted state. You need to either modify the
LUN state to “encrypted” or use the runtime
cryptocfg --enable -LUN command to force
the change from the current state of the LUN
to encrypt.

Native
(Brocade)

Cleartext

Encrypt

Yes

None

No

No error. First time encryption started to
convert the LUN from cleartext to encrypt.

Native
(Brocade)

Cleartext

Encrypt

Yes

Provided No

No Error. Key ID is ignored.