Active master key, Alternate master key – Brocade Network Advisor SAN + IP User Manual v12.3.0 User Manual

53-1003155-01

Master keys

When you create a new master key, the former active master key automatically becomes the alternate master key.

The new master key cannot be used (no new data encryption keys can be created, so no new encrypted LUNs can be configured) until you back up the new master key. After you have backed up the new master key, it is strongly recommended that all encrypted disk LUNs be rekeyed. Rekeying causes a new data encryption key to be created and encrypted using the new active master key, thereby removing any dependency on the old master key. Refer to “Creating a new master key” on page 1131 for more information.

Master key actions are disabled if they are unavailable. For example:

• The user does not have Storage Encryption Security permissions.

• The Group Leader is not discovered or managed by the Management application.

NOTE

It is important to back up the master key because if the master key is lost, none of the data
encryption keys can be restored and none of the encrypted data can be decrypted.

Active master key

The active master key is used to encrypt newly created data encryption keys (DEKs) prior to sending them to a key vault to be stored. You can restore the active master key under the following conditions:

• The active master key has been lost, which happens if all encryption engines in the group have been zeroized or replaced with new hardware at the same time.

• You want multiple encryption groups to share the same active master key. Groups should share the same master key if the groups share the same key vault and if tapes (or disks) are going to be exchanged regularly between the groups.

Alternate master key

The alternate master key is used to decrypt data encryption keys that were not encrypted with the active master key. Restore the alternate master key for the following reasons:

• To read an old tape that was created when the group used a different active master key.

• To read a tape (or disk) from a different encryption group that uses a different active master key.
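The following is an added illustration, not Brocade code, of the master-key lifecycle described above (new master key, mandatory backup, rekeying, and the active/alternate roles). It is a hypothetical model: the class `EncryptionGroup` and the toy HMAC-based `wrap_dek`/`unwrap_dek` stand in for the encryption engine's real key wrapping and key vault.

```python
import hmac
import os
from hashlib import sha256
from typing import Optional


def wrap_dek(master_key: bytes, dek: bytes) -> bytes:
    """Toy wrap (stand-in for the real key-vault wrapping): HMAC keystream XOR plus a tag."""
    nonce = os.urandom(16)
    stream = hmac.new(master_key, b"wrap" + nonce, sha256).digest()
    body = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(master_key, nonce + body, sha256).digest()
    return nonce + body + tag


def unwrap_dek(master_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the DEK, or None when this master key did not wrap it (tag check fails)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(master_key, nonce + body, sha256).digest(), tag):
        return None
    stream = hmac.new(master_key, b"wrap" + nonce, sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream))


class EncryptionGroup:
    """Hypothetical model of one encryption group's master keys and its key vault."""

    def __init__(self) -> None:
        self.active = os.urandom(32)
        self.alternate: Optional[bytes] = None
        self.active_backed_up = False        # a new master key is unusable until backed up
        self.vault: dict = {}                # LUN name -> DEK wrapped under some master key

    def backup_master_key(self) -> None:
        self.active_backed_up = True

    def create_dek(self, lun: str) -> bytes:
        if not self.active_backed_up:
            raise RuntimeError("back up the new master key before creating DEKs")
        dek = os.urandom(32)
        self.vault[lun] = wrap_dek(self.active, dek)
        return dek

    def new_master_key(self) -> None:
        self.alternate, self.active = self.active, os.urandom(32)  # former active -> alternate
        self.active_backed_up = False

    def which_key_unwraps(self, lun: str) -> Optional[str]:
        """'active', 'alternate', or None when neither key can recover the LUN's DEK."""
        blob = self.vault[lun]
        if unwrap_dek(self.active, blob) is not None:
            return "active"
        if self.alternate is not None and unwrap_dek(self.alternate, blob) is not None:
            return "alternate"
        return None

    def rekey(self, lun: str) -> bytes:
        """Re-encrypt a LUN under a fresh DEK wrapped with the active master key."""
        if self.which_key_unwraps(lun) is None:
            raise RuntimeError("old DEK unrecoverable: cannot decrypt the LUN to rekey it")
        return self.create_dek(lun)          # removes the dependency on the alternate key
```

Rotating the master key twice without rekeying leaves a LUN whose DEK no master key in the group can unwrap, which is the loss the NOTE above warns about.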