Active master key, Alternate master key – Brocade Network Advisor SAN + IP User Manual v12.3.0 User Manual
Page 1195
Brocade Network Advisor SAN + IP User Manual
1123
53-1003155-01
Master keys
25
When you create a new master key, the former active master key automatically becomes the
alternate master key.
The new master key cannot be used (no new data encryption keys can be created, so no new
encrypted LUNs can be configured), until you back up the new master key. After you have backed
up the new master key, it is strongly recommended that all encrypted disk LUNs be rekeyed.
Rekeying causes a new data encryption key to be created and encrypted using the new active
master key, thereby removing any dependency on the old master key. Refer to
on page 1131 for more information.
Master key actions are disabled if they are unavailable. For example:
•
The user does not have Storage Encryption Security permissions.
•
The Group Leader is not discovered or managed by BNAthe Management application.
NOTE
It is important to back up the master key because if the master key is lost, none of the data
encryption keys can be restored and none of the encrypted data can be decrypted.
Active master key
The active master key is used to encrypt newly created data encryption keys (DEKs) prior to sending
them to a key vault to be stored. You can restore the active master key under the following
conditions:
•
The active master key has been lost, which happens if all encryption engines in the group have
been zeroized or replaced with new hardware at the same time.
•
You want multiple encryption groups to share the same active master key. Groups should
share the same master key if the groups share the same key vault and if tapes (or disks) are
going to be exchanged regularly between the groups.
Alternate master key
The alternate master key is used to decrypt data encryption keys that were not encrypted with the
active master key. Restore the alternate master key for the following reasons:
•
To read an old tape that was created when the group used a different active master key.
•
To read a tape (or disk) from a different encryption group that uses a different active
master key.