Dell POWEREDGE M1000E User Manual

Fabric OS Command Reference

53-1001764-02

cryptoCfg

LUN policies are configured per HA or DEK cluster. For multi-path LUNs that are exposed through
multiple target ports, and are therefore configured on multiple CTCs on different EEs in an HA
cluster or DEK cluster, the same LUN policies must be configured. Refer to the Fabric OS Encryption
Administrator's Guide for more information.

The following LUN policy parameters can be optionally set:

-lunstate encrypted | cleartext

Sets the encryption state of a specified disk LUN. When set to encrypted,
metadata on the LUN containing the key ID of the DEK that was used for
encrypting the LUN is used to retrieve the DEK from the key vault. If the LUN
state is not specified, the default state is cleartext. This operand is not valid
for tape LUNs.

-keyID keyID

Specifies the Key ID. Use this operand only if the LUN was encrypted but does
not include the metadata containing the keyID for the LUN. This is a rare case
for LUNs encrypted in Brocade native mode. However, for LUNs encrypted
with DataFort v2.0, a Key ID is required, because these LUNs do not contain
any metadata. This operand is not valid for tape LUNs.

-encryption_format native | DF_compatible

Specifies the LUN encryption format. Two encryption formats are supported:

native

The LUN uses the Brocade metadata format and algorithm for the
encryption and decryption of data. This is the default mode.

DF_compatible

The LUN uses the NetApp DataFort metadata format and algorithm for
the encryption and decryption of data. Use of this format requires a
NetApp DataFort-compatible license to be present on the encryption
switch or the chassis that houses the encryption blade.

-encrypt | -cleartext

Enables or disables the LUN for encryption. By default, cleartext is enabled
(no encryption). When the LUN policy is changed from encrypt to cleartext,
the following policy parameters become disabled (default) and generate
errors when executed: -enable_encexistingdata, -enable_rekey, and
-key_lifespan. When a LUN is added in DF_compatible encryption format,
-cleartext is rejected as invalid.

-enable_encexistingdata | -disable_encexistingdata

Specifies whether or not existing data should be encrypted. The encryption
policy must be enabled on the LUN before -enable_encexistingdata can
be set, and the LUN state must be set to -cleartext. By default, encryption of
existing data is disabled. If the LUN policy is set to -encrypt, the encryption of
existing data must be enabled, or existing data is not preserved. This policy is
not valid for tape LUNs.

-enable_rekey time_period | -disable_rekey

Enables or disables the auto rekeying capability on the specified disk LUN.
This operand is not valid for tape LUNs. By default, the automatic rekey
feature is disabled. Enabling automatic rekeying is valid only if the LUN policy
is set to encrypt. You must specify a time_period in days when enabling auto
rekeying to indicate the interval at which automatic rekeying should take
place.
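
The operand constraints described above can be checked before a LUN policy is applied, which helps avoid a rejected command or, worse, an encrypt policy that does not preserve existing data. The following Python check is an added example, not Brocade's or Dell's validation logic; the function names, the `lun_type` label and the dictionary layout are assumptions, and only operand names that appear in this section are used.

```python
# Added example: pre-flight check of LUN policy operands against the
# constraints stated in this section. Names and data layout are hypothetical.

DISK_ONLY = ("-lunstate", "-keyID", "-enable_encexistingdata",
             "-disable_encexistingdata", "-enable_rekey", "-disable_rekey")
NEEDS_ENCRYPT = ("-enable_encexistingdata", "-enable_rekey", "-key_lifespan")


def check_lun_policy(opts, lun_type="disk"):
    """Return rule violations for one LUN's policy operands.

    opts maps operand name -> value (None for bare flags).
    lun_type is a caller-supplied "disk" or "tape" label (assumption).
    """
    errors = []
    if "-encrypt" in opts and "-cleartext" in opts:
        errors.append("-encrypt and -cleartext are mutually exclusive")
    encrypt = "-encrypt" in opts                      # default policy: cleartext
    fmt = opts.get("-encryption_format", "native")    # default format: native
    state = opts.get("-lunstate", "cleartext")        # default state: cleartext

    if lun_type == "tape":
        errors += [f"{o} is not valid for tape LUNs" for o in DISK_ONLY if o in opts]
    if fmt == "DF_compatible" and "-cleartext" in opts:
        errors.append("-cleartext is rejected for DF_compatible LUNs")
    if not encrypt:
        errors += [f"{o} requires the -encrypt policy" for o in NEEDS_ENCRYPT if o in opts]
    # "LUN state must be set to -cleartext" is read here as -lunstate cleartext.
    if "-enable_encexistingdata" in opts and state != "cleartext":
        errors.append("-enable_encexistingdata requires -lunstate cleartext")
    if "-enable_rekey" in opts:
        period = opts["-enable_rekey"]
        # The page requires a time_period in days; "positive integer" is assumed.
        if not (isinstance(period, int) and period > 0):
            errors.append("-enable_rekey needs a time_period in days")
    # Data-loss guard: encrypting a cleartext disk LUN without first-time encryption.
    if (encrypt and lun_type == "disk" and state == "cleartext"
            and "-enable_encexistingdata" not in opts):
        errors.append("warning: existing data is not preserved "
                      "without -enable_encexistingdata")
    return errors


def paths_consistent(policies):
    """True when every path (CTC) of a multi-path LUN carries the same policy."""
    return all(p == policies[0] for p in policies[1:])
```

Running `paths_consistent` over the per-CTC operand sets of one multi-path LUN flags the mismatch that the opening paragraph of this section warns against.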