HP 1606 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 153
Impact of tape LUN configuration changes, Force-enabling a disabled disk LUN for encryption
Impact of tape LUN configuration changes

LUN-level policies apply when no policies are configured at the tape pool level. The following restrictions apply when modifying tape LUN configuration parameters:

• If you change a tape LUN policy from encrypt to cleartext or from cleartext to encrypt, or if you change the encryption format from Brocade native to DF-compatible while data is written to or read from a tape backup device, the policy change is not enforced until the current process completes and the tape is unmounted, rewound, or overwritten. This mechanism prevents the mixing of cleartext data with cipher-text data on the tape.
• Make sure you understand the ramifications of changing the tape LUN encryption policy from encrypt to cleartext or from cleartext to encrypt.
• You cannot modify the key lifespan value. If you wish to modify the key lifespan, delete and recreate the LUN with a different key lifespan value. Key lifespan values only apply to native-mode pools. When in DF-compatible mode, every new media receives a unique key, matching DataFort behavior.

Force-enabling a disabled disk LUN for encryption

You can force a disk LUN to become enabled for encryption when encryption is disabled on the LUN. A LUN may become disabled for various reasons, such as a change in policy from encrypt to cleartext when encrypted data (and metadata) exist on the LUN, a conflict between LUN policy and LUN state, or a missing DEK in the key vault. Force-enabling a LUN while metadata exist on the LUN may result in a loss of data and should be exercised with caution. Refer to "LUN policy troubleshooting" on page 204 for a description of conditions under which a LUN may be disabled, and for recommendations on re-enabling the LUN while minimizing the risk of data loss.

This procedure must be performed on the local switch that is hosting the LUN. No commit is required to force-enable after executing this command.

1. Log in to the switch that hosts the LUN as Admin or FabricAdmin.
2. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name, the LUN Number, and the initiator PWWN.

   FabricAdmin:switch>cryptocfg --enable -LUN my_disk_tgt 0x0 \
   10:00:00:00:c9:2b:c9:3a
   Operation Succeeded

Decommissioning LUNs

A disk device needs to be decommissioned when any of the following occur:

• The storage lease expires for an array, and devices must be returned or exchanged.
• Storage is re-provisioned for movement between departments.
• An array or device is removed from service.

In all cases, all data on the disk media must be rendered inaccessible. LUN decommissioning deletes all information that could be used to recover the data. Upon successful completion of a decommissioning operation, the LUN is deleted from all the containers hosting it, and all the active paths to the LUNs are lost.
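
A pre-flight check for the force-enable procedure above, as an added example that is not part of the guide or of Fabric OS: it validates the three arguments and records why the LUN was disabled before producing the command line to type on the switch. The function name, the reason labels, the container-name character set and the 0x-prefixed LUN form are assumptions made for this sketch.

```python
import re

# Disable causes listed in the guide; the short labels are assumptions of this sketch.
DISABLE_REASONS = {
    "policy-change": "policy changed from encrypt to cleartext with encrypted data on the LUN",
    "policy-state-conflict": "conflict between LUN policy and LUN state",
    "missing-dek": "DEK missing from the key vault",
}
PWWN_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$")  # 64-bit WWN, 8 hex bytes
LUN_RE = re.compile(r"^0x[0-9a-fA-F]+$")   # assumption: hex form, as in the guide's example
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")   # assumption: conservative container-name charset


def build_force_enable(container, lun, pwwn, reason, metadata_reviewed):
    """Return the cryptocfg command line, or raise ValueError naming every failed check."""
    errors = []
    if not NAME_RE.match(container):
        errors.append(f"container name {container!r} has unexpected characters")
    if not LUN_RE.match(lun):
        errors.append(f"LUN number {lun!r} is not 0x-prefixed hex")
    if not PWWN_RE.match(pwwn):
        errors.append(f"initiator PWWN {pwwn!r} is not 8 colon-separated hex bytes")
    if reason not in DISABLE_REASONS:
        errors.append(f"disable reason {reason!r} is not one of {sorted(DISABLE_REASONS)}")
    if not metadata_reviewed:
        # The guide warns that force-enabling while metadata exist may lose data.
        errors.append("metadata on the LUN not reviewed; force-enable may lose data")
    if errors:
        raise ValueError("; ".join(errors))
    return f"cryptocfg --enable -LUN {container} {lun} {pwwn}"


if __name__ == "__main__":
    # Constructed inputs: the first mirrors the guide's example, the second has a
    # truncated PWWN and no metadata review, so it is rejected with both reasons.
    print(build_force_enable("my_disk_tgt", "0x0", "10:00:00:00:c9:2b:c9:3a",
                             "missing-dek", True))
    try:
        build_force_enable("my_disk_tgt", "0x0", "10:00:00:00:c9:2b:c9",
                           "missing-dek", False)
    except ValueError as exc:
        print("refused:", exc)
```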