HP 8/40 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 163
First time encryption, Resource allocation, Configuring a LUN for first time encryption
View all HP 8/40 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 163 highlights
First time encryption 3 First time encryption First time encryption, also referred to as encryption of existing data, is similar to the re-keying process described in the previous section, except that there is no expired key and the data present in the LUN is cleartext to begin with. In a first time encryption operation, cleartext data is read from a LUN, encrypted with the current key and written back to the same LUN at the same logical block address (LBA) location. This process effectively encrypts the LUN and is referred to as "in-place encryption." Resource allocation System resources for first time encryption sessions are shared with re-key sessions. There is an upper limit of twelve sessions with two concurrent sessions per target. Refer to the re-key "Resource allocation" on page 145 section for details. First time encryption modes First-time encryption can be performed under the following conditions: • Offline encryption - The hosts accessing the LUN are offline or host I/O is halted while encryption is in process. • Online encryption - The hosts accessing the LUN are online and host I/O is active during the encryption operation. Configuring a LUN for first time encryption First time encryption options are configured at the LUN level either during LUN configuration with the cryptocfg --add -LUN command, or at a later time with the cryptocfg --modify -LUN command. 1. Set the LUN policy to encrypt to enable encryption on the LUN. All other options related to encryption are enabled. A DEK is generated and associated with the LUN. 2. Enable first time encryption by setting the -enable_encexistingdata parameter. The existing data on the disk is encrypted using the configured DEK. 3. Optionally set the auto re-keying feature with the cryptocfg --enable_rekey command and specify the interval at which the key expires and automatic re-keying should take place (time period in days) Enabling automatic re-keying is valid only if the LUN policy is set to encrypt and the encryption format is Brocade native. Refer to the section "Crypto LUN parameters and policies" on page 129 for more information. The following example configures a LUN for first time encryption with re-keying scheduled at a 6-month interval. You must commit the operation to take effect. FabricAdmin:switch>cryptocfg --add -LUN my_disk_tgt 0x0 \ 10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a -encrypt \ -enable_encexistingdata -enable_rekey 180 Operation Succeeded Fabric OS Encryption Administrator's Guide 145 53-1001864-01