HP 8/40 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 165
Configuring a LUN for automatic re-keying, Crypto LUN parameters and policies
Configuring a LUN for automatic re-keying

Re-keying options are configured at the LUN level either during LUN configuration with the cryptocfg --add -LUN command, or at a later time with the cryptocfg --modify -LUN command.

For re-keying of a disk array LUN, the Crypto LUN is configured in the following way:

• Set LUN policy as either cleartext or encrypt.
    • If cleartext is enabled (default), all encryption-related options are disabled and no DEK is associated with the LUN. No encryption is performed on the LUN.
    • If the LUN policy is set to encrypt, encryption is enabled on the LUN and all other options related to encryption are enabled. A DEK is generated and associated with the LUN.
• Set the auto re-keying feature with the cryptocfg --enable_rekey command and specify the interval at which the key expires and automatic re-keying should take place (time period in days). Enabling automatic re-keying is valid only if the LUN policy is set to encrypt and the encryption format is Brocade native. Refer to the section "Crypto LUN parameters and policies" on page 129 for more information.
• When using Brocade native mode in LKM installations, manual rekey is highly recommended. If auto rekey is desired, the key expiry date should be configured only when the LUN is created. Never modify the expiry date after configuring a LUN. If you modify the expiry time after configuring the LUN, the expiration date will not update properly.

NOTE
For a scheduled re-keying session to proceed, all encryption engines in a given HA cluster, DEK cluster, or encryption group must be online, and IO sync links must be configured. Refer to the section "Management LAN configuration" on page 97 for more information.

1. Log into the group leader as FabricAdmin.

2. Enable automatic re-keying by setting the -enable_rekey parameter followed by a time period (in days). The following example enables the automatic re-keying feature on an existing LUN with a 90-day re-keying interval. The data will automatically be re-encrypted every 90 days.

    FabricAdmin:switch>cryptocfg --modify -LUN my_disk_tgt 0x0 \
    10:00:00:00:c9:2b:c9:3a -enable_rekey 90
    Operation Succeeded

3. Commit the configuration.

    FabricAdmin:switch>cryptocfg --commit
    Operation Succeeded
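The following pre-flight check is an added example, not part of the HP/Brocade guide: it applies the constraints stated above to a planned change and only then produces the two CLI lines from steps 2 and 3. The function name, its keyword parameters, the "LKM" label for the key vault type, and the input patterns (modelled on the values in the guide's example) are assumptions of this sketch.

```python
import re

# Input shapes follow the guide's example values; the patterns are assumptions.
NAME_RE = re.compile(r"[A-Za-z0-9_]+")                       # e.g. my_disk_tgt
LUN_RE = re.compile(r"0x[0-9a-fA-F]+")                       # e.g. 0x0
WWN_RE = re.compile(r"(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}")


def plan_auto_rekey(container, lun, initiator_pwwn, days, *, policy,
                    enc_format, key_vault, engines_online, io_sync_links):
    """Return the CLI lines that enable auto re-keying on an existing LUN.

    Raises ValueError listing every rule from the guide that the request breaks.
    """
    problems = []
    # Reject anything that is not a plain token before it reaches a command line.
    if not NAME_RE.fullmatch(container):
        problems.append("container name has unexpected characters")
    if not LUN_RE.fullmatch(lun):
        problems.append("LUN number must look like 0x0")
    if not WWN_RE.fullmatch(initiator_pwwn):
        problems.append("initiator PWWN must be 8 colon-separated hex bytes")
    if isinstance(days, bool) or not isinstance(days, int) or days < 1:
        problems.append("re-key interval must be a whole number of days")
    # A cleartext LUN has no DEK, so there is no key to expire.
    if policy != "encrypt":
        problems.append("LUN policy must be encrypt")
    if enc_format != "native":
        problems.append("encryption format must be Brocade native")
    # LKM: the expiry may only be set at LUN creation, never via --modify.
    if key_vault == "LKM":
        problems.append("LKM installation: do not change key expiry on an "
                        "existing LUN; use manual re-key")
    # A scheduled re-keying session will not proceed without these.
    if not engines_online:
        problems.append("all encryption engines must be online")
    if not io_sync_links:
        problems.append("IO sync links must be configured")
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"cryptocfg --modify -LUN {container} {lun} {initiator_pwwn} "
        f"-enable_rekey {days}",
        "cryptocfg --commit",
    ]
```

The engine and IO sync link states are passed in as booleans because this page does not show the commands that report them.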