HP 8/8 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 148
Also, the LBA 0 block size IO size from the host must be at least, block size for tape encryption.
View all HP 8/8 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 148 highlights
3 Crypto LUN configuration NOTE LUN policies are configured at the LUN-level but apply to the entire HA or DEK cluster. For multi-path LUNs exposed through multiple target ports and thus configured on multiple Crypto Target containers on different encryption engines in an HA cluster or DEK cluster, the same LUN policies must be configured. Failure to do so results in unexpected behavior and may lead to data corruption. The tape policies specified at the LUN configuration level take effect if you do not create tape pools or configure policies at the tape pool level. The Brocade encryption solutions supports up to a 1MB block size for tape encryption. Also, the LBA 0 block size (IO size from the host) must be at least 1k less than the maximum supported backend block size (usually 1MB). This is typically the case as label operations are small I/O operations. If this support requirement is not met, the Brocade encryption solution will not allow the backup operation to start to that tape. TABLE 6 LUN parameters and policies Policy name Command parameters Description LUN state Disk LUN: yes Tape LUN: No Modify? No -lunstate encrypted | cleartext Key ID Disk LUN: yes Tape LUN: No Modify? No -keyID Key_ID Sets the Encryption state for the LUN. Valid values are: • cleartext - Default LUN state. Refer to policy configuration considerations for compatibility with other policy settings. • encrypted - Metadata on the LUN containing the key ID of the DEK that was used for encrypting the LUN is used to retrieve the DEK from the key vault. DEKs are used for encrypting and decrypting the LUN. Specifies the key ID. Use this option only if the LUN was encrypted but does not include the metadata containing the key ID for the LUN. This is a rare case for LUNs encrypted in Native (Brocade) mode. However for LUNS encrypted with DataFort v2.0, a key ID is required, because these LUNs do not contain any metadata. Encryption format Disk LUN: yes Tape LUN: yes Modify? Yes -encryption_format native | DF_compatible Sets the encryption format. Valid values are: • Native - The LUN is encrypted or decrypted using the Brocade encryption format (metadata format and algorithm). This is the default setting. • DF_compatible - The LUN is encrypted or decrypted using the NetApp DataFort encryption format (metadata format and algorithm). Use of this format requires a NetApp DataFort-compatible license. NOTE: On tapes written in DataFort format, the encryption switch or blade cannot read and decrypt files with a block size of one MB or greater. Encryption policy Disk LUN: yes Tape LUN: Yes Modify? Yes -encrypt | -cleartext Enables or disables a LUN for encryption. Valid values are: • cleartext - Encryption is disabled. This is the default setting. When the LUN policy is set to cleartext the following policy parameters are invalid and generate errors when executed: -enable_encexistingdata -enable_rekey, and -key_lifespan. When a LUN is added in DataFort- compatible encryption format, cleartext is not a valid policy option. • encrypt - The LUN is enabled to perform encryption. Existing data encryption Disk LUN: yes Tape LUN: No Modify? Yes -enable_encexistingdata | -disable_encexistingdata Specifies whether or not existing data on the LUN should be encrypted. By default, encryption of existing data is disabled. Encryption policy must be set to -enable_encexistingdata, and the LUN state must be set to cleartext (default). If the encryption policy is cleartext, the existing data on the LUN will be overwritten. 130 Fabric OS Encryption Administrator's Guide 53-1001864-01