HP 8/8 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 89
Zeroizing an encryption engine
View all HP 8/8 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 89 highlights
Zeroizing an encryption engine 2 Zeroizing an encryption engine Zeroizing is the process of erasing all data encryption keys and other sensitive encryption information in an encryption engine. You can zeroize an encryption engine manually to protect encryption keys. No data is lost because the data encryption keys for the encryption targets are stored in the key vault. Zeroizing has the following effects: • All copies of data encryption keys kept in the encryption switch or encryption blade are erased. • Internal public and private key pairs that identify the encryption engine are erased and the encryption switch or the encryption blade is in the FAULTY state. • All encryption operations on this engine are stopped and all virtual initiators (VI) and virtual targets (VT) are removed from the fabric's name service. • The master key (for other key vaults) is erased from the encryption engine. Once enabled, the encryption engine is able to restore the necessary data encryption keys from the key vault when the the master key is restored. • If the encryption engine was part of an HA cluster, targets fail over to the peer which assumes the encryption of all storage targets. Data flow will continue to be encrypted. • If there is no HA backup, host traffic to the target will fail as if the target has gone offline. The host will not have unencrypted access to the target. There will be no data flow at all because the encryption virtual targets will be offline. NOTE Zeroizing an engine affects the I/Os but all target and LUN configuration is intact. Encryption target configuration data is not deleted. You can zeroize an encryption engine only if it is enabled (running) or disabled, but ready to be enabled. If the encryption engine is not in one of these states, an error message displays. When using an opaque key vault, if all the encryption engines in an encryption group are zeroized, the encryption group loses the master key required to read data encryption keys from the key vault. After the encryption engines are rebooted and re-enabled, you must restore the master key from a backup copy, or alternatively you can also generate a new master key and back it up. Restoring the master key from a backup copy or generating a new master key and backing it up indicates that all previously generated DEKs will not be decryptable, unless the original master key used to encrypt them is restored. Use the Restore Master key wizard from the Encryption Group Properties dialog box to restore the master key from a backup copy. 1. Select Configure > Encryption from the menu bar. The Encryption Center dialog box displays. 2. Select the encryption engine. 3. Right-click, or select Engine from the menu bar, and select Zeroize. A confirmation dialog box describing consequences and actions required to recover launches. Fabric OS Encryption Administrator's Guide 71 53-1001864-01