HP 8/80 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 152
Modifying Crypto LUN parameters, LUN modification considerations, For tape LUNs
View all HP 8/80 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 152 highlights
3 Crypto LUN configuration Modifying Crypto LUN parameters You can modify one or more policies of an existing Crypto LUN with the cryptocfg --modify -LUN command. If the modification applies to multiple LUNs, you may specify a LUN number range. NOTE A maximum of 25 LUNs can be added or modified in a single commit operation. Attempts to commit configurations or modifications that exceed this maximum fail with a warning. Note that there is a five second delay before the commit operation takes effect. Make sure the LUNs in previously committed LUN configurations and LUN modifications have a LUN state of Encryption Enabled before creating and committing another batch of 25 LUN configurations or LUN modifications. The following example disables automatic re-keying operations on the disk LUN "my_disk_tgt." 1. Log into the group leader as Admin or FabricAdmin. 2. Enter the cryptocfg --modify -LUN command followed by the CryptoTarget container name, the LUN Number, the initiator PWWN, and the parameter you wish to modify. FabricAdmin:switch>cryptocfg --modify -LUN my_disk_tgt 0x0 10:00:00:00:c9:2b:c9:3a -disable_rekey Operation Succeeded 3. Commit the configuration. FabricAdmin:switch>cryptocfg --commit Operation Succeeded CAUTION When configuring a LUN with multiple paths, do not commit the configuration before you have modified all the LUNs with identical policy settings and in sequence for each of the Crypto Target containers for each of the paths accessing the LUNs. Failure to do so results in data corruption. Refer to the section "Configuring a multi-path Crypto LUN" on page 141. LUN modification considerations Make sure you understand the ramifications of modifying LUN policy parameters (such as encrypt/cleartext) for LUNs that are online and already being utilized. The following restrictions apply when modifying LUN policy parameters for disk LUNs: • When you change LUN policy from encrypt to cleartext, you will wipe out all encrypted data stored on the LUN the next time data is written to that LUN. The following policy parameters are disabled: -enable_encexistingdata, -enable_rekey. • When you change the LUN policy back to encrypt, for example, by force-enabling the LUN, -enable_encexistingdata and -enable_rekey are disabled by default, and you must configure both options again. • When you add a LUN as cleartext and later you want to change the LUN policy from cleartext to encrypt, you must set the -enable_encexistingdata option. If you do not, all data on that LUN is lost, and cannot be recovered. For tape LUNs -enable_encexistingdata and -enable_rekey are not valid and therefore cannot be modified. The -key_lifespan parameter is valid for tape LUNs but it cannot be modified after it is set. When you attempt to execute these parameters while modifying a tape LUN, the system returns an error. 134 Fabric OS Encryption Administrator's Guide 53-1001864-01