HP Cisco MDS 9134 Cisco MDS 9000 Family Storage Media Encryption Configuration - Page 138
Chapter 6 Cisco SME Key Management
Key Management Operations

Advanced Mode

In Advanced security mode, the master key is stored on five smart cards. Depending on the quorum required to recover the master key, two or three of the five smart cards or two of the three smart cards will be required to unlock the master key.

The master key is stored securely on a PIN-protected smart card. To replace a lost or damaged smart card, the quorum of Cisco SME Recovery Officers must be present with their smart cards to authorize the master key recovery. This ensures that the split-knowledge security policy of the master key is maintained throughout the lifetime of the Cisco SME cluster.

This method guarantees that, following the creation of the Cisco SME cluster in Advanced security mode, the master key can only be retrieved by the quorum of Cisco Recovery Officers, and that both the replacement operation and the new smart card are authorized and authenticated by the quorum.

The smart card replacement triggers a master key recreation (master key rekey), and a new version of the master key is generated for the cluster. The new set of master key shares is stored in the smart cards. All the volume group keys are also synchronized with the new master key.

In the unique key mode, a new tape volume group wrap key is generated for each volume group. The existing tape volume group wrap key is duplicated with the new master key and put in the archived state.

In the shared key mode, a new tape volume group wrap key and tape volume group shared key are generated. The existing tape volume group wrap key is duplicated with the new master key and put in the archived state. The existing tape volume group shared key remains as it was.

To replace a smart card (Advanced security mode), follow these steps:

Step 1 Select Smartcards to display the smart card information for the cluster.
Step 2 Select the smart card that you want to replace. Click Replace to launch the smart card replacement wizard.
Step 3 Insert the new smart card. Click Next.

6-24 Cisco MDS 9000 Family Storage Media Encryption Configuration Guide OL-18091-01, Cisco MDS NX-OS Release 4.x
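The quorum recovery and rekey-on-replacement behaviour described above can be modelled as follows. This is an added example, not code from the Cisco guide or from Cisco SME: it assumes Shamir secret sharing as the key-share scheme (the guide does not name one), and every function name in it is hypothetical.

```python
import secrets

# Assumption: Shamir secret sharing over a prime field stands in for the
# key-share scheme; the guide does not say which scheme Cisco SME uses.
PRIME = 2**521 - 1  # Mersenne prime, comfortably larger than a 256-bit key

def split(secret, threshold, n_cards):
    """Return {card_number: share}; any `threshold` shares recover `secret`."""
    if not (0 <= secret < PRIME and 1 < threshold <= n_cards):
        raise ValueError("invalid secret or quorum parameters")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x in range(1, n_cards + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares[x] = y
    return shares

def recover(presented):
    """Lagrange-interpolate the polynomial at x=0 from {card_number: share}."""
    secret = 0
    for xi, yi in presented.items():
        num = den = 1
        for xj in presented:
            if xj != xi:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def replace_card(cards, quorum_ids, threshold):
    """Quorum recovers the current key, then a new key version is split afresh."""
    old_key = recover({i: cards[i] for i in quorum_ids})
    new_key = secrets.randbits(256)
    return old_key, new_key, split(new_key, threshold, len(cards))

def demo():
    master = secrets.randbits(256)            # constructed sample key
    cards = split(master, 3, 5)               # 3-of-5 quorum
    quorum_ok = recover({i: cards[i] for i in (1, 3, 5)}) == master
    short_ok = recover({i: cards[i] for i in (1, 3)}) == master
    old, new, fresh = replace_card(cards, (2, 4, 5), 3)   # card 1 was lost
    rekeyed_ok = recover({i: fresh[i] for i in (1, 2, 3)}) == new
    stale_ok = recover({1: cards[1], 2: fresh[2], 3: fresh[3]}) == new
    return quorum_ok, short_ok, old == master, rekeyed_ok, stale_ok

if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` shows why replacement forces a rekey: a share from the lost card no longer combines with current shares to produce the cluster's master key.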