176 Fabric OS Encryption Administrator’s Guide (DPM)
53-1002720-02
Decommissioning LUNs
If a LUN is removed when undergoing decommission or is in a decommission failed state, or if a
container hosting the LUN is deleted, you must use the -force option on the commit operation
(cryptocfg --commit -force). Failure to do so causes the commit operation to fail and a
decommission in progress error displays.
Upon a successful completion of a decommissioning operation, the LUN is deleted from all
containers hosting it, and all active paths to the LUNs are lost.
NOTE
In a mixed encryption group consisting of nodes running Fabric OS 7.0.0 and an earlier Fabric OS
version (for example, Fabric OS 6.4.2), the decommission operation will complete successfully and
the LUNs will be removed from the hosted containers; however, the list of decommissioned key IDs
might not be displayed correctly from all nodes in the encryption group. To resolve this, ensure that
the Fabric OS version running on all nodes in an encryption group is the same version. Otherwise
some of the crypto commands might not work as expected.
Complete the following procedure to decommission a disk LUN.
1. Log in as Admin or FabricAdmin to the node that hosts the container.
2. Enter the cryptocfg --decommission command.
FabricAdmin:switch> cryptocfg --decommission -container disk_ct0 -initiator 21:01:00:1b:32:29:5d:1c -LUN 0
3. Enter cryptocfg --show -decommissionedkeyids to obtain a list of all currently
decommissioned key IDs to be deleted after decommissioning key IDs manually from the key
vault.
FabricAdmin:switch> cryptocfg --show -decommissionedkeyids
4. Enter the cryptocfg --show -vendorspecific_keyid <key_id> command to list the
vendor-specific key information for a given key ID.
FabricAdmin:switch> cryptocfg --show -vendorspecific_keyid AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4
uuid = b7e07a6a-db64-40c2-883a-0bc6c4e923e6
5. Manually delete the listed key IDs from the key vault.
6. Enter the cryptocfg --delete -decommissionedkeyids command to purge all key IDs
associated with a decommissioned LUN.
FabricAdmin:switch> cryptocfg --delete -decommissionedkeyids
7. Enter the cryptocfg --show -decommissionedkeyids command to verify that the deleted
key IDs are no longer listed.
The cache is also cleared when cryptocfg --zeroizeEE is executed on the encryption engine.
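Step 6 purges the same list that step 3 displays, so it is worth confirming that step 5 really removed every key from the vault before running it. The following Python sketch is an added example, not part of the guide: it parses saved step 4 output in the format shown above and reports which key IDs should hold up step 6. The vault inventory (a set of uuids exported from the key vault) and the function names are assumptions, and all sample values other than the guide's own key ID and uuid are constructed.

```python
import re

# Key ID format as printed in step 4: 16 colon-separated hex bytes.
KEY_ID = re.compile(r"\b[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){15}\b")
# Vendor-specific line as printed in step 4: "uuid = <uuid>".
UUID_LINE = re.compile(r"uuid\s*=\s*([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")

# Constructed transcript of three step 4 queries. Only the first key ID and
# uuid come from the guide; the other values are made up for the example.
SAMPLE = """\
FabricAdmin:switch> cryptocfg --show -vendorspecific_keyid AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4
uuid = b7e07a6a-db64-40c2-883a-0bc6c4e923e6
FabricAdmin:switch> cryptocfg --show -vendorspecific_keyid 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10
FabricAdmin:switch> cryptocfg --show -vendorspecific_keyid 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
uuid = 00000000-0000-4000-8000-000000000001
"""
# Assumption: uuids still present in the key vault, exported by the vault admin.
VAULT_UUIDS = {"00000000-0000-4000-8000-000000000001"}


def parse_step4(text):
    """Map each queried key ID to the uuid the switch reported (None if none)."""
    mapping, pending = {}, None
    for line in text.splitlines():
        key = KEY_ID.search(line)
        if key:
            pending = key.group(0).upper()
            mapping[pending] = None
            continue
        found = UUID_LINE.fullmatch(line.strip())
        if found and pending:
            mapping[pending] = found.group(1).lower()
            pending = None
    return mapping


def keys_blocking_purge(mapping, vault_uuids):
    """Return {key_id: reason} for keys that should hold up step 6."""
    vault = {u.lower() for u in vault_uuids}
    blockers = {}
    for key_id, uuid in mapping.items():
        if uuid is None:
            blockers[key_id] = "no uuid recorded, vault deletion cannot be confirmed"
        elif uuid in vault:
            blockers[key_id] = "still present in key vault as " + uuid
    return blockers


if __name__ == "__main__":
    for key_id, reason in keys_blocking_purge(parse_step4(SAMPLE), VAULT_UUIDS).items():
        print(key_id, "->", reason)
```

An empty result means every listed key ID resolved to a uuid that is no longer in the vault inventory.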
NOTES:
• When a decommissioned LUN is reused and the decommissioned key IDs are listed using the
cryptocfg --show -decommissionedkeyids command, the entire list of decommissioned key
IDs since the first time the LUN was used is displayed.