Administrator's Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) Instruction Manual
40 Fabric OS Encryption Administrator’s Guide (SKM/ESKM)
53-1002923-01
ESKM/SKM key vault deregistration
Deregistration of either the primary or secondary ESKM/SKM key vault from an encryption switch or blade is allowed independently.
• Deregistration of Primary ESKM: You can deregister the primary ESKM/SKM from an encryption switch or blade without deregistering the backup or secondary ESKM/SKM, for maintenance or replacement purposes. Future key operations will use only the secondary ESKM/SKM until the primary ESKM/SKM is reregistered on the Brocade Encryption Switch or blade.
When the primary ESKM/SKM is replaced with a different ESKM/SKM, you must first synchronize the DEKs from the secondary ESKM/SKM before reregistering the primary ESKM/SKM.
• Deregistration of Secondary ESKM: You can deregister the secondary ESKM/SKM independently. Future key operations will use only the primary ESKM/SKM until the secondary ESKM/SKM is reregistered on the encryption switch or blade.
When the secondary ESKM/SKM is replaced with a different ESKM/SKM, you must first synchronize the DEKs from the primary ESKM/SKM before reregistering the secondary ESKM/SKM.
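The following Python model, added here as an illustration and not code from this guide or from Brocade/HP, captures the deregistration rules above: either vault can be removed on its own, key operations continue against whatever is still registered, and a replacement vault cannot be reregistered until the DEKs held by the surviving vault have been synchronized to it. Vault names and DEK identifiers are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Vault:
    """One ESKM/SKM appliance; deks is the set of DEK identifiers it holds."""
    name: str
    deks: set = field(default_factory=set)


class VaultRegistration:
    """Models the primary/secondary registration rules described in the guide.
    Illustrative only; vault names and DEK identifiers are constructed."""

    def __init__(self, primary: Vault, secondary: Vault):
        self.registered = {"primary": primary, "secondary": secondary}

    def deregister(self, role: str) -> Vault:
        """Remove one vault independently; the other keeps serving key operations."""
        if role not in self.registered:
            raise ValueError(f"{role} vault is not registered")
        return self.registered.pop(role)

    def store_dek(self, dek_id: str) -> list:
        """A key operation writes the DEK to every currently registered vault."""
        if not self.registered:
            raise RuntimeError("no ESKM/SKM registered: key operations cannot proceed")
        for vault in self.registered.values():
            vault.deks.add(dek_id)
        return sorted(self.registered)

    def missing_deks(self, replacement: Vault) -> set:
        """DEKs held by the surviving vault(s) that the replacement lacks."""
        surviving = set().union(*(v.deks for v in self.registered.values()))
        return surviving - replacement.deks

    def synchronize(self, replacement: Vault) -> int:
        """Copy the missing DEKs to the replacement; returns how many were copied."""
        missing = self.missing_deks(replacement)
        replacement.deks |= missing
        return len(missing)

    def reregister(self, role: str, vault: Vault) -> None:
        """Refuse to register a replacement vault until it holds every DEK."""
        if role in self.registered:
            raise ValueError(f"{role} vault is already registered")
        missing = self.missing_deks(vault)
        if missing:
            raise RuntimeError(f"synchronize {len(missing)} DEK(s) to {vault.name} first")
        self.registered[role] = vault
```

A DEK created while the primary was deregistered exists only on the secondary, which is why the model blocks reregistering a replacement primary until that DEK has been copied over.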
Encryption preparation
Before you use the encryption setup wizard for the first time, you should have a detailed configuration plan in place and available for reference. The encryption setup wizard assumes the following:
• You have a plan in place to organize encryption devices into encryption groups.
• If you want redundancy and high availability in your implementation, you have a plan to create high availability (HA) clusters of two encryption switches or blades to provide failover support.
• All switches in the planned encryption group are interconnected on an I/O sync LAN.
• The management ports on all encryption switches and DCX Backbone Chassis CPs that have encryption blades installed have a LAN connection to the SAN management program and are available for discovery.
• A supported key management appliance is connected on the same LAN as the encryption switches, DCX Backbone Chassis CPs, and the SAN management program.
• An external host is available on the LAN to facilitate certificate exchange.
• Switch KAC certificates have been signed by a CA and stored in a known location.
• Key management system (key vault) certificates have been obtained and stored in a known location.