Administrator's Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
53-1002925-01
7. Enable the LUN.
FabricAdmin:switch> cryptocfg --enable -LUN <crypto target container name> \
<LUN Num> <Initiator PWWN>
8. Modify the LUN to encrypted.
FabricAdmin:switch> cryptocfg --modify -LUN <crypto target container name> \
<LUN Num> <Initiator PWWN> 0 -lunstate encrypted -encryption_format native \
-encrypt
9. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name,
the LUN Number, and the initiator PWWN.
FabricAdmin:switch> cryptocfg --enable -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a
Operation Succeeded
Force-enabling a disabled disk LUN for encryption
You can force a disk LUN to become enabled for encryption when encryption is disabled on the
LUN. A LUN may become disabled for various reasons, such as a change in policy from encrypt to
cleartext when encrypted data (and metadata) exist on the LUN, a conflict between LUN policy and
LUN state, or a missing DEK in the key vault. Force-enabling a LUN while metadata exist on the LUN
may result in data loss and should be done with caution. Refer to Chapter 6, “LUN policy
troubleshooting” on page 244 for a description of conditions under which a LUN may be disabled,
and for recommendations on re-enabling the LUN while minimizing the risk of data loss.
This procedure must be performed on the local switch that is hosting the LUN. No commit is
required after executing the force-enable command.
1. Log in to the switch that hosts the LUN as Admin or FabricAdmin.
2. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name,
the LUN Number, and the initiator PWWN.
FabricAdmin:switch> cryptocfg --enable -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a
Operation Succeeded
Tape pool configuration
Tape pools are used by tape backup application programs to group all configured tape volumes into
a single backup to facilitate their management within a centralized backup plan. A tape pool is
identified by either a name or a number, depending on the backup application. Tape pools have the
following properties:
• They are configured and managed per encryption group at the group leader level.
• All encryption engines in the encryption group share the same tape pool policy definitions.
• Tape pool definitions are only used when writing tapes. The tape contains enough information
(encryption method and key ID) to enable any encryption engine to read the tape.
• Tape pool names and numbers must be unique within the encryption group.