Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)
Key vault configuration
Fabric OS 6.2.0 supports three third-party key management and archival solutions: the NetApp
Lifetime Key Management (LKM) appliance, the RSA Key Manager (RKM), and the Hewlett Packard
Secure Key Manager (SKM).
Key vault configuration is performed on the group leader. Once the key vault is set up, it is shared
among all members of the encryption group.
You must complete the basic encryption group configuration before setting up a key vault.
Setting up an LKM key vault
Setting up an LKM key vault consists of the following steps:
• Authenticating the NetApp LKM appliance (both primary and secondary if deployed in HA
fashion) with the group leader by registering certificates containing the public key and IP
address with the group leader. The group leader automatically distributes the certificate and
the IP address of the NetApp LKM appliance to all group members.
• Authenticating each member node with the NetApp LKM appliance (both primary and
secondary if deployed in HA fashion). For each node in the encryption group, the IP address
and the certificate containing the public key are registered with the NetApp LKM appliance.
The registered certificate is a special-purpose KAC certificate that contains license information
related to the LKM.
• Establishing a “trusted link” between the NetApp LKM appliance and each member node. As
part of the trusted link establishment, a shared secret called a link key is passed between the
two entities. The link key is subsequently used for encrypting the DEKs for archival to the
NetApp LKM appliance or for decrypting the encrypted DEKs for retrieval from the NetApp LKM
appliance.
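The three steps above form a small trust-establishment protocol, and the security property worth seeing is that the vault only ever stores DEKs wrapped under a node's link key. The following Python model is an added illustration written for this page; it is not Brocade or NetApp code and does not reproduce the appliance's actual certificate format, link-key exchange or wrapping algorithm (none of which this page specifies). The Certificate, KeyVault and EncryptionNode classes, the wrap_dek/unwrap_dek functions and the HMAC-SHA256 based wrap are all assumptions chosen so the example runs with the standard library alone; link keys are modeled as fresh random secrets.

```python
"""Conceptual model of the LKM trusted link (added illustration, not vendor code).

Models three things from the text: (1) the group leader registers the vault's
certificate (public key + IP) and pushes it to every member, (2) each member's
certificate is registered with the vault, and (3) a per-node link key wraps
DEKs before archival, so the vault only ever stores ciphertext.  The wrap is a
simple encrypt-then-MAC built from HMAC-SHA256 so the example needs no third-
party library; the real appliance's wrapping algorithm is not on this page.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for a KAC certificate: identity, public key, IP."""
    subject: str
    public_key: bytes
    ip: str


def _keystream(link_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative PRF, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(link_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_dek(link_key: bytes, dek: bytes) -> bytes:
    """Encrypt a DEK under the link key and append an integrity tag.

    Output layout: 16-byte nonce || ciphertext || 32-byte HMAC tag.
    """
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(link_key, nonce, len(dek))))
    tag = hmac.new(link_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_dek(link_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt.  Raises ValueError on a wrong link key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(link_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("link key mismatch or tampered archive entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(link_key, nonce, len(ct))))


@dataclass
class KeyVault:
    """Model of the LKM appliance: registered node certificates and wrapped DEKs."""
    cert: Certificate
    registered_nodes: Dict[str, Certificate] = field(default_factory=dict)
    archive: Dict[Tuple[str, str], bytes] = field(default_factory=dict)

    def register_node(self, node_cert: Certificate) -> None:
        self.registered_nodes[node_cert.subject] = node_cert

    def archive_dek(self, subject: str, key_id: str, blob: bytes) -> None:
        # Only nodes whose certificate was registered may archive keys.
        if subject not in self.registered_nodes:
            raise PermissionError(f"{subject} has not registered its certificate")
        self.archive[(subject, key_id)] = blob

    def retrieve(self, subject: str, key_id: str) -> bytes:
        return self.archive[(subject, key_id)]


@dataclass
class EncryptionNode:
    """Model of a group member: learns the vault cert from the group leader."""
    cert: Certificate
    vault_cert: Optional[Certificate] = None
    link_key: Optional[bytes] = None


def configure_group(vault: KeyVault, leader: EncryptionNode,
                    members: List[EncryptionNode]) -> None:
    """Run the three setup steps for the leader and every member."""
    for node in [leader] + members:
        node.vault_cert = vault.cert          # step 1: vault cert distributed
        vault.register_node(node.cert)        # step 2: node cert registered
        node.link_key = os.urandom(32)        # step 3: link key (modeled as random)


def roundtrip(node: EncryptionNode, vault: KeyVault, key_id: str, dek: bytes) -> bytes:
    """Archive a DEK from `node`, then retrieve and unwrap it."""
    vault.archive_dek(node.cert.subject, key_id, wrap_dek(node.link_key, dek))
    return unwrap_dek(node.link_key, vault.retrieve(node.cert.subject, key_id))
```

The point of the model is the failure path: a DEK archived by one node cannot be unwrapped with another node's link key, and a node that never registered its certificate cannot archive at all. Operationally, that is why the link key itself must be backed up out of band; losing it leaves the archived DEKs unrecoverable even though the vault still holds them.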
LKM configuration scenario
The following scenario describes the steps for configuring a primary NetApp LKM key vault that can
be shared by the members of the encryption group "brocade." The encryption group has one group
leader and one member node.
1. Log into the group leader as Admin or SecurityAdmin.
2. Set the LKM key vault type by entering the cryptocfg --set -keyvault command with the LKM
option. Successful execution sets the key vault type for the entire encryption group.
SecurityAdmin:switch>cryptocfg --set -keyvault LKM
Set key vault status: Operation Succeeded.
3. Install the NetApp DataFort Management Console (DMC). Refer to the product documentation
for installation instructions.
a. Attach a USB card reader.
b. Install the DMC on a Windows host.