Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)
RKM key vault High Availability handling
It is strongly recommended that you deploy two RKM key vaults, a primary and a secondary key
vault, for redundancy purposes. However, the RKM key vault has no notion of High Availability,
which means that archival and retrieval operations may be performed on redundant key vaults under
normal operating conditions, but the systems have no knowledge of each other and can fall out of
sync under error conditions. To prevent this from happening, both primary and secondary RKM key
vaults must be installed and registered with the encryption group members before you configure
any CryptoTarget containers or LUNs.
NOTE
Installing or registering either a primary or secondary RKM key vault after configuring CryptoTarget
containers or LUNs results in out-of-sync operation of the two key vaults. This causes disruptive
behavior and possibly data corruption.
To configure a backup (secondary) RKM key vault, repeat the entire procedure described in the
section “RKM configuration scenario” on page 114 on an alternate RKM backup server. When
registering the backup RKM key vault on the group leader, specify the RKM as the “secondary” key
vault.
When primary and secondary key vaults are configured, the following rules apply to data encryption
key (DEK) archival and retrieval operations:
• For DEK archival operations:
• The master key is archived to both primary and backup key vaults before the master key is
used for cryptographic operations.
• If the key archival to the primary key vault fails because of temporary (non-fatal) key vault
failure, the key archival operation aborts and generates a RASLOG ERROR. The key
archival operation does not continue until the primary key vault is back online.
• For DEK retrieval operations:
• Under normal operating conditions, the master key is retrieved from the primary key vault.
If the operation succeeds, there are no issues.
• If key retrieval from the primary key vault fails, the master key is retrieved from the backup
key vault. If the operation succeeds, there are no issues.
• If key retrieval from both primary and backup key vaults fails, the system logs a RASLOG
ERROR and aborts the key retrieval operation.
NOTE
In the event of an unrecoverable failure of one of the RKMs, replace the RKM. To avoid potential
data corruption due to multiple master keys, it is of utmost importance that you synchronize the
replacement RKM with the key database from the working key vault or from the archived database.
Both key vaults must be in sync with respect to the key database before you can register the
replacement key vault with the encryption group. Refer to the RKM server product documentation
for instructions on synchronizing the databases.
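The archival and retrieval rules listed above, and the out-of-sync condition the two notes warn about, written out as a small Python model. This is an example added here, not Brocade code and not a Fabric OS or RKM API: MockKeyVault, RedundantKeyStore, VaultUnavailable and the out_of_sync_keys check are names constructed for illustration, the "RASLOG ERROR" strings only mimic the log messages the guide mentions, and the decision to treat a failed archival to the secondary vault the same way as a failed archival to the primary is an assumption the guide does not state.

```python
# Added example, not Brocade code: models the primary/secondary RKM key vault
# archival and retrieval rules. All class and function names are hypothetical.
import logging
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

log = logging.getLogger("rkm-model")


class VaultUnavailable(Exception):
    """Raised by a vault that is temporarily (non-fatally) unreachable."""


@dataclass
class MockKeyVault:
    """Stand-in for one RKM key vault; it knows nothing about its peer."""
    name: str
    online: bool = True
    keys: Dict[str, bytes] = field(default_factory=dict)

    def archive(self, key_id: str, dek: bytes) -> None:
        if not self.online:
            raise VaultUnavailable(self.name)
        self.keys[key_id] = dek

    def retrieve(self, key_id: str) -> bytes:
        if not self.online:
            raise VaultUnavailable(self.name)
        return self.keys[key_id]  # KeyError if this vault never received the key


class RedundantKeyStore:
    """Applies the guide's archival/retrieval rules to a primary and a secondary vault."""

    def __init__(self, primary: MockKeyVault, secondary: MockKeyVault) -> None:
        self.primary = primary
        self.secondary = secondary

    def archive_dek(self, key_id: str, dek: bytes) -> bool:
        """Archive to both vaults; the key may be used only if this returns True.

        Guide rule: a primary failure aborts the operation with a RASLOG ERROR and
        there is no fallback to the secondary alone. Aborting on a secondary
        failure as well is an assumption of this model.
        """
        for vault in (self.primary, self.secondary):
            try:
                vault.archive(key_id, dek)
            except VaultUnavailable:
                log.error("RASLOG ERROR: archival of %s to %s failed; aborting",
                          key_id, vault.name)
                return False
        return True

    def retrieve_dek(self, key_id: str) -> Optional[bytes]:
        """Retrieve from the primary, fall back to the secondary, abort if both fail."""
        for vault in (self.primary, self.secondary):
            try:
                return vault.retrieve(key_id)
            except (VaultUnavailable, KeyError):
                log.warning("retrieval of %s from %s failed", key_id, vault.name)
        log.error("RASLOG ERROR: retrieval of %s failed on both vaults; aborting", key_id)
        return None

    def out_of_sync_keys(self) -> Set[str]:
        """Key IDs whose presence or value differs between the two vaults.

        Consistency check added for this example (not a Fabric OS command); it
        detects the divergence the guide warns about and needs both vaults online.
        """
        if not (self.primary.online and self.secondary.online):
            raise VaultUnavailable("both vaults must be online to compare")
        p, s = self.primary.keys, self.secondary.keys
        return {k for k in set(p) | set(s) if p.get(k) != s.get(k)}


def demo() -> dict:
    """Walk the model through the cases the guide enumerates (constructed data)."""
    primary, secondary = MockKeyVault("rkm-primary"), MockKeyVault("rkm-secondary")
    store = RedundantKeyStore(primary, secondary)
    results = {}
    results["archive_both_online"] = store.archive_dek("dek-001", b"\x01" * 32)
    primary.online = False
    results["archive_primary_down"] = store.archive_dek("dek-002", b"\x02" * 32)
    results["retrieve_via_secondary"] = store.retrieve_dek("dek-001")
    secondary.online = False
    results["retrieve_both_down"] = store.retrieve_dek("dek-001")
    primary.online = secondary.online = True
    secondary.keys["dek-999"] = b"\x09" * 32  # constructed divergence between vaults
    results["out_of_sync"] = store.out_of_sync_keys()
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The asymmetry is the point: archival is all-or-nothing so that a key is never usable before both vaults hold it, while retrieval tolerates one unavailable vault. The out_of_sync_keys check is what you would run (in whatever form the RKM product offers) before registering a replacement vault, since the model shows how a vault that missed an archival silently diverges.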