Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

Crypto LUN configuration
CAUTION
In case of multiple paths for a LUN, each path is exposed as a CryptoTarget container in the same encryption switch or blade or on different encryption switches or blades within the encryption group. In this scenario you must remove the LUNs from all exposed CryptoTarget containers before you commit the transaction. Failure to do so may result in a potentially catastrophic situation where one path ends up being exposed through the encryption switch and another path has direct access to the device from a host outside the protected realm of the encryption platform. Refer to the section “Configuring a multi-path Crypto LUN” on page 152 for more information.
Crypto LUN parameters and policies
The encryption parameters and policies in Table 9 can be specified for a disk or tape LUN, either during LUN configuration (with the cryptocfg --add LUN command) or at a later time (with the cryptocfg --modify LUN command). Some policies are applicable only to disk LUNs.
NOTE
LUN policies are configured at the LUN level but apply to the entire HA or DEK cluster. For multi-path LUNs exposed through multiple target ports, and thus configured on multiple CryptoTarget containers on different encryption engines in an HA cluster or DEK cluster, the same LUN policies must be configured. Failure to do so results in unexpected behavior and may lead to data corruption. The tape policies specified at the LUN configuration level take effect if you do not create tape pools or configure policies at the tape pool level.
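The two rules above (identical policies on every path of a multi-path LUN, and removal from every CryptoTarget container before a transaction is committed) can be audited offline from a dump of the container configuration. The following Python is an added example, not Brocade's own tooling or code from this guide; the container names, LUN names and the dictionary layout are assumptions standing in for parsed cryptocfg output, and the policy keys mirror the Table 9 parameters.

```python
"""Audit multi-path Crypto LUN policy consistency (constructed example)."""
from collections import defaultdict

# Constructed sample: each CryptoTarget container exposes LUNs with their
# policies. Names are made up; in practice this would be parsed from a
# configuration dump. lun1 deliberately violates the "same policy on every
# path" rule from the NOTE above.
CONTAINERS = {
    "ctc_sw1_port0": {"lun0": {"lunstate": "encrypted", "keyID": None},
                      "lun1": {"lunstate": "cleartext", "keyID": None}},
    "ctc_sw2_port0": {"lun0": {"lunstate": "encrypted", "keyID": None},
                      "lun1": {"lunstate": "encrypted", "keyID": None}},
}


def paths_by_lun(containers):
    """Map each LUN to the containers (paths) that expose it and their policy."""
    paths = defaultdict(dict)
    for ctc, luns in containers.items():
        for lun, policy in luns.items():
            paths[lun][ctc] = policy
    return paths


def find_policy_mismatches(containers):
    """Return {lun: {container: policy}} for multi-path LUNs whose per-path
    policies differ; these are the configurations the NOTE warns about."""
    mismatched = {}
    for lun, per_path in paths_by_lun(containers).items():
        distinct = {tuple(sorted(p.items())) for p in per_path.values()}
        if len(per_path) > 1 and len(distinct) > 1:
            mismatched[lun] = per_path
    return mismatched


def check_removal_transaction(containers, removed):
    """removed: set of (container, lun) pairs staged for removal in one
    transaction. Return LUNs that a commit would leave exposed on some paths
    but not others, i.e. the CAUTION condition (one path still encrypted,
    another path reaching the device directly)."""
    partial = []
    for lun, per_path in paths_by_lun(containers).items():
        staged = {ctc for ctc in per_path if (ctc, lun) in removed}
        if staged and staged != set(per_path):
            partial.append(lun)
    return sorted(partial)
```

A clean commit is one where find_policy_mismatches returns an empty dict and check_removal_transaction returns an empty list for the staged removals.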
TABLE 9 LUN parameters and policies

Policy name: LUN state (Disk LUN: yes; Tape LUN: no; Modify? no)
Command parameters: -lunstate encrypted | cleartext
Description: Sets the encryption state for the LUN. Valid values are:
  cleartext - Default LUN state. Refer to policy configuration considerations for compatibility with other policy settings.
  encrypted - Metadata on the LUN containing the key ID of the DEK that was used for encrypting the LUN is used to retrieve the DEK from the key vault. DEKs are used for encrypting and decrypting the LUN.

Policy name: Key ID (Disk LUN: yes; Tape LUN: no; Modify? no)
Command parameters: -keyID Key_ID
Description: Specifies the key ID. Use this option only if the LUN was encrypted but does not include the metadata containing the key ID for the LUN. This is a rare case for LUNs encrypted in Native (Brocade) mode. However, for LUNs encrypted with DataFort v2.0, a key ID is required, because these LUNs do not contain any metadata.