Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

ManualsBrandsHP ManualsStorageHP Encryption SAN Switch

161

162

163

164

165

166

167

168

169

170

150 Encryption Administrator’s Guide

53-1001201-04

Crypto LUN configuration

For specific handling of encryption policy changes when using DF-compatible encryption format,

refer to Appendix D “DF-compatibility support for disk LUNs” on page 217 and “DF-compatibility

support for tape LUNs” on page 221.

Force-enabling a disabled LUN for encryption

You can force a LUN to become enabled for encryption when encryption is disabled on the LUN. A

LUN may become disabled for various reasons, such as a change in policy from encrypt to cleartext

when encrypted data (and metadata) exist on the LUN, a conflict between LUN policy and LUN

state, or a missing DEK in the key vault. Force-enabling a LUN while metadata exist on the LUN may

result in a loss of data and should be exercised with caution. Refer to Appendix B, “LUN policy

troubleshooting” on page 214 for a description of conditions under which a LUN may be disabled,

and for recommendations on re-enabling the LUN while minimizing the risk of data loss.

This procedure must be performed on the local switch that is hosting the LUN. No commit is

required to force-enable after executing this command.

1. Log into the switch that hosts the LUN as Admin or FabricAdmin.

2. Enter the cryptocfg

--enable -LUN command followed by the CryptoTarget container name,

the LUN Number, and the initiator PWWN.

FabricAdmin:switch>cryptocfg --enable -LUN my_disk_tgt 0x0 \

10:00:00:00:c9:2b:c9:3a

Operation Succeeded

Configuring a tape LUN

This example shows how to configure a tape storage device. The basic setup procedure is the

same as for disk devices. Only a subset of configuration options and policy settings are available

for tape LUNs. Refer to Table 9 on page 147 for tape LUN configuration options.

1. Create a zone that includes the initiator (host) and the target port. Refer to the section

“Creating an initiator - target zone” on page 139 for instructions.

2. Create a CryptoTarget container of type tape. Refer to the section “Creating a CryptoTarget

container” on page 140 for instructions.

a. Create the container.

FabricAdmin:switch>cryptocfg --create -container tape my_tape_tgt \

10:00:00:05:1e:41:9a:7e 20:0c:00:06:2b:0f:72:6d 20:00:00:06:2b:0f:72:6d

Operation Succeeded

b. Add an initiator to the CryptoTarget container “my_tape_tgt”.

FabricAdmin:switch>cryptocfg --add -initiator my_tape_tgt \

10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a

Operation Succeeded

c. Commit the transaction

FabricAdmin:switch>cryptocfg --commit

Operation Succeeded

3. Configure the Crypto tape LUN. Refer to the section “Configuring a Crypto LUN” on page 145

for instructions.