Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

Tape pool configuration
Modifying a tape pool
1. Log in to the group leader as FabricAdmin.
2. Enter the cryptocfg --modify -tapepool command followed by a tape pool label or number.
Then specify a new policy, encryption format, or both. The following example changes the
encryption format from Brocade native to DF-compatible.
FabricAdmin:switch>cryptocfg --modify -tapepool -label my_tapepool -encryption_format DF_compatible
Operation succeeded.
3. Commit the transaction.
FabricAdmin:switch>cryptocfg --commit
Operation succeeded.
Impact of tape LUN configuration changes
LUN-level policies apply when no policies are configured at the tape pool level. The following
restrictions apply when modifying tape LUN configuration parameters:
• If you change a tape LUN policy from encrypt to cleartext or from cleartext to encrypt, or if you
  change the encryption format from Brocade native to DF-compatible while data is written to or
  read from a tape backup device, the policy change is not enforced until the current process
  completes and the tape is unmounted, rewound, or overwritten. This mechanism prevents the
  appending of cleartext data to cipher-text data on the tape.
• Make sure you understand the ramifications of changing the tape LUN encryption policy from
  encrypt to cleartext or from cleartext to encrypt. Refer to “DF-compatibility support for tape
  LUNs” on page 221 for information on the impact of policy changes when working in
  DataFort-compatible encryption format.
• You cannot modify the key lifespan value. If you wish to modify the key lifespan, delete and
  recreate the LUN with a different key lifespan value.
Impact of tape pool configuration changes
Tape pool-level policies overrule policy configurations at the LUN level, when no policies are
configured at the tape pool level. The following restrictions apply when modifying tape pool-level
configuration parameters:
• If you change the tape pool policy from encrypt to cleartext or from cleartext to encrypt, or if you
  change the encryption format from Brocade native to DF-compatible while data is written to or
  read from a tape backup device, the policy change is not enforced until the current process
  completes and the tape is unmounted, rewound, or overwritten. This mechanism prevents the
  appending of cleartext data to cipher-text data on the tape.
• You cannot modify the tape pool label or the key lifespan value. If you wish to modify these
  tape pool attributes, delete the tape pool and create a new tape pool with a different label and
  key lifespan.
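The following Python model is an added illustration of the tape pool change rules above; it is not Brocade code and does not talk to a switch. The class, method, and event names, the key lifespan unit, and immediate enforcement when no job is active are assumptions made for the model.

```python
from dataclasses import dataclass, field

IMMUTABLE = {"label", "key_lifespan"}            # per the guide: delete and recreate instead
MODIFIABLE = {"policy", "encryption_format"}
ENFORCING_EVENTS = {"unmount", "rewind", "overwrite"}

@dataclass
class TapePoolModel:                             # hypothetical name, illustration only
    label: str
    key_lifespan: int                            # constructed unit: days
    policy: str = "encrypt"                      # "encrypt" or "cleartext"
    encryption_format: str = "native"            # "native" or "DF_compatible"
    job_active: bool = False                     # data is being written to or read from tape
    pending: dict = field(default_factory=dict)  # committed but not yet enforced
    segments: list = field(default_factory=lambda: [[]])  # policy per record, per tape pass

    def modify(self, **changes):
        blocked = IMMUTABLE & changes.keys()
        if blocked:
            raise ValueError(f"{sorted(blocked)} cannot be modified; delete and recreate the pool")
        if changes.keys() - MODIFIABLE:
            raise ValueError(f"unknown attributes: {sorted(changes.keys() - MODIFIABLE)}")
        if self.job_active:
            self.pending.update(changes)         # held back until an enforcing tape event
            return "deferred"
        self._apply(changes)                     # assumption: no active job, enforce at once
        return "enforced"

    def _apply(self, changes):
        for name, value in changes.items():
            setattr(self, name, value)

    def write(self, records=1):
        self.job_active = True
        self.segments[-1].extend([self.policy] * records)

    def tape_event(self, event):
        if event not in ENFORCING_EVENTS:
            raise ValueError(f"unknown tape event: {event}")
        self.job_active = False                  # simplification: the event ends the current job
        self._apply(self.pending)
        self.pending = {}
        self.segments.append([])                 # next write starts a new pass over the medium

    def mixed_segments(self):
        # Passes holding both cleartext and encrypted records; deferral keeps this empty.
        return [s for s in self.segments if len(set(s)) > 1]

def demo():
    pool = TapePoolModel(label="my_tapepool", key_lifespan=30)  # constructed values
    pool.write(2)
    result = pool.modify(policy="cleartext")     # arrives mid-job
    pool.write(2)                                # still written under "encrypt"
    pool.tape_event("unmount")
    pool.write(1)                                # now written under "cleartext"
    return result, pool.segments, pool.mixed_segments()
```
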