Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)
1 Terminology
The following are definitions of terms used extensively in this document.
ciphertext
Encrypted data.
cleartext
Unencrypted data.
CryptoModule
An alternative term for encryption engine. The term CryptoModule is used primarily in
the context of FIPS authentication.
Data Encryption Key (DEK)
An encryption key generated by the encryption engine. The DEK is used to encrypt
cleartext received from a host before it is sent to a target LUN, and to decrypt that data
when it is retrieved by the host.
Data Encryption Key Cluster (DEK Cluster)
A cluster of encryption engines which can host all paths to a LUN and share the same
data encryption key (DEK) set. The encryption engines can be in the same or different
fabrics. DEK clusters enable host MPIO failover.
Encryption Engine
The entity within a node that performs encryption operations, including the generation
of Data Encryption Keys.
Encryption Group
A collection of one or more DEK clusters, HA clusters, or both, that share the same
key vault and device configuration and are managed as a single group.
Failback
In the context of this implementation of encryption, failback refers to behavior after a
failed encryption switch recovers. Devices that were transferred to another switch by
failover processing may be transferred back automatically, or they may be switched
back manually. Which of the two applies is a configuration option.
Failover
In the context of this implementation of encryption, failover refers to the automatic
transfer of devices hosted by one encryption switch to another encryption switch within
a high availability cluster (HA cluster).
Group Leader
A group leader is a special node within an encryption group which acts as a group and
cluster manager, and manages and distributes all group-wide and cluster-wide
configurations to all members of the group or cluster.
High Availability Cluster (HA Cluster)
A collection of peer-level encryption engines that provide failover capabilities within a
fabric.
Key Encryption Key
A key used to encrypt and decrypt Data Encryption Keys (DEKs) within encryption
devices, so that DEKs can be transmitted securely outside the encryption engines and
stored persistently in key vaults.
Link Key
A shared secret exchanged between an encryption engine and a FIPS 140-2 level 3
certified key management appliance and key vault. The link key is used to encrypt Data
Encryption Keys (DEKs) in transit to and from the key vault. The key management
appliance decrypts the DEKs and stores them encrypted with its own master key.
Master Key
An encryption key used to encrypt and decrypt DEKs when storing DEKs in opaque
key vaults such as RSA RKM. There is one master key per encryption group, so all
node encryption engines within an encryption group use the same master key to
encrypt and decrypt the DEKs.
Node
In terms of encryption, a switch, DCX, or DCX-4S through which users can manage an
encryption engine.
Opaque Key Vault
A storage location that provides untrusted key management functionality. Its contents
may be visible to a third party. DEKs in an opaque key vault are therefore stored
encrypted under a master key to protect them.
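The Master Key and Opaque Key Vault entries above describe a two-level key hierarchy: the encryption engine generates a DEK, wraps it under the encryption group's master key, and hands only the wrapped form to a vault that is not trusted to keep secrets. The following Go program is an added illustration of that hierarchy and is not Brocade's code; the guide does not state which wrapping algorithm Fabric OS uses, so AES-256-GCM is assumed here as the wrapping primitive, the vault is modeled as a plain map, and all keys are randomly generated for the demonstration. It shows the property the definitions rely on: the vault never holds a cleartext DEK, an engine holding the group master key recovers the DEK, and an engine from a different group (different master key) cannot.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds an AES-GCM instance from a 16-, 24- or 32-byte master key.
func newAEAD(masterKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapDEK encrypts a Data Encryption Key under the group master key so that it
// can be stored in an opaque key vault. Output layout (assumed for this
// example): nonce || ciphertext || GCM tag. This is all the vault ever sees.
func WrapDEK(masterKey, dek []byte) ([]byte, error) {
	aead, err := newAEAD(masterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce used as dst.
	return aead.Seal(nonce, nonce, dek, nil), nil
}

// UnwrapDEK recovers a DEK from its wrapped form. Only an engine holding the
// same master key (a member of the same encryption group) succeeds; a wrong
// master key or a tampered vault record fails GCM authentication.
func UnwrapDEK(masterKey, wrapped []byte) ([]byte, error) {
	aead, err := newAEAD(masterKey)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < aead.NonceSize() {
		return nil, errors.New("wrapped DEK too short")
	}
	nonce, ct := wrapped[:aead.NonceSize()], wrapped[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// newKey generates a random key of n bytes (an engine-side operation).
func newKey(n int) []byte {
	k := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

// Demo walks the DEK lifecycle against a constructed opaque vault and reports
// whether every expected property held, so the result can be asserted on.
func Demo() (bool, error) {
	groupMasterKey := newKey(32)      // one master key per encryption group
	otherGroupMasterKey := newKey(32) // a different encryption group
	dek := newKey(32)                 // generated by the encryption engine
	vault := map[string][]byte{}      // untrusted store: LUN id -> wrapped DEK

	wrapped, err := WrapDEK(groupMasterKey, dek)
	if err != nil {
		return false, err
	}
	vault["lun-0001"] = wrapped // constructed LUN identifier

	stored := vault["lun-0001"]
	if bytes.Equal(stored, dek) {
		return false, errors.New("vault must never hold the cleartext DEK")
	}
	recovered, err := UnwrapDEK(groupMasterKey, stored)
	if err != nil || !bytes.Equal(recovered, dek) {
		return false, errors.New("same-group engine should recover the DEK")
	}
	if _, err := UnwrapDEK(otherGroupMasterKey, stored); err == nil {
		return false, errors.New("other-group master key must not unwrap the DEK")
	}
	return true, nil
}

func main() {
	ok, err := Demo()
	fmt.Println("key hierarchy behaves as expected:", ok, "error:", err)
}
```

Because the DEK is wrapped with an authenticated mode, a vault record altered in transit or at rest is rejected rather than yielding a corrupted DEK; that is the practical reason an opaque vault's contents may be visible to third parties without compromising the data on the LUN, while loss of the group master key makes every wrapped DEK unrecoverable.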
Redirection zone
When encryption is implemented, data traffic is routed to and from virtual initiators and
virtual targets. Redirection zones are automatically created to enable frame redirection
to the virtual initiators and virtual targets.