Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

Tape key expiry
When the tape key expires in the middle of a write operation on the tape, the key continues to be
used for the duration of that write operation to append the data on the tape media. When the backup
application rewinds the media and starts writing to block zero again, a new key is created and used
for subsequent operations. The expired key is thereafter marked read-only and used only for
restoring data from tapes already encrypted with it.
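The following model, added here as an illustration and not taken from Fabric OS or the Brocade guide, traces a DEK through the lifecycle just described: an expired key is kept for the remainder of the in-progress write, a rewind to block zero triggers a fresh key, and the retired key stays available (read-only) for restores. Class and key names, and the simulated clock that advances per block written, are the example's own assumptions.

```python
"""Illustrative model of tape DEK handling around key expiry (hypothetical, not Fabric OS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class TapeKey:
    key_id: str
    expires_at: int          # simulated clock value at which the key expires
    read_only: bool = False  # retired keys may only be used to decrypt existing tapes

    def expired(self, now: int) -> bool:
        return now >= self.expires_at


@dataclass
class TapeSession:
    """Tracks which DEK one tape drive uses across write, rewind and restore operations."""
    key_lifetime: int
    now: int = 0                         # simulated clock (assumption: one tick per block written)
    next_key_serial: int = 1
    active_key: Optional[TapeKey] = None
    write_in_progress: bool = False
    key_store: Dict[str, TapeKey] = field(default_factory=dict)   # key_id -> TapeKey

    def _new_key(self) -> TapeKey:
        key = TapeKey(f"dek-{self.next_key_serial}", self.now + self.key_lifetime)
        self.next_key_serial += 1
        self.key_store[key.key_id] = key
        return key

    def start_write(self, block: int) -> str:
        """Begin a write operation at the given block.

        Only a write starting at block zero (i.e. after a rewind) replaces an expired
        key; the expired key is retired to read-only and a new DEK is created.
        """
        if block == 0 and (self.active_key is None or self.active_key.expired(self.now)):
            if self.active_key is not None:
                self.active_key.read_only = True
            self.active_key = self._new_key()
        self.write_in_progress = True
        return self.active_key.key_id

    def append(self, blocks: int) -> str:
        """Append blocks to the tape, advancing the clock.

        The key is never swapped mid-write: even if it expires while the operation
        is running, the same DEK is used until the write completes.
        """
        if not self.write_in_progress:
            raise RuntimeError("append outside a write operation")
        self.now += blocks
        return self.active_key.key_id

    def end_write(self) -> None:
        self.write_in_progress = False

    def rewind(self) -> None:
        self.write_in_progress = False

    def restore(self, key_id: str) -> bool:
        """Restores may use any key the engine still holds, including retired ones."""
        return key_id in self.key_store

    def can_encrypt_with(self, key_id: str) -> bool:
        """New encryption is only allowed with a key that is neither retired nor expired."""
        key = self.key_store[key_id]
        return not key.read_only and not key.expired(self.now)


def scenario():
    """Constructed walk-through: a key expires during a 160-block write."""
    s = TapeSession(key_lifetime=100)
    first = s.start_write(block=0)     # dek-1 is created
    s.append(150)                      # dek-1 expires at tick 100 but the write goes on
    mid_write = s.append(10)           # still dek-1: no mid-write key change
    s.end_write()
    s.rewind()
    second = s.start_write(block=0)    # writing from block zero again: dek-2 is created
    s.end_write()
    retired = s.key_store[first].read_only
    return (first, mid_write, second, retired,
            s.restore(first), s.can_encrypt_with(first), s.can_encrypt_with(second))


if __name__ == "__main__":
    print(scenario())
```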
DF compatibility for tapes
All versions of NetApp DataFort (DF) tape metaheaders and block formats are supported for
reading, decrypting, and decompressing the tapes.
Only DF version 2.x- and 3.x-compatible tape block formats and metaheaders are supported for
writing and encrypting tapes in DF-compatible format. A DF-compatible license is required.
DF compatibility for disk LUNs
Most versions of NetApp DataFort (DF) disk metaheaders and block formats are supported for
reading, decrypting, and decompressing the disk LUNs. DF 1.x version tapes are not supported for
reading.
Only DF version 3.x-compatible disk block formats and metaheaders are supported for writing and
encrypting disk LUNs in DF-compatible format. A DF-compatible license is required.
Key vault high availability
When two key vaults are used for high availability, both key vaults must be configured on the
encryption engine before enabling the Crypto LUNs for encryption. In this way, archiving of DEKs is
synchronized between the two key vaults. For RKM, the primary key vault must be active for key
archival. For LKM, one key vault must be active, but it may be either the primary or the
secondary key vault.
It is recommended to replicate or back up the DEK database of the key vault server. Follow the
replication or backup procedure provided by the key vault vendor. When one key vault is replaced
due to failure, the DEK database must be restored from the backup or replication source before
registering the replacement key vault on the encryption device.
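As an added example (not code from Fabric OS or the guide), the following model encodes the two preconditions stated above as checks an administrator might mirror in a deployment validation script: Crypto LUNs cannot be enabled until both HA vaults are registered, and DEK archival proceeds only when the vault type's availability rule is met (primary active for RKM, either vault active for LKM). The class names, the `archive_dek` method and the vault names are this example's assumptions.

```python
"""Illustrative model of key-vault HA preconditions for DEK archival (hypothetical, not Fabric OS code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class VaultType(Enum):
    RKM = "RKM"   # primary vault must be active for archival
    LKM = "LKM"   # either vault being active suffices


@dataclass
class KeyVault:
    name: str
    active: bool = True
    archive: Dict[str, bytes] = field(default_factory=dict)   # dek_id -> wrapped DEK


@dataclass
class EncryptionEngine:
    vault_type: VaultType
    primary: Optional[KeyVault] = None
    secondary: Optional[KeyVault] = None
    crypto_luns_enabled: bool = False

    def register_vaults(self, primary: KeyVault, secondary: KeyVault) -> None:
        self.primary, self.secondary = primary, secondary

    def enable_crypto_luns(self) -> bool:
        """Refuse to enable encryption until both HA vaults are configured, so that
        every DEK, from the first one onwards, is archived to both vaults."""
        if self.primary is None or self.secondary is None:
            return False
        self.crypto_luns_enabled = True
        return True

    def archival_possible(self) -> bool:
        """Apply the vault-type specific availability rule."""
        if self.vault_type is VaultType.RKM:
            return self.primary is not None and self.primary.active
        return any(v is not None and v.active for v in (self.primary, self.secondary))

    def archive_dek(self, dek_id: str, wrapped_dek: bytes) -> bool:
        """Archive a wrapped DEK to every active vault; fail closed if the rule is not met."""
        if not self.crypto_luns_enabled or not self.archival_possible():
            return False
        for vault in (self.primary, self.secondary):
            if vault.active:
                vault.archive[dek_id] = wrapped_dek
        return True


def scenarios():
    """Constructed scenarios contrasting the RKM and LKM availability rules."""
    wrapped = b"constructed-wrapped-dek-bytes"   # placeholder, not a real wrapped key

    rkm = EncryptionEngine(VaultType.RKM)
    before_registration = rkm.enable_crypto_luns()            # no vaults yet: refused
    rkm.register_vaults(KeyVault("rkm-primary"), KeyVault("rkm-secondary"))
    after_registration = rkm.enable_crypto_luns()             # both configured: allowed
    rkm.primary.active = False
    rkm_primary_down = rkm.archive_dek("dek-1", wrapped)      # RKM needs the primary: refused

    lkm = EncryptionEngine(VaultType.LKM)
    lkm.register_vaults(KeyVault("lkm-primary", active=False), KeyVault("lkm-secondary"))
    lkm.enable_crypto_luns()
    lkm_primary_down = lkm.archive_dek("dek-1", wrapped)      # LKM accepts the secondary alone
    landed_on_secondary = "dek-1" in lkm.secondary.archive

    return (before_registration, after_registration, rkm_primary_down,
            lkm_primary_down, landed_on_secondary)


if __name__ == "__main__":
    print(scenarios())
```

Note that in the LKM case the DEK lands only on the secondary while the primary is down, which is exactly the situation in which the vendor's replication or backup procedure is needed to bring the replaced vault's DEK database back into step before it is re-registered.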