Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

Master key management
Communications with the RKM and SKM key management systems are encrypted using a master
key that is created by the encryption engine on the encryption switch.
Master key generation
The master key must be generated by the group leader encryption engine. It is generated once by
the group leader and then propagated to the other members of the encryption group.
Master key backup
It is essential to back up the master key immediately after it is generated. The master key may be
backed up to any of the following:
• To a file, as an encrypted key.
• To the key management system, as an encrypted key record.
• To a set of recovery smart cards. This option is available only if the switch is managed by the
Data Center Fabric Manager (DCFM) and a card reader is attached to the DCFM workstation.
The use of smart cards provides the highest level of security. When smart cards are used, the key
is split and written to up to five cards, and the cards may be kept and stored by up to five
individuals; all of the cards are needed to restore the master key.
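The property described above, that every card must be present to recover the key and that any
smaller set of cards reveals nothing, is what an n-of-n XOR split provides. The following Python is
an added illustration of that scheme and is not Brocade's code; the guide does not describe the
format written to the cards, so the share layout, the 32-byte key length, and the SHA-256 check
value used to detect a missing, swapped or corrupted card are assumptions of this example.

```python
import os
import hmac
import hashlib

KEY_LEN = 32  # master key length assumed for this example (bytes)
MAX_CARDS = 5  # the guide describes splitting across up to five cards


def split_key(master_key, n_cards):
    """Split master_key into n_cards shares so that all n_cards are required.

    The first n_cards-1 shares are uniformly random; the last is the XOR of the
    key with all of them.  Any n_cards-1 shares are therefore statistically
    independent of the key, which is exactly the 'all cards needed' property.
    """
    if not 2 <= n_cards <= MAX_CARDS:
        raise ValueError("n_cards must be between 2 and %d" % MAX_CARDS)
    shares = [os.urandom(len(master_key)) for _ in range(n_cards - 1)]
    last = bytes(master_key)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def combine_shares(shares):
    """XOR all shares together.  With a share missing this yields a random
    value, not an error, so callers must verify the result (see below)."""
    if not shares:
        raise ValueError("no shares supplied")
    result = bytes(len(shares[0]))
    for share in shares:
        if len(share) != len(result):
            raise ValueError("share length mismatch")
        result = bytes(a ^ b for a, b in zip(result, share))
    return result


def key_fingerprint(master_key):
    """Check value recorded alongside the cards at split time (assumed here:
    truncated SHA-256).  For a uniformly random 256-bit key this does not
    meaningfully weaken the key, and it lets an operator confirm a restore
    without keeping a copy of the key itself."""
    return hashlib.sha256(master_key).hexdigest()[:16]


def restore_master_key(shares, fingerprint):
    """Recombine the cards and refuse to accept a key that fails the check,
    which is what happens when a card is missing, duplicated or damaged."""
    key = combine_shares(shares)
    if not hmac.compare_digest(key_fingerprint(key), fingerprint):
        raise ValueError("reconstructed key does not match the recorded check value: "
                         "a card is missing, swapped or corrupted")
    return key


def demo():
    """Split a constructed random key across five 'cards', restore it from all
    five, then show that four cards are rejected."""
    master = os.urandom(KEY_LEN)
    fingerprint = key_fingerprint(master)
    cards = split_key(master, MAX_CARDS)
    restored_ok = restore_master_key(cards, fingerprint) == master
    try:
        restore_master_key(cards[:MAX_CARDS - 1], fingerprint)
        partial_rejected = False
    except ValueError:
        partial_rejected = True
    return restored_ok, partial_rejected


if __name__ == "__main__":
    print("restore from all cards:", demo()[0], "partial set rejected:", demo()[1])
```

The check value matters operationally: because XOR recombination of an incomplete or wrong set of
cards produces a plausible-looking random key rather than an error, a restore procedure without a
recorded fingerprint would have no way to tell a bad reconstruction from a good one.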
Encryption switch initialization
Each encryption switch must be pre-initialized before it can participate in a secure encryption
environment. Pre-initialization establishes the critical security parameters (CSPs), certificates, and
key pairs that are used to mutually authenticate each participating entity. Certificates and key pairs
are needed to enable the following:
• Communication between the encryption engine and the switch control processor (CP).
• Communication between group leaders and nodes in an encryption group.
• Communication with key vaults.
Exporting, importing, and loading certificates
Certain certificates generated within an encryption switch or blade must be exchanged manually
with key vaults and with other encryption switches or blades to enable mutual authentication.
Refer to “Checking encryption engine status” in Chapter 3, “Encryption configuration using the
CLI,” for a description of the certificates and exchange procedures.