Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)
NOTE
The Re-keying interval can only be changed for disk LUNs. For tape LUNs, expiration of the
re-keying interval simply triggers the generation of a new key, to be used on future tape
volumes. Tapes that are already made are not re-keyed. To re-key a tape, you would need to
read the tape contents using a host application that decrypts the tape contents using the old
key, and then re-write the tape, which re-encrypts the data with the new key.
9. Click OK.
The selected tape LUNs are added to the encryption target container.
Configuring encrypted storage in a multi-path environment
This example assumes one host accessing one storage device using two paths:
• The first path is from host port A to target port A, using encryption engine A for encryption.
• The second path is from host port B to target port B, using encryption engine B for encryption.
Encryption engines A and B are in switches that are already part of encryption group X.
The following is the procedure for configuring this scenario using DCFM.
1. Zone host port A and target port A, using the Configure > Zoning dialog box.
2. Zone host port B and target port B, using the Configure > Zoning dialog box.
3. Open the Configure Encryption dialog box by selecting Configure > Encryption from DCFM’s
main menu.
4. Click the View By Encryption Groups button to display the encryption groups.
5. Select encryption group X, then click the Encryption Targets button.
6. Click the Add button to start the Configure Storage Encryption wizard. Use the Configure
Storage Encryption wizard to create a target container for encryption engine A with target port
A and host port A.
7. Run the Configure Storage Encryption wizard again to create a target container for encryption
engine B with target port B and host port B.
Up to this point, DCFM has been automatically committing changes as they are made. The
targets and hosts are now fully configured; only the LUN configuration remains.
8. In the Encryption Targets dialog box, select target port A, click LUNs, then click Add. Select the
LUNs to be encrypted and the encryption policies for the LUNs.
9. Select target port B, click LUNs, then click Add. Select the LUNs to be encrypted and the
encryption policies for the LUNs, making sure that the encryption policies match the policies
specified in the other path.
10. Click Commit to make the LUN configuration changes effective in both paths simultaneously.
DCFM does not automatically commit LUN configuration changes, so that matching changes can
be made in a multi-path environment and then committed together. This prevents cases where one
path may be encrypting and another path is not encrypting, resulting in potentially corrupted data.
However, you must remember to click the Commit button after any LUN configuration changes,
even in non-multi-path environments. (The Encryption Targets dialog box displays a reminder if you
attempt to close the dialog box without committing LUN configuration changes.)
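The check below is an added example, not part of the Brocade guide or of DCFM. It shows one way to confirm, before clicking Commit, that every LUN has matching settings in both paths. The record layout, field names, and container labels are hypothetical: they stand for values an administrator transcribes from the Encryption Targets dialog box.

```python
from collections import defaultdict

# Hypothetical field names for the per-LUN settings that must match across paths.
POLICY_FIELDS = ("encrypted", "rekey_interval_days")


def find_path_mismatches(records, containers):
    """Return sorted (lun, reason) findings for LUNs whose pending settings
    are missing from a path or differ between paths."""
    by_lun = defaultdict(dict)
    for rec in records:
        settings = tuple(rec[f] for f in POLICY_FIELDS)
        by_lun[rec["lun"]][rec["container"]] = settings

    findings = []
    for lun, paths in by_lun.items():
        # A LUN configured in only one path would be encrypted on that path only.
        missing = [c for c in containers if c not in paths]
        if missing:
            findings.append((lun, "not configured in: " + ", ".join(missing)))
        # Settings present on several paths must be identical.
        if len(set(paths.values())) > 1:
            findings.append((lun, "policy differs between paths"))
    return sorted(findings)


def safe_to_commit(records, containers):
    """True only when no LUN has a missing or mismatched path."""
    return not find_path_mismatches(records, containers)


# Constructed sample: two target containers, one per path, as in the scenario above.
CONTAINERS = ["engineA/targetA", "engineB/targetB"]
SAMPLE = [
    {"container": "engineA/targetA", "lun": "LUN-0", "encrypted": True, "rekey_interval_days": 90},
    {"container": "engineB/targetB", "lun": "LUN-0", "encrypted": True, "rekey_interval_days": 90},
    {"container": "engineA/targetA", "lun": "LUN-1", "encrypted": True, "rekey_interval_days": 90},
    {"container": "engineB/targetB", "lun": "LUN-1", "encrypted": False, "rekey_interval_days": 0},
    {"container": "engineA/targetA", "lun": "LUN-2", "encrypted": True, "rekey_interval_days": 30},
]

if __name__ == "__main__":
    for lun, reason in find_path_mismatches(SAMPLE, CONTAINERS):
        print(f"{lun}: {reason}")
    print("safe to commit:", safe_to_commit(SAMPLE, CONTAINERS))
```

With the constructed sample, LUN-1 is reported because its settings differ between the two paths, and LUN-2 because it has been added to only one path.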