Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

NOTE
There is a limit of 25 uncommitted LUN configuration changes. When adding more than 12 LUNs in
a multi-path environment, repeat step 8 through step 10 above, adding only 12 LUNs to each
target container at a time. Each commit operation then commits 24 LUNs, 12 in each path.
Master keys
When an RKM or SKM key vault is used, a master key is used to encrypt the data encryption keys.
The master key status indicates whether a master key is used and whether it has been backed up.
Encryption is not allowed until the master key has been backed up.
Only the active master key can be backed up, and multiple backups are recommended. You can
back up or restore the master key to the key vault, to a file, or to a smart card set.
NOTE
It is extremely important to back up the master key. If the master key is lost, none of the data
encryption keys can be restored and none of the encrypted data can be decrypted.
Active master key
The active master key is used to encrypt newly-created data encryption keys (DEKs) prior to
sending them to the RSA Key Manager (RKM) or HP Secure Key Manager (SKM) to be stored. You
can restore the active master key under the following conditions:
• The active master key has been lost, which happens if all encryption engines in the group have
  been zeroized or replaced with new hardware at the same time.
• You want multiple encryption groups to share the same active master key. Groups should share
  the same master key if the groups share the same key vault and tapes (or disks) are going to
  be regularly exchanged between the groups.
Alternate master key
The alternate master key is used to decrypt data encryption keys that were not encrypted with the
active master key. Restore the alternate master key for the following reasons:
• To read an old tape that was created when the group used a different active master key.
• To read a tape (or disk) from a different encryption group that uses a different active master
  key.
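The following model, added here as an illustration and not Brocade code, shows the master key hierarchy described in this section and in the "Active master key" and "Alternate master key" subsections: data encryption keys (DEKs) are wrapped under a master key before they are stored in the key vault, DEK creation is refused until the active master key has been backed up, a group that has lost its active key (all engines replaced) recovers it from a backup, and a second group with its own active key can only unwrap the first group's DEKs after restoring that group's master key as its alternate. The wrap construction (SHA-256 keystream plus an HMAC tag), the in-memory "vault" dictionary, the group and key names, and the rule that the active key is tried before the alternate are all assumptions of this example, not the product's algorithms or behaviour.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple


class MasterKeyNotBackedUp(Exception):
    """Raised when a DEK is requested before the active master key is backed up."""


def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative keystream (assumption, not the product's cipher): SHA-256 counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(master_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_dek(master_key: bytes, mk_id: str, dek: bytes) -> dict:
    """Encrypt-then-MAC a DEK under a master key; record which master key was used."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(master_key, nonce, len(dek))))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return {"mk_id": mk_id, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_dek(master_key: bytes, blob: dict) -> Optional[bytes]:
    """Return the DEK if this master key verifies the tag, otherwise None."""
    expected = hmac.new(master_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(master_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


class EncryptionGroup:
    """An encryption group holding an active and an optional alternate master key."""

    def __init__(self, name: str):
        self.name = name
        self.active: Optional[Tuple[str, bytes]] = None
        self.alternate: Optional[Tuple[str, bytes]] = None
        self.active_backed_up = False

    def generate_master_key(self, mk_id: str) -> None:
        self.active = (mk_id, os.urandom(32))
        self.active_backed_up = False  # a new active key needs its own backup

    def export_active_master_key(self) -> str:
        """Backup: serialize the active master key (destined for a file, vault, or smart cards)."""
        mk_id, key = self.active
        self.active_backed_up = True
        return json.dumps({"mk_id": mk_id, "key": base64.b64encode(key).decode()})

    def import_master_key(self, backup: str, slot: str) -> None:
        """Restore a backup into the 'active' or 'alternate' slot."""
        data = json.loads(backup)
        entry = (data["mk_id"], base64.b64decode(data["key"]))
        if slot == "active":
            self.active, self.active_backed_up = entry, True  # a backup evidently exists
        else:
            self.alternate = entry

    def create_dek(self, vault: Dict[str, dict], dek_id: str) -> bytes:
        """Create a DEK, wrap it with the active master key, store the wrapped copy in the vault."""
        if self.active is None or not self.active_backed_up:
            raise MasterKeyNotBackedUp(self.name)
        dek = os.urandom(32)
        vault[dek_id] = wrap_dek(self.active[1], self.active[0], dek)
        return dek

    def get_dek(self, vault: Dict[str, dict], dek_id: str) -> Optional[bytes]:
        """Unwrap with the active key, then the alternate; None if neither matches."""
        blob = vault[dek_id]
        for entry in (self.active, self.alternate):
            if entry is not None and entry[0] == blob["mk_id"]:
                return unwrap_dek(entry[1], blob)
        return None


def scenario() -> dict:
    """Walk through the recovery cases the guide lists; the vault and names are constructed."""
    vault: Dict[str, dict] = {}
    site_a = EncryptionGroup("site-A")
    site_a.generate_master_key("MK-A")
    try:
        site_a.create_dek(vault, "tape-0001")
        blocked = False
    except MasterKeyNotBackedUp:
        blocked = True  # encryption is refused until the master key is backed up
    backup_a = site_a.export_active_master_key()
    dek = site_a.create_dek(vault, "tape-0001")
    # Case 1: every engine replaced at once, so the active key is gone; restore it from backup.
    replaced = EncryptionGroup("site-A-replaced")
    lost = replaced.get_dek(vault, "tape-0001")
    replaced.import_master_key(backup_a, "active")
    recovered = replaced.get_dek(vault, "tape-0001")
    # Case 2: a group with a different active key reads site-A's tape via the alternate key.
    site_b = EncryptionGroup("site-B")
    site_b.generate_master_key("MK-B")
    site_b.export_active_master_key()
    foreign_before = site_b.get_dek(vault, "tape-0001")
    site_b.import_master_key(backup_a, "alternate")
    foreign_after = site_b.get_dek(vault, "tape-0001")
    own = site_b.create_dek(vault, "tape-0002")
    return {"blocked_before_backup": blocked, "dek": dek, "lost": lost, "recovered": recovered,
            "foreign_before": foreign_before, "foreign_after": foreign_after,
            "own_readable": site_b.get_dek(vault, "tape-0002") == own}
```

The wrapped blob carries the identifier of the master key that produced it, which is what lets a group decide whether its active or its alternate key applies; a real vault would record the same association. Note that `generate_master_key` clears the backed-up flag, so rotating to a new active key re-imposes the "no encryption until backed up" rule.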