Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)

For specific handling of encryption policy changes when using DF-compatible encryption format,
refer to Appendix D “DF-compatibility support for disk LUNs” on page 195 and “DF-compatibility
support for tape LUNs” on page 199.
Force-enabling a disabled disk LUN for encryption
You can force a disk LUN to become enabled for encryption when encryption is disabled on the
LUN. A LUN may become disabled for various reasons, such as a change in policy from encrypt to
cleartext when encrypted data (and metadata) exist on the LUN, a conflict between LUN policy and
LUN state, or a missing DEK in the key vault. Force-enabling a LUN while metadata exist on the LUN
may result in a loss of data and should be done with caution. Refer to Chapter 6, “LUN policy
troubleshooting” on page 185 for a description of conditions under which a LUN may be disabled,
and for recommendations on re-enabling the LUN while minimizing the risk of data loss.
This procedure must be performed on the local switch that is hosting the LUN. No commit is
required to force-enable after executing this command.
1. Log into the switch that hosts the LUN as Admin or FabricAdmin.
2. Enter the cryptocfg --enable -LUN command followed by the CryptoTarget container name,
the LUN Number, and the initiator PWWN.
FabricAdmin:switch>cryptocfg --enable -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a
Operation Succeeded
Configuring a tape LUN
This example shows how to configure a tape storage device. The basic setup procedure is the
same as for disk devices. Only a subset of configuration options and policy settings are available
for tape LUNs. Refer to Table 8 on page 113 for tape LUN configuration options.
1. Create a zone that includes the initiator (host) and the target port. Refer to the section
“Creating an initiator - target zone” on page 104 for instructions.
2. Create a CryptoTarget container of type tape. Refer to the section “Creating a CryptoTarget
container” on page 105 for instructions.
a. Create the container, allowing the encryption format to default to Native.
FabricAdmin:switch>cryptocfg --create -container tape my_tape_tgt \
10:00:00:05:1e:41:9a:7e 20:0c:00:06:2b:0f:72:6d 20:00:00:06:2b:0f:72:6d
Operation Succeeded
b. Add an initiator to the CryptoTarget container “my_tape_tgt”.
FabricAdmin:switch>cryptocfg --add -initiator my_tape_tgt \
10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a
Operation Succeeded
c. Commit the transaction.
FabricAdmin:switch>cryptocfg --commit
Operation Succeeded
3. Configure the Crypto tape LUN. Refer to the section “Configuring a Crypto LUN” on page 110
for instructions.
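The following is an added example, not part of the original guide or of Fabric OS: a Python check that reads a saved CLI session and reports commands without an "Operation Succeeded" result, staged changes that were never committed, and any use of the force-enable command so it can be reviewed against the data-loss caution above. It assumes that --create and --add are staged until --commit, as steps 2a through 2c suggest; the function name, severity labels, and sample session are constructed for illustration.

```python
import re

# Prompt format as printed in this guide, e.g. "FabricAdmin:switch>cryptocfg --commit".
PROMPT = re.compile(r"^\w+:\w+>\s*(cryptocfg\b.*)$")
# Assumption: --create and --add stage changes until --commit (steps 2a-2c above).
STAGED = ("--create", "--add")

# Constructed sample session (not captured from a real switch).
SAMPLE = r"""
FabricAdmin:switch>cryptocfg --create -container tape my_tape_tgt \
10:00:00:05:1e:41:9a:7e 20:0c:00:06:2b:0f:72:6d 20:00:00:06:2b:0f:72:6d
Operation Succeeded
FabricAdmin:switch>cryptocfg --commit
Operation Succeeded
FabricAdmin:switch>cryptocfg --add -initiator my_tape_tgt \
10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a
Operation Succeeded
FabricAdmin:switch>cryptocfg --enable -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a
Operation Succeeded
"""

def audit_session(transcript):
    """Return (severity, message) findings for a captured cryptocfg session."""
    lines = [ln.strip() for ln in transcript.splitlines()]
    findings, pending, i = [], [], 0
    while i < len(lines):
        m = PROMPT.match(lines[i])
        i += 1
        if not m:
            continue
        cmd = m.group(1)
        while cmd.endswith("\\") and i < len(lines):  # join "\" continuations
            cmd = cmd[:-1].rstrip() + " " + lines[i]
            i += 1
        # The line after the command is its result, unless it is another prompt.
        result = ""
        if i < len(lines) and not PROMPT.match(lines[i]):
            result, i = lines[i], i + 1
        args = cmd.split()
        action = args[1] if len(args) > 1 else ""
        if result != "Operation Succeeded":
            findings.append(("error", "no success result: " + cmd))
        elif action in STAGED:
            pending.append(cmd)
        elif action == "--commit":
            pending.clear()
        elif action == "--enable" and "-LUN" in args:
            findings.append(("review", "force-enable, check for metadata: " + cmd))
    findings += [("warn", "staged, never committed: " + c) for c in pending]
    return findings
```

On the constructed session, audit_session(SAMPLE) reports the force-enable for review and the uncommitted --add -initiator as a warning.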