Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)
Appendix D: The NetApp Lifetime Key Manager
When LKM appliances are clustered, both LKMs in the cluster must be registered and configured
with the link keys before starting any crypto operations. If two LKM key vaults are configured, they
must be clustered. If only a single LKM key vault is configured, it may be clustered for backup
purposes, but it will not be directly used by the switch.
When dual LKMs are used with the encryption switch or blade, the dual LKMs must be clustered.
The encryption switch or blade does not verify whether the dual LKMs are clustered, but key
creation operations will fail if you register non-clustered dual LKMs with the encryption switch
or blade.
Regardless of whether you deploy a single LKM or clustered dual LKMs, register only the primary
key vault with the encryption switch or blade. You do not need to register a secondary key vault.
Use the following command to register an LKM key vault on the encryption switch or blade.
cryptocfg --reg -keyvault <cert label> <certfile> <hostname/ip address> primary
Disk keys and tape pool keys (Brocade native mode support)
DEK creation, retrieval, and update for disk and tape pool keys in Brocade native mode are as
follows:
• DEK creation - The DEK is archived to the primary LKM. After the DEK has been archived
successfully to the primary LKM, the DEK is read from the secondary LKM until it is found
synchronized to the secondary LKM, or a timeout of 10 seconds occurs (2 seconds with 5 retries).
If successful, the DEK created can be used for encrypting disk LUNs or a tape pool in Brocade
native mode. If archival of the DEK to the primary LKM fails, an error is logged and the
operation is retried. If the failure happens after archival of the DEK to the primary LKM, but
before synchronization to the secondary, a VAULT_OFFLINE error is logged and the operation is
retried. Any DEK archived to the primary in this case is not used.
• DEK retrieval - The DEK is retrieved from the primary LKM if the primary LKM is online and
reachable. If the registered primary LKM is not online or not reachable, the DEK is retrieved
from a clustered secondary LKM.
• DEK update - DEK update behavior is the same as DEK creation.
Tape LUN and DF-compatible tape pool support
• DEK creation - The DEK is created and archived to the primary LKM only. After the DEK has
been archived successfully to the primary LKM, the DEK can be used for encryption of a tape LUN
or DF-compatible tape pool. The DEK is synchronized to the secondary LKM through LKM
clustering. If DEK archival to the primary LKM fails, archival is retried to the clustered
secondary LKM. If archival to the secondary LKM also fails, an error is logged and the
operation is retried.
• DEK retrieval - The DEK is retrieved from the primary LKM if the primary is online and
reachable. If the primary LKM is not online or not reachable, the DEK is retrieved from the
clustered secondary LKM.
• DEK update - DEK update behavior is the same as DEK creation.
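The two archival policies above (native mode, which refuses to use a DEK until it can be read back from the clustered secondary within 5 retries of 2 seconds; tape LUN / DF-compatible mode, which uses the DEK after the primary alone accepts it and falls back to the secondary) are modelled below as an added illustration. This is constructed simulation code, not Fabric OS or NetApp LKM code: the Vault class, its sync_lag replication model and the function names are assumptions.

```python
import logging
import time

log = logging.getLogger("lkm")

class Vault:
    """Constructed stand-in for one LKM appliance (not NetApp's real API)."""
    def __init__(self, name, online=True, sync_lag=0, peer=None):
        self.name, self.online, self.sync_lag = name, online, sync_lag
        self.keys, self.peer = {}, peer  # peer = clustered LKM it replicates from
    def archive(self, key_id, dek):
        if not self.online:  # offline or unreachable appliance
            return False
        self.keys[key_id] = dek
        return True
    def read(self, key_id):
        # Cluster replication from the peer becomes visible after sync_lag reads.
        if not self.online:
            return None
        if key_id not in self.keys and self.peer and key_id in self.peer.keys:
            if self.sync_lag > 0:
                self.sync_lag -= 1
            else:
                self.keys[key_id] = self.peer.keys[key_id]
        return self.keys.get(key_id)

def create_dek_native(primary, secondary, key_id, dek, retries=5, interval=2.0, sleep=time.sleep):
    """Native mode: DEK usable only once readable from the secondary within 5 x 2 s; else not used."""
    if not primary.archive(key_id, dek):
        log.error("DEK %s: archival to %s failed; retry", key_id, primary.name)
        return None
    for _ in range(retries):
        if secondary.read(key_id) == dek:
            return dek
        sleep(interval)
    log.error("DEK %s: VAULT_OFFLINE, %s not synced; DEK not used", key_id, secondary.name)
    return None

def create_dek_tape(primary, secondary, key_id, dek):
    """Tape LUN / DF-compatible pool: primary only, fall back to secondary."""
    for vault in (primary, secondary):
        if vault.archive(key_id, dek):
            return dek
    log.error("DEK %s: archival failed on both LKMs; retry", key_id)
    return None

def retrieve_dek(primary, secondary, key_id):
    """Both modes: primary if online and reachable, else clustered secondary."""
    return (primary if primary.online else secondary).read(key_id)
```

Pass a no-op sleep to create_dek_native when exercising it without real delays; the DEK left on the primary after a VAULT_OFFLINE result stays archived but unused, exactly the state the guide warns about.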