Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)
The HP Secure Key Manager
Configured primary and secondary HPSKM appliances must be registered with the Brocade encryption switch or blade before key operations can begin. You can register only a single SKM if desired; in that case the HA features are lost, but the archived keys are still replicated to the other, non-registered members of the cluster. Beginning with Fabric OS version 6.3.0, the primary and secondary appliances must be clustered.
Both SKM appliances in the cluster are registered with the following command, run once for the primary and once for the secondary:
cryptocfg --reg -keyvault <cert label> <certfile> <hostname/ip address> <primary | secondary>
Disk keys and tape pool keys support
DEK creation, retrieval, and update for disk and tape pool keys behave as follows:
• DEK creation - The DEK is first archived to the virtual IP address of the SKM cluster. The request is routed to either the primary or the secondary SKM and is then synchronized with the other SKMs in the cluster. If archival is successful, the DEK is read back from both the primary and the secondary SKM, and the reads are repeated until the DEK has been read successfully from both. Only then can the DEK be used for encrypting disk LUNs or a tape pool in Brocade native mode. If archival of the DEK to the SKM cluster fails, an error is logged and the operation is retried. If archival to one of the SKMs succeeds but synchronization to all SKMs in the cluster times out, an error is likewise logged and the operation is retried; any DEK archived in this case is not used.
• DEK retrieval - The DEK is retrieved from the SKM cluster using the cluster's virtual IP address. If DEK retrieval fails, it is retried.
• DEK update - DEK update behaves the same as DEK creation.
Tape LUN support
• DEK creation - The DEK is created and archived to the SKM cluster using the cluster's virtual IP address, and is synchronized with the other SKMs in the cluster. Upon successful archival of the DEK to the SKM cluster, the DEK can be used for encryption of the tape LUN; unlike the disk and tape pool case, no read-back from both SKMs is required. If archival of the DEK to the SKM cluster fails, an error is logged and the operation is retried.
• DEK retrieval - The DEK is retrieved from the SKM cluster using the cluster's virtual IP address. If DEK retrieval fails, it is retried.
• DEK update - DEK update behaves the same as DEK creation.
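As an added illustration (not Brocade or HP code, and not the encryption switch's actual implementation), the following Python models the two DEK creation paths described above, the disk/tape-pool path with its read-back from both SKMs and the tape LUN path that needs only a successful archive, together with the retry rules. The SkmMember and SkmCluster classes, the injected failure counters, and the bounded max_attempts are all constructed for the simulation; the real switch's retry limits are not stated on this page. The point it exercises is the failure mode where a DEK lands on one SKM but cluster synchronization times out: that DEK is abandoned, a fresh one is archived, and only a DEK confirmed on both members is ever handed out.

```python
"""Model of the SKM-cluster DEK archival rules (added example, not vendor code)."""
import itertools
import logging
import os

log = logging.getLogger("dek")
_ids = itertools.count(1)


def new_dek():
    """Fresh key id and 256-bit DEK (random here; the switch generates the real one)."""
    return f"dek-{next(_ids)}", os.urandom(32)


class SkmMember:
    """One SKM appliance in the cluster (constructed model)."""

    def __init__(self, name, read_failures=0):
        self.name = name
        self.keys = {}                      # key_id -> DEK bytes
        self.read_failures = read_failures  # transient read errors to inject

    def read(self, key_id):
        if self.read_failures:
            self.read_failures -= 1
            raise ConnectionError(f"{self.name}: transient read error")
        return self.keys.get(key_id)


class SkmCluster:
    """The cluster virtual IP: one member accepts the archive, then syncs it."""

    def __init__(self, primary, secondary, archive_failures=0, sync_timeouts=0):
        self.primary, self.secondary = primary, secondary
        self.archive_failures = archive_failures  # VIP-level archive errors to inject
        self.sync_timeouts = sync_timeouts        # cluster sync timeouts to inject

    def archive(self, key_id, dek):
        if self.archive_failures:
            self.archive_failures -= 1
            raise ConnectionError("archive via cluster VIP failed")
        self.primary.keys[key_id] = dek      # request landed on one member
        if self.sync_timeouts:
            self.sync_timeouts -= 1
            raise TimeoutError("sync to all cluster members timed out")
        self.secondary.keys[key_id] = dek    # now synchronised cluster-wide

    def retrieve(self, key_id):
        """Retrieval via the VIP: answered by whichever member responds."""
        for member in (self.primary, self.secondary):
            try:
                dek = member.read(key_id)
            except ConnectionError:
                continue
            if dek is not None:
                return dek
        raise KeyError(key_id)


def _read_back_from_both(cluster, key_id, dek, max_reads=3):
    """Disk/tape-pool rule: re-read until BOTH members have returned the DEK."""
    for member in (cluster.primary, cluster.secondary):
        for _ in range(max_reads):
            try:
                if member.read(key_id) == dek:
                    break
            except ConnectionError as exc:
                log.warning("%s; re-reading", exc)
        else:
            return False                     # this member never confirmed the DEK
    return True


def create_disk_or_pool_dek(cluster, max_attempts=3):
    """Disk LUN / tape pool DEK: archive, then confirm on both members.

    A DEK whose archive or cluster sync failed is abandoned (it may remain on
    one member) and a fresh DEK is tried, up to max_attempts times.
    """
    for attempt in range(1, max_attempts + 1):
        key_id, dek = new_dek()
        try:
            cluster.archive(key_id, dek)
        except (ConnectionError, TimeoutError) as exc:
            log.error("attempt %d: %s; %s will not be used", attempt, exc, key_id)
            continue
        if _read_back_from_both(cluster, key_id, dek):
            return key_id, dek
        log.error("attempt %d: read-back of %s from both members failed", attempt, key_id)
    raise RuntimeError(f"DEK creation failed after {max_attempts} attempts")


def create_tape_lun_dek(cluster, max_attempts=3):
    """Tape LUN DEK: usable as soon as the archive to the cluster succeeds."""
    for attempt in range(1, max_attempts + 1):
        key_id, dek = new_dek()
        try:
            cluster.archive(key_id, dek)
            return key_id, dek
        except (ConnectionError, TimeoutError) as exc:
            log.error("attempt %d: %s; retrying", attempt, exc)
    raise RuntimeError(f"DEK creation failed after {max_attempts} attempts")


def retrieve_dek(cluster, key_id, max_attempts=3):
    """DEK retrieval via the cluster VIP, retried on failure (both paths)."""
    for attempt in range(1, max_attempts + 1):
        try:
            return cluster.retrieve(key_id)
        except KeyError:
            log.error("attempt %d: %s not served; retrying", attempt, key_id)
    raise RuntimeError(f"DEK {key_id} not retrievable after {max_attempts} attempts")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    primary, secondary = SkmMember("primary"), SkmMember("secondary")
    cluster = SkmCluster(primary, secondary, sync_timeouts=1)  # first sync times out
    key_id, dek = create_disk_or_pool_dek(cluster)
    orphans = [k for k in primary.keys if k not in secondary.keys]
    print("usable DEK:", key_id, "| archived but never used:", orphans)
    assert retrieve_dek(cluster, key_id) == dek
```

Running the script shows the first DEK left on the primary only after the simulated sync timeout, and a second DEK that is confirmed on both members and then retrievable through the virtual IP. The difference between the two creation functions is exactly the one the text draws: create_tape_lun_dek returns as soon as archive() succeeds, while create_disk_or_pool_dek additionally insists on reading the key back from each member.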
SKM Key Vault Deregistration
The primary and secondary SKM key vaults can each be deregistered from an encryption switch or blade independently of the other.
• Deregistration of primary SKM - You can deregister the primary SKM from an encryption switch or blade, for maintenance or replacement purposes, without deregistering the backup (secondary) SKM. However, while the primary SKM is deregistered, key creation operations fail until either the primary SKM is reregistered or the secondary SKM is deregistered and reregistered as the primary SKM.
When the primary SKM is replaced with a different SKM, you must first synchronize the DEKs from the secondary SKM to the new appliance before reregistering it as the primary SKM.