Read Me First HP StorageWorks Encryption SAN Switch (AR944-96001, April 2009)

a. Select a target port that needs to be included in the encryption path. Identify any other
target ports/paths (in the same fabric or in other fabrics) that share LUNs with this target port,
that is, all multi-path target ports for a given LUN that is part of an encryption target.
b. Create target containers, one at a time, for all the identified multi-path target ports.
c. Repeat steps a and b for each target port that needs to be included in the encryption path.
d. HP strongly recommends that there is no more than one path to the same LUN from the same
Encryption Engine (EE). If more than one path through the same EE is needed, disable all of those
paths except one for the duration of a re-key operation or First Time Encryption (FTE) operation.
e. Identify, across all the target ports, every initiator that has access to a shared LUN that
will hold encrypted data.
f. Add and commit each identified initiator to the appropriate container, so that every initiator
is already configured correctly by the time it accesses the LUNs. This avoids potential data loss.
g. When adding LUNs to the container, do not include more than one initiator at a time if there
are multiple initiators accessing the same shared LUN on each path.
4. LUN policy setting
The following rules apply to all LUNs that are part of a High Availability (HA) cluster or a
DEK cluster, and to standalone LUNs accessed by multiple hosts.
a. When adding multi-path LUNs, make sure the same LUN policies are configured on all paths
and from all initiators accessing that LUN. The policies that matter most are cleartext,
encrypt, and enc_existingdata.
b. When adding Encrypted LUNs, make sure the lunstate option is set to encrypted. This ensures
that the metadata on the LUN is used to correctly retrieve the Data Encryption Key (DEK)
from the key vault.
c. For important existing data, configure the enable_encexistingdata option, so that all
the existing data on the LUN is encrypted first. This is known as a First Time Encryption (FTE)
operation.
d. Perform FTE on a single LUN path and wait for it to finish before adding more initiator
paths.
e. Configure the LUN with the same policies in all containers in sequence, and do a commit
operation.
5. Paths to a shared LUN must be identified correctly. When identifying a shared LUN on multiple
paths, ensure that the LUN serial number is identical on all the concerned paths. It is the LUN
serial number that uniquely identifies a LUN.
6. The EE automatically creates redirect zones as soon as the host/target pair is configured for
encryption. Do not delete or modify redirect zones, as this may result in data loss.
7. When a host or target port is moved to a different switch port, issue the cryptocfg --commit
command immediately after the move.
8. When a LUN is configured for encryption, the EE automatically writes some metadata in the first
few blocks of the disk LUN. If this metadata needs to be erased, modify the LUN policy to
cleartext and the EE will overwrite the metadata. Erasing the metadata also erases the data
on the LUN.
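The multi-path rules in items 3 to 5 are easy to get wrong by hand, and a wrong commit can destroy data (item 8). The following Python script is an added example, not HP or Brocade code, that models the planned paths to a shared LUN, checks them against the rules above (identical serial number on every path, identical LUN policy on every path, no more than one path per EE during FTE, no FTE requested on a LUN already marked encrypted), and then prints the cryptocfg commands in the prescribed order: each initiator added and committed on its own, then the LUN added on one path with enable_encexistingdata, committed, and FTE allowed to finish before the remaining paths are added with the same policy. It assumes the target containers were already created (step 3b). All WWNs, container names and serial numbers are constructed, and the cryptocfg flag spellings are as the author of this example recalls them from the Fabric OS Encryption Administrator's Guide; verify them against the guide for the Fabric OS release in use.

```python
"""Pre-commit check of a multi-path LUN encryption plan for a B-series
encryption switch, plus a cryptocfg command emitter in guideline order.
Added example; not HP/Brocade code.  All names and WWNs are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Path:
    shared_lun: str      # admin's label: "these paths are the same LUN"
    container: str       # crypto target container, one per target port
    ee: str              # Encryption Engine hosting the container
    initiator_pwwn: str
    initiator_nwwn: str
    lun: int             # LUN number seen through this path
    serial: str          # LUN serial number reported on this path
    policy: str          # "encrypt" or "cleartext"
    lunstate: str        # "encrypted" (data already encrypted) or "cleartext"
    enc_existing: bool   # enable_encexistingdata, i.e. request FTE


def _by_label(paths: List[Path]) -> Dict[str, List[Path]]:
    groups: Dict[str, List[Path]] = {}
    for p in paths:
        groups.setdefault(p.shared_lun, []).append(p)
    return groups


def check_plan(paths: List[Path]) -> List[str]:
    """Return guideline violations; an empty list means the plan is consistent."""
    errors: List[str] = []
    for label, group in _by_label(paths).items():
        # Guideline 5: the serial number is what identifies one LUN across paths.
        serials = sorted({p.serial for p in group})
        if len(serials) > 1:
            errors.append(f"{label}: serial number differs across paths {serials}; "
                          "these are not the same LUN")
        # Guidelines 4a/4e: identical policy, lunstate and FTE flag on every path.
        settings = sorted({(p.policy, p.lunstate, p.enc_existing) for p in group})
        if len(settings) > 1:
            errors.append(f"{label}: LUN policy differs across paths {settings}")
        # Guidelines 4b/4c describe different starting states: FTE encrypts existing
        # cleartext, lunstate=encrypted says the data already is.  Flagging the
        # combination is this example's own consistency check (an assumption).
        for p in group:
            if p.enc_existing and p.lunstate == "encrypted":
                errors.append(f"{label}: enable_encexistingdata with lunstate encrypted "
                              f"on {p.container}; choose one starting state")
        # Guideline 3d: at most one path per EE while FTE or re-key runs.
        per_ee: Dict[str, int] = {}
        for p in group:
            per_ee[p.ee] = per_ee.get(p.ee, 0) + 1
        for ee, n in sorted(per_ee.items()):
            if n > 1:
                errors.append(f"{label}: {n} paths through EE {ee}; disable all but "
                              "one during FTE or re-key")
    return errors


def cryptocfg_commands(paths: List[Path]) -> List[str]:
    """Emit cryptocfg commands in guideline order; containers assumed to exist.
    Flag spellings are assumptions to verify against the FOS admin guide."""
    cmds: List[str] = []
    # Guideline 3f: add and commit each initiator to its container, one at a time.
    seen = set()
    for p in paths:
        if (p.container, p.initiator_pwwn) not in seen:
            seen.add((p.container, p.initiator_pwwn))
            cmds.append(f"cryptocfg --add -initiator {p.container} "
                        f"{p.initiator_pwwn} {p.initiator_nwwn}")
            cmds.append("cryptocfg --commit")
    # Guidelines 3g, 4c, 4d, 4e: one LUN path at a time, same policy on each, and
    # FTE allowed to finish on the first path before the next path is added.
    for group in _by_label(paths).values():
        for i, p in enumerate(group):
            opts = f"-{p.policy} -lunstate {p.lunstate}"
            if p.enc_existing:
                opts += " -enable_encexistingdata"
            cmds.append(f"cryptocfg --add -LUN {p.container} {p.lun} "
                        f"{p.initiator_pwwn} {p.initiator_nwwn} {opts}")
            cmds.append("cryptocfg --commit")
            if i == 0 and p.enc_existing:
                cmds.append(f"<wait for FTE to finish: cryptocfg --show -LUN "
                            f"{p.container} {p.lun} {p.initiator_pwwn} -stat>")
    return cmds


# Constructed sample: one LUN reachable through two target ports on two EEs.
HOST = ("10:00:00:00:c9:11:22:33", "20:00:00:00:c9:11:22:33")
GOOD_PLAN = [
    Path("db_lun", "tgt1_ctc", "ee_node_A", *HOST, 5, "SN-0001", "encrypt", "cleartext", True),
    Path("db_lun", "tgt2_ctc", "ee_node_B", *HOST, 5, "SN-0001", "encrypt", "cleartext", True),
]
# Same label, but the second path reports a different serial, a different
# policy, and shares the first path's EE: three separate guideline violations.
BAD_PLAN = [
    Path("db_lun", "tgt1_ctc", "ee_node_A", *HOST, 5, "SN-0001", "encrypt", "cleartext", True),
    Path("db_lun", "tgt2_ctc", "ee_node_A", *HOST, 5, "SN-0002", "cleartext", "cleartext", False),
]

if __name__ == "__main__":
    for err in check_plan(BAD_PLAN):
        print("BAD :", err)
    assert not check_plan(GOOD_PLAN)
    print("\n".join(cryptocfg_commands(GOOD_PLAN)))
```

The emitted list is a plan to type into the switch one line at a time, not a script to paste: the `<wait ...>` marker is the point at which the administrator polls the LUN status until first-time encryption has completed, and only then continues with the next path. Run `check_plan` before every commit that touches a multi-path LUN; an empty result is the precondition, not a guarantee, since the serial numbers and policies it compares are only as accurate as the records the administrator feeds it.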
Guidelines for connecting and enabling encryption using a B-series encryption switch or blade
For additional guidelines and details, refer to the B-series Fabric OS Encryption Administrator's Guide
on the HP website: http://h18006.www1.hp.com/storage/saninfrastructure/switches/encrypt_sanswitch.html
1. HP highly recommends that the entire encryption configuration in a given fabric is performed by a
single administrator. Having more than one administrator work on the encryption configuration may
result in misconfigurations that are hard to troubleshoot.