Generating and backing up the master key – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (DPM)

53-1002922-01


3. SecurityAdmin:switch> cryptocfg --reg -keyvault <CA certificate file> <DPM IP> primary

NOTE

If you are using a DPM cluster for high availability, the IP address specified as <DPM IP> is the virtual IP address of the DPM cluster.

4. As the switches come up, enable the encryption engines.

SecurityAdmin:switch> cryptocfg --enableEE
Operation succeeded.

Generating and backing up the master key

You must generate a master key on the group leader, and export it to a secure backup location so
that it can be restored, if necessary. The master key is used to encrypt DEKs for transmission to
and from a DPM.

The backup location may be a DPM, a local file, or a secure external SCP-capable host. All three
options are shown in the following procedure. Note that the Brocade SAN Management application
provides the additional option of backing up the master key to system cards.

1. Generate the master key on the group leader.

SecurityAdmin:switch> cryptocfg --genmasterkey
Master key generated. The master key should be exported before further operations are performed.

2. Export the master key to the key vault. Make a note of the key ID and the passphrase. You will need the key ID and the passphrase if you ever have to restore the master key from the key vault.

SecurityAdmin:switch> cryptocfg --exportmasterkey
Enter the passphrase: passphrase
Master key exported. Key ID: 8f:88:45:32:8e:bf:eb:44:c4:bc:aa:2a:c1:69:94:2

3. Save the master key to a file.

SecurityAdmin:switch> cryptocfg --exportmasterkey -file
Master key file generated.

4. Export the master key to an SCP-capable external host:

SecurityAdmin:switch> cryptocfg --export -scp -currentMK \
    192.168.38.245 mylogin GL_MK.mk
Password:
Operation succeeded.

5. Display the group configuration.

SecurityAdmin:switch> cryptocfg --show -groupcfg
Encryption Group Name:    brocade
Failback mode:            Manual
Heartbeat misses:         3
Heartbeat timeout:        2
Key Vault Type:           DPM
Primary Key Vault: