Deleting a cryptotarget container, Moving a cryptotarget container – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (DPM)

53-1002922-01

CryptoTarget container configuration

Deleting a CryptoTarget container

You may delete a CryptoTarget container to remove the target port from a given encryption switch
or blade. Deleting a CryptoTarget container removes the virtual target and all associated LUNs from
the fabric.

Before deleting a container, be aware of the following:

Stop all traffic to the target port for which the CryptoTarget container is being deleted. Failure
to do so will cause data corruption (a mix of encrypted data and cleartext data will be written to
the LUN).

Deleting a CryptoTarget container while a rekey or first-time encryption session is in progress
causes all data to be lost on the LUNs that are being rekeyed. Ensure that no rekey or first-time
encryption sessions are in progress before deleting a container. Use the
cryptocfg --show -rekey -all command to determine the runtime status of the session. If for some
reason you need to delete a container while rekeying, when you create a new container, be sure the
LUNs added to the container are set to cleartext. You can then start a new rekey session on
cleartext LUNs.

1. Log in to the group leader as Admin or FabricAdmin.

2. Enter the cryptocfg --delete -container command followed by the CryptoTarget container
name. The following example removes the CryptoTarget container “my_disk_tgt”.

FabricAdmin:switch> cryptocfg --delete -container my_disk_tgt

Operation Succeeded

3. Commit the transaction.

FabricAdmin:switch> cryptocfg --commit

Operation Succeeded

CAUTION

When configuring a multi-path LUN, you must remove all necessary CryptoTarget containers in
sequence before committing the transaction. Failure to do so may result in a potentially
catastrophic situation where one path ends up being exposed through the encryption switch and
another path has direct access to the device from a host outside the protected realm of the
encryption platform. Refer to the section “Configuring a multi-path Crypto LUN” on page 198 for
more information.
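The following planning helper is an added example, not part of the Brocade guide. It groups the containers that must be deleted in one transaction for a multi-path LUN and refuses to build the command list while a rekey or first-time encryption session is active. The inventory, the container names other than my_disk_tgt, the LUN labels, and the rule that containers sharing a LUN transitively belong to the same transaction are assumptions of this example; the active-session list is whatever the operator read from cryptocfg --show -rekey -all.

```python
from collections import deque

# Constructed inventory: container name -> LUNs reachable through it.
# Names other than my_disk_tgt and all LUN labels are hypothetical.
INVENTORY = {
    "my_disk_tgt": {"LUN-A"},
    "my_disk_tgt2": {"LUN-A", "LUN-B"},
    "other_tgt": {"LUN-B"},
    "tape_tgt": {"LUN-C"},
}


def containers_to_delete(inventory, start):
    """Return every container sharing a LUN, directly or transitively, with start."""
    if start not in inventory:
        raise KeyError(start)
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for name, luns in inventory.items():
            # A shared LUN means a second path to the same device.
            if name not in seen and luns & inventory[current]:
                seen.add(name)
                queue.append(name)
    return sorted(seen)


def plan_deletion(inventory, start, sessions_in_progress):
    """Build the commands for one transaction, or refuse if a session is active.

    sessions_in_progress: containers the operator saw with an active rekey or
    first-time encryption session in `cryptocfg --show -rekey -all`.
    """
    group = containers_to_delete(inventory, start)
    busy = sorted(set(group) & set(sessions_in_progress))
    if busy:
        raise RuntimeError("session in progress on: " + ", ".join(busy))
    commands = [f"cryptocfg --delete -container {name}" for name in group]
    commands.append("cryptocfg --commit")  # one commit, after every delete
    return commands


if __name__ == "__main__":
    for line in plan_deletion(INVENTORY, "my_disk_tgt", sessions_in_progress=[]):
        print(line)
```

The helper only prints the commands for the operator to enter on the group leader; it does not connect to a switch.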

Moving a CryptoTarget container

You can move a CryptoTarget container from one encryption engine to another. The encryption
engines must be part of the same fabric and the same encryption group, and the encryption
engines must be online for this operation to succeed. This operation permanently transfers the
encryption engine association of a given CryptoTarget container from an existing encryption engine
to an alternate encryption engine.

NOTE

If a CryptoTarget container is moved in a configuration involving FCR, the LSAN zones and manually
created redirect zones will need to be reconfigured with new VI and VT WWNs. Refer to the section
“Deployment in Fibre Channel routed fabrics” on page 219 for instructions on configuring encryption
in an FCR deployment scenario.
