Crypto lun parameters and policies – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (DPM)


53-1002922-01

Crypto LUN configuration


Number of host(s): 1

Configuration status: committed

Host: 10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a

VI: 20:02:00:05:1e:41:4e:1d 20:03:00:05:1e:41:4e:1d

LUN number: 0x0

LUN type: disk

LUN status: 0

Encryption mode: encrypt

Encryption format: native

Encrypt existing data: enabled

Rekey: disabled

Key ID: not available

Operation Succeeded

Crypto LUN parameters and policies

Table 6 shows the encryption parameters and policies that can be specified for a disk or tape LUN during LUN configuration (with the cryptocfg --add -LUN command). Some policies are applicable only to disk LUNs, and some policies are applicable only to tape LUNs. It is recommended that you plan to configure all the LUN state and encryption policies with the cryptocfg --add -LUN command. You can use the cryptocfg --modify -LUN command to change some of the settings, but not all options can be modified.

NOTE

LUN policies are configured at the LUN level, but apply to the entire HA or DEK cluster. For multi-path
LUNs that are exposed through multiple target ports and thus configured on multiple CryptoTarget
containers on different encryption engines in an HA cluster or DEK cluster, the same LUN policies
must be configured. Failure to do so results in unexpected behavior and may lead to data corruption.
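
The multi-path requirement in the note above can be checked mechanically. The following Python is an added example, not part of the Brocade guide: it parses LUN listings in the "Field: value" format shown earlier on this page and reports policy fields that differ between containers fronting the same LUN. The container names, the choice of compared fields, and matching LUNs by LUN number are assumptions; the second listing is constructed sample data.

```python
import re

# Assumption: these output fields carry the policies that must match on every path.
POLICY_FIELDS = ("Encryption mode", "Encryption format",
                 "Encrypt existing data", "Rekey")

def parse_luns(text):
    """Parse 'Field: value' lines into {lun_number: {field: value}}."""
    luns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*\S)\s*$", line)
        if not m:
            continue  # blank lines, "Operation Succeeded", etc.
        field, value = m.group(1), m.group(2)
        if field == "LUN number":
            current = luns.setdefault(int(value, 16), {})
        elif current is not None:  # ignore host/VI header lines before a LUN
            current[field] = value.lower()
    return luns

def policy_mismatches(dumps):
    """dumps: {container: listing}. Returns [(lun, field, {container: value})]."""
    parsed = {name: parse_luns(text) for name, text in dumps.items()}
    findings = []
    for lun in sorted({n for luns in parsed.values() for n in luns}):
        for field in POLICY_FIELDS:
            # Compare only containers that actually expose this LUN.
            seen = {name: luns[lun].get(field, "<missing>")
                    for name, luns in parsed.items() if lun in luns}
            if len(set(seen.values())) > 1:
                findings.append((lun, field, seen))
    return findings

# Constructed sample: PATH_A follows the listing on this page; PATH_B is an
# invented divergent path to the same LUN. Container names are hypothetical.
PATH_A = """\
LUN number: 0x0
LUN type: disk
Encryption mode: encrypt
Encryption format: native
Encrypt existing data: enabled
Rekey: disabled
Key ID: not available
"""
PATH_B = (PATH_A.replace("Encrypt existing data: enabled", "Encrypt existing data: disabled")
                .replace("Rekey: disabled", "Rekey: enabled"))

if __name__ == "__main__":
    for lun, field, seen in policy_mismatches({"ctc_path_a": PATH_A, "ctc_path_b": PATH_B}):
        print(f"LUN {lun:#x}: {field} differs across paths: {seen}")
```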

The tape policies specified at the LUN configuration level take effect if you do not create tape pools
or configure policies at the tape pool level. The Brocade encryption solution supports up to a 1 MB
block size for tape encryption. Also, the Logical Block Address (LBA) 0 block size (I/O size from the
host) must be at least 1 K less than the maximum supported backend block size (usually 1 MB).
This is typically the case, as label operations are small I/O operations. If this support requirement
is not met, the Brocade encryption solution will not allow the backup operation to start to that tape.

NOTE

LBA 0 is not encrypted. Data sent to this block address is always sent as clear text.

TABLE 6 LUN parameters and policies

Policy name: LUN state
Disk LUN: yes
Tape LUN: No
Modify? No
Command parameters: -lunstate encrypted | cleartext
Description: Sets the Encryption state for the LUN. Valid values are:
cleartext - Default LUN state. Refer to policy configuration considerations for compatibility with other policy settings.
encrypted - Metadata on the LUN containing the key ID of the DEK that was used for encrypting the LUN is used to retrieve the DEK from the key vault. DEKs are used for encrypting and decrypting the LUN.

Policy name: Key ID
Disk LUN: yes
Tape LUN: No
Modify? No
Command parameters: -keyID Key_ID
Description: Specifies the key ID. Use this option only if the LUN was encrypted but does not include the metadata containing the key ID for the LUN. This is a rare case for LUNs encrypted in Native (Brocade) mode.
