Decommissioning replicated luns – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (DPM)

53-1002922-01


Complete the following procedure to decommission a disk LUN.

1. Log in as Admin or FabricAdmin to the node that hosts the container.

2. Enter the cryptocfg --decommission command.

FabricAdmin:switch> cryptocfg --decommission -container disk_ct0 -initiator 21:01:00:1b:32:29:5d:1c -LUN 0

3. Enter cryptocfg --show -decommissionedkeyids to obtain a list of all currently decommissioned key IDs to be deleted after decommissioning key IDs manually from the key vault.

FabricAdmin:switch> cryptocfg --show -decommissionedkeyids

4. Enter the cryptocfg --show -vendorspecific_keyid <key_id> command to list the vendor-specific key information for a given key ID.

FabricAdmin:switch> cryptocfg --show -vendorspecific_keyid AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4

uuid = b7e07a6a-db64-40c2-883a-0bc6c4e923e6

5. Manually delete the listed key IDs from the key vault.

6. Enter the cryptocfg --delete -decommissionedkeyids command to purge all key IDs associated with a decommissioned LUN.

FabricAdmin:switch> cryptocfg --delete -decommissionedkeyids

7. Enter the cryptocfg --show -decommissionedkeyids command to verify that the deleted key IDs are no longer listed.

The cache is also cleared when cryptocfg --zeroizeEE is executed on the encryption engine.

NOTE:

When a decommissioned LUN is reused and the decommissioned key IDs are listed using the cryptocfg --show -decommissionedkeyids command, the entire list of decommissioned key IDs since the first time the LUN was used is displayed.

If you are running Fabric OS 7.1.0 and want to downgrade to an earlier Fabric OS version (for example, Fabric OS 7.0.x) after decommissioning a disk LUN, it is recommended that you remove the decommissioned key ID from the key vault before performing the downgrade. Otherwise, if the LUN is added back for encryption, the LUN goes to the disabled state because the key state is decommissioned in the key vault.
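
A check for steps 3 to 7 of the procedure above, as an added example that is not part of the Brocade guide: it parses saved CLI transcripts and a key vault export, then reports key IDs that were never looked up, keys still present in the vault, and key IDs still listed after the purge. The function names, the listing layout, the second key ID and the vault export (a set of UUIDs) are assumptions; only the key ID and uuid formats come from this page.

```python
import re

H = "[0-9A-Fa-f]"
# Key ID form shown in step 4: 16 colon-separated hex bytes. The lookarounds
# stop an 8-byte initiator WWN or a longer hex run from matching.
KEY_ID_RE = re.compile(rf"(?<![0-9A-Fa-f:])(?:{H}{{2}}:){{15}}{H}{{2}}(?![0-9A-Fa-f:])")
UUID_RE = re.compile(rf"uuid\s*=\s*({H}{{8}}(?:-{H}{{4}}){{3}}-{H}{{12}})")

def key_ids(transcript):
    """Key IDs found anywhere in a saved CLI transcript, upper-cased."""
    return {k.upper() for k in KEY_ID_RE.findall(transcript)}

def uuid_by_key_id(lookups):
    """Pair each key ID looked up in step 4 with the uuid line that follows it."""
    mapping, current = {}, None
    for line in lookups.splitlines():
        ids = KEY_ID_RE.findall(line)
        if ids:
            current = ids[0].upper()
        m = UUID_RE.search(line)
        if m and current:
            mapping[current] = m.group(1).lower()
            current = None  # a uuid line belongs to one lookup only
    return mapping

def audit(before, lookups, vault_uuids, after):
    """Compare the step 3 listing with the vault export and the step 7 listing."""
    listed, uuids = key_ids(before), uuid_by_key_id(lookups)
    vault = {u.lower() for u in vault_uuids}
    return {
        "no_uuid_lookup": sorted(listed - set(uuids)),
        "still_in_vault": sorted(k for k in listed if uuids.get(k) in vault),
        "still_listed_after_purge": sorted(listed & key_ids(after)),
    }

# Constructed sample data. The listing layout and the second key ID are
# assumptions; the first key ID and its uuid are the values printed in step 4.
BEFORE = """FabricAdmin:switch> cryptocfg --show -decommissionedkeyids
AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4
0C:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""
LOOKUPS = """FabricAdmin:switch> cryptocfg --show -vendorspecific_keyid AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4
uuid = b7e07a6a-db64-40c2-883a-0bc6c4e923e6
"""
VAULT_EXPORT = {"B7E07A6A-DB64-40C2-883A-0BC6C4E923E6"}  # key not yet deleted
AFTER = "FabricAdmin:switch> cryptocfg --show -decommissionedkeyids\n"
if __name__ == "__main__":
    for finding, ids in audit(BEFORE, LOOKUPS, VAULT_EXPORT, AFTER).items():
        print(finding, ids)
```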

Decommissioning replicated LUNs

When trying to re-use primary R1 or secondary R2 replicated LUNs, you must first decommission
the LUNs. When trying to re-use a decommissioned LUN, you must:

1. Delete the keys from the key vault.

2. Add the LUN back into the container as cleartext.

3. Modify the LUN to encrypted.

The following scenarios are provided:
