Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0)


Fabric OS Encryption Administrator’s Guide (DPM)
53-1002922-01

Master key management

Data encryption keys (DEKs) stored in opaque key vaults are protected by a master key that is created by the
encryption engine on the encryption switch: the engine encrypts each DEK under the master key before it is
sent to the vault, so the vault never holds a DEK in the clear. Currently, this applies to the key vaults of
all supported key management systems except NetApp LKM.

Master key generation

The master key must be generated by the group leader encryption engine. It is generated once by the group
leader and then propagated to the other members of the encryption group.

Master key backup

It is essential to back up the master key immediately after it is generated: the keys it protects cannot be
recovered without it. The master key may be backed up to any of the following:

• A file, as an encrypted key.

• The key management system, as an encrypted key record.

• A set of recovery smart cards. This option is available only if the switch is managed by the
Brocade Network Advisor (BNA) application (also referred to as the Management application),
and if a card reader is available for attachment to the BNA workstation.

The use of smart cards provides the highest level of security. When smart cards are used, the
key is split and written to up to 10 cards, and each card may be kept and stored by a different
individual. A quorum of key holders is needed to restore the key: if five key holders exist and
the quorum is set to three, then any three of the five key holders, but no fewer, are needed to
restore the key.
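The quorum rule above is a threshold split: any three of five shares reconstruct the key, and two reveal nothing about it. The following is an added example, not Brocade code and not a description of how the Brocade Network Advisor actually encodes the cards (the guide does not document that algorithm here); it shows the standard Shamir secret-sharing construction over a prime field, with the card count and quorum as parameters. The 32-byte key, the share count of 5 and the quorum of 3 are constructed sample values.

```python
import secrets

# Field prime: the Mersenne prime 2^521 - 1. A 256-bit master key fits in one
# field element, so the whole key is split at once rather than byte by byte.
PRIME = (1 << 521) - 1

# Matches the guide's limit of up to 10 recovery smart cards.
MAX_CARDS = 10


def _eval_poly(coeffs, x):
    """Evaluate c0 + c1*x + c2*x^2 + ... at x (mod PRIME) using Horner's rule."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key: bytes, cards: int, quorum: int):
    """Split `key` into `cards` shares such that any `quorum` of them recover it.

    Returns a list of (x, y) shares, one per card. The constant term of a random
    polynomial of degree quorum-1 is the key; each share is a point on that curve.
    """
    if not 1 <= quorum <= cards <= MAX_CARDS:
        raise ValueError("need 1 <= quorum <= cards <= %d" % MAX_CARDS)
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # quorum-1 random coefficients; with fewer than `quorum` points the curve
    # (and therefore the constant term) is undetermined.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(quorum - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, cards + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over the given shares.

    With at least `quorum` distinct shares this is the original secret; with
    fewer it is a value that is unrelated to the secret, not an error.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recover_key(shares, key_len: int) -> bytes:
    """Recover the key bytes from a quorum of shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed sample: a 256-bit key split across 5 cards with a quorum of 3.
    key = secrets.token_bytes(32)
    shares = split_key(key, cards=5, quorum=3)
    print("any 3 of 5 recover the key:",
          recover_key([shares[0], shares[2], shares[4]], 32) == key)
    print("2 of 5 recover the key:",
          recover_secret(shares[:2]) == int.from_bytes(key, "big"))
```

Note that `recover_secret` cannot detect an insufficient or tampered share set on its own; a real recovery procedure pairs the split with an integrity check on the reconstructed key (for example, a stored hash of the master key) so that an operator with too few or wrong cards gets a clear failure rather than a silently wrong key.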

Support for virtual fabrics

The Brocade Encryption Switch does not support logical switch partitioning and therefore cannot itself be
partitioned, but it can be connected to any Logical Switch partition or Logical Fabric through an E_Port.

The FS8-18 Encryption Blades are supported only in the default switch partition; all FS8-18 blades in a
DCX Backbone chassis must be placed in the default switch partition. The encryption resource in the default
switch partition/fabric can be shared with other logical switch partitions/fabrics, or with other fabrics,
only through external device sharing using FCR or EX_Ports through a base switch/fabric. A separate port
blade must be used in the base switch/fabric for EX_Port connectivity between the logical switch partition
(the default switch partition) that holds the FS8-18 blades and the host/target fabrics. The EX_Port can be
on any external FCR switch.

NOTE

Refer to the Fabric OS Administrator’s Guide for details on how to configure the Brocade DCX
Backbones in virtual fabrics environments, including configuration of default switch partition and
any other logical switch partitions.
