Thin provisioning support, Viewing time left for auto rekey – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual


Fabric OS Encryption Administrator’s Guide (KMIP)


53-1002747-02


If you are running a Fabric OS version earlier than v7.1.0, LUN status is shown as Not
Applicable.

Zero detect with encryption is not supported.

Thin provisioning support

Thin-provisioned logical unit numbers (LUNs) are increasingly used to support a pay-as-you-grow
strategy for data storage capacity. The technology is also known as dynamic provisioning, virtual
LUNs, or thin LUNs. The same mechanism that allows storage administrators to allocate physical
disk space to LUNs on an as-needed basis creates limitations around certain data-at-rest
encryption operations that use the Brocade Encryption Switch or blade. Performing first-time
encryption (FTE) (conversion of cleartext to ciphertext) and data rekeying operations (applying
new data encryption keys to ciphertext data) on thin-provisioned LUNs results in an attempt by
the encryption switch to overwrite data up to the logical size of the thin-provisioned LUN, rather
than limiting FTE/rekeying to the physically allocated size of the LUN or to the data that has been
written. This generally triggers the allocation of additional blocks to the thin-provisioned LUN,
using up the physical disk space that is available to the LUN and defeating the objective of using
thin provisioning.

Additionally, for thin-provision capable storage products that support space reclamation based on
data pattern recognition (for example, ‘string of zeros’), the encryption of such patterns will
interfere with the space reclamation functionality of the storage and should be avoided.

Certain types of storage, including 3PAR, have been successfully tested by limiting the use of thin
provisioning to “greenfield” LUNs, or LUNs that do not have any written data yet. Rekeying
operations on these LUNs, like FTE, are also not permitted. As these limitations are not feasible for
most environments, the recommendation from Brocade is that any encrypted LUNs be fully
provisioned with disk.
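
The two effects described in this section (allocation growing to the full logical size, and zero-pattern space reclamation finding nothing once data is encrypted) can be reproduced with a toy model. This is an added example, not code from the Brocade guide; the `ThinLun` class, the block and LUN sizes, and the SHAKE-256 keystream standing in for the switch's cipher are all assumptions.

```python
import hashlib
BLOCK = 512  # bytes per block (constructed value)

class ThinLun:
    """Toy thin LUN: physical space is allocated only when a block is written."""
    def __init__(self, logical_blocks):
        self.logical_blocks = logical_blocks
        self.backing = {}  # LBA -> data, allocated blocks only

    def read(self, lba):
        return self.backing.get(lba, bytes(BLOCK))  # unallocated reads as zeros

    def write(self, lba, data):
        self.backing[lba] = data  # allocate on write

    def reclaim_zero_blocks(self):
        """Pattern-based space reclamation: free blocks that hold only zeros."""
        zero = [lba for lba, d in self.backing.items() if d == bytes(BLOCK)]
        for lba in zero:
            del self.backing[lba]
        return len(zero)

def encrypt_block(key, lba, data):
    """Stand-in cipher (SHAKE-256 keystream XOR), not the switch's algorithm."""
    stream = hashlib.shake_256(key + lba.to_bytes(8, "big")).digest(BLOCK)
    return bytes(a ^ b for a, b in zip(data, stream))

def first_time_encrypt(lun, key):
    """In-place pass over the whole logical range, as the text describes."""
    for lba in range(lun.logical_blocks):
        lun.write(lba, encrypt_block(key, lba, lun.read(lba)))

def build_lun():
    lun = ThinLun(logical_blocks=1000)  # constructed sizes
    for lba in range(10):
        lun.write(lba, b"A" * BLOCK)    # real data
    for lba in range(10, 20):
        lun.write(lba, bytes(BLOCK))    # host-written zeros
    return lun

def compare():
    """Return (allocated, freed) for a cleartext LUN, then for an encrypted one."""
    clear, enc = build_lun(), build_lun()
    freed_clear = clear.reclaim_zero_blocks()
    first_time_encrypt(enc, b"constructed-key")
    freed_enc = enc.reclaim_zero_blocks()
    return len(clear.backing), freed_clear, len(enc.backing), freed_enc

if __name__ == "__main__":
    print(compare())
```

On the constructed LUN, the cleartext copy shrinks after reclamation, while the encrypted copy ends fully allocated and reclamation frees nothing.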

Viewing time left for auto rekey

You can view the time remaining until auto rekey is no longer active for a disk LUN. The information
is expressed as the difference between the next rekey date and the current date and time, and is
measured in days, hours, and minutes.

Although you cannot make changes directly to the table, you can modify the time left using the CLI.
For more information, see the administrator’s guide supporting your key vault management system.

To view the time left for auto rekey, follow these steps:

1. Select Configure > Encryption from the menu task bar to display the Encryption Center
dialog box. (Refer to Figure 6 on page 14.)

2. Select a group, switch, or engine from the Encryption Center Devices table for which to view the
auto rekey information, then select Group/Switch/Engine > Targets from the menu task bar.

NOTE
You can also select a group, switch, or engine from the Encryption Center Devices table, then
click the Targets icon.

The Encryption Targets dialog box displays. (Refer to Figure 71 on page 80.)

3. Select a target disk device from the table, then click LUNs.
