Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual


53-1002747-02

Terminology

Opaque Key Vault

A storage location that provides untrusted key management functionality. Its contents
may be visible to a third party, so DEKs placed in an opaque key vault are stored
encrypted under a master key; a party who can read the vault sees only the wrapped
DEKs, not usable key material.

Recovery cards

A set of smart cards that together hold a backup of the master key. Each recovery card
holds only a portion of the master key, so no single card is sufficient. To restore the
master key, the cards must be gathered and read together through a card reader attached
to a PC running the Brocade Network Advisor (BNA) client. Storing the recovery cards in
different locations makes it very difficult to steal the master key; storing them
together defeats the purpose.
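As an added illustration of the recovery-card split described above (example code written for this edit, not Brocade's mechanism or the BNA client's logic): the master key is split into n shares so that all n cards are required and any n-1 of them carry no information about the key. The XOR-based n-of-n split, the 256-bit key size, the key check value and the set identifier stored on each card are assumptions of the example; a threshold scheme would be needed if fewer than all cards were meant to suffice.

```python
import hashlib
import os
import secrets

KEY_LEN = 32  # assumed 256-bit master key; the guide does not state the size


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def key_check_value(master_key):
    """4-byte fingerprint written on every card so a reassembled key can be
    verified. For a 256-bit random key this gives no useful brute-force
    advantage to someone holding the cards."""
    return hashlib.sha256(b"kcv:" + master_key).digest()[:4]


def split_master_key(master_key, n_cards):
    """n-of-n split: cards 0..n-2 are fresh randomness, the last card is the
    key XORed with all of them. Any n-1 cards are statistically independent
    of the key, so a stolen subset reveals nothing."""
    if n_cards < 2:
        raise ValueError("a split needs at least two cards")
    shares = [os.urandom(len(master_key)) for _ in range(n_cards - 1)]
    last = master_key
    for s in shares:
        last = _xor(last, s)
    shares.append(last)
    set_id = os.urandom(8)  # marks which recovery set a card belongs to
    kcv = key_check_value(master_key)
    return [{"set_id": set_id, "index": i, "share": s, "kcv": kcv}
            for i, s in enumerate(shares)]


def restore_master_key(cards, expected_cards):
    """Recombine by XORing all shares. Refuses incomplete sets, mixed sets and
    duplicate cards, and verifies the result against the stored check value."""
    if len(cards) != expected_cards:
        raise ValueError("need all %d cards, got %d" % (expected_cards, len(cards)))
    if len({c["set_id"] for c in cards}) != 1:
        raise ValueError("cards from different recovery sets were mixed")
    if {c["index"] for c in cards} != set(range(expected_cards)):
        raise ValueError("duplicate or missing card")
    key = bytes(len(cards[0]["share"]))
    for c in cards:
        key = _xor(key, c["share"])
    if not secrets.compare_digest(key_check_value(key), cards[0]["kcv"]):
        raise ValueError("reassembled key fails its check value")
    return key


def _rejected(cards, n):
    try:
        restore_master_key(cards, n)
        return False
    except ValueError:
        return True


def demo(n_cards=3):
    """Walk through split, full restore, and the failure cases."""
    mk = os.urandom(KEY_LEN)
    cards = split_master_key(mk, n_cards)
    out = {"restored": restore_master_key(cards, n_cards) == mk}
    partial = bytes(KEY_LEN)  # XOR of n-1 cards: unrelated to the key
    for c in cards[:-1]:
        partial = _xor(partial, c["share"])
    out["partial_xor_is_key"] = partial == mk
    out["partial_rejected"] = _rejected(cards[:-1], n_cards)
    other = split_master_key(os.urandom(KEY_LEN), n_cards)  # a different set
    out["foreign_card_rejected"] = _rejected(cards[:-1] + [other[-1]], n_cards)
    bad = dict(cards[-1])  # same set and index, one bit flipped on the card
    bad["share"] = _xor(bad["share"], b"\x01" + bytes(KEY_LEN - 1))
    out["corrupt_card_rejected"] = _rejected(cards[:-1] + [bad], n_cards)
    return out
```

The check value is what lets the restore step fail closed on a corrupted or substituted card instead of silently loading a wrong master key; the set identifier keeps cards from two different recovery sets from being combined.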

Redirection zone

When encryption is implemented, data traffic is routed to and from virtual initiators and
virtual targets. Redirection zones are automatically created to enable frame redirection
to the virtual initiators and virtual targets.

Rekeying

Rekeying is decrypting data with the current Data Encryption Key (DEK) and re-encrypting
it with a new DEK. It is done when the current key is compromised, or when the DEK has
been configured to expire after a set period. The rekeying operation can also be used to
encrypt existing data that is currently stored as cleartext. In that case there is no
existing DEK, so the data is not decrypted first; it is simply encrypted using the new
DEK.

Trusted Key Vault

Highly secure storage on a hardware appliance that establishes a trusted link with the
encryption device for secure exchange of DEKs. DEKs are encrypted for transit over that
link between the encryption device and the hardware appliance. At the hardware
appliance, the DEKs are re-encrypted using a master key created and maintained by the
hardware appliance, and are then stored in the trusted key vault.
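The three key operations defined in this section, rekeying (decrypt under the current DEK and re-encrypt under the new one, or skip the decrypt when the data is still cleartext), DEK wrapping for an opaque key vault, and the transit-then-rewrap path into a trusted key vault, carried through in one added example. This is illustration code written for this edit, not Fabric OS or appliance code; the toy HMAC-SHA256-based authenticated cipher, the key sizes and all function names are assumptions, since the guide does not specify the cipher or wire format.

```python
import hashlib
import hmac
import os


# Toy authenticated cipher standing in for the appliance's real one (the guide
# does not name it): HMAC-SHA256 keystream in counter mode plus an HMAC tag
# (encrypt-then-MAC) under separate subkeys. Illustration only, not AES.
def _subkeys(key):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key, data):
    """nonce || ciphertext || tag"""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc, nonce, len(data))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first; a wrong key or a modified blob is rejected."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def rekey(stored, old_dek, new_dek):
    """Rekeying as the guide defines it: decrypt under the current DEK and
    re-encrypt under the new one. old_dek=None means the LUN still holds
    cleartext, so the decrypt step is skipped (first-time encryption)."""
    plaintext = stored if old_dek is None else unseal(old_dek, stored)
    return seal(new_dek, plaintext)


def wrap_dek(master_key, dek):
    """Opaque key vault: only this wrapped form is written to the vault, so a
    party who can read the vault gets no usable key material."""
    return seal(master_key, dek)


def unwrap_dek(master_key, wrapped):
    return unseal(master_key, wrapped)


def deliver_to_trusted_vault(link_key, appliance_master_key, dek):
    """Trusted key vault: the DEK is encrypted under the trusted-link key for
    transit, unwrapped on the appliance, and re-wrapped under the appliance's
    own master key before it is stored."""
    in_transit = seal(link_key, dek)            # what crosses the link
    received = unseal(link_key, in_transit)     # appliance side of the link
    return seal(appliance_master_key, received)  # what the vault stores


def demo():
    """Constructed scenario: first-time encryption, a rekey, and both vault paths."""
    dek1, dek2, mk, link, appl = (os.urandom(32) for _ in range(5))
    lun = b"customer data block 0007"  # constructed sample LUN contents
    first = rekey(lun, None, dek1)     # cleartext -> encrypted under dek1
    second = rekey(first, dek1, dek2)  # dek1 -> dek2
    out = {"first_time": unseal(dek1, first) == lun,
           "after_rekey": unseal(dek2, second) == lun}
    try:
        unseal(dek1, second)
        out["old_dek_still_works"] = True
    except ValueError:
        out["old_dek_still_works"] = False
    wrapped = wrap_dek(mk, dek1)
    out["vault_sees_dek"] = dek1 in wrapped
    out["unwrap_ok"] = unwrap_dek(mk, wrapped) == dek1
    tampered = bytearray(wrapped)
    tampered[20] ^= 1  # one bit flipped inside the stored record
    try:
        unwrap_dek(mk, bytes(tampered))
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    stored = deliver_to_trusted_vault(link, appl, dek2)
    out["trusted_vault_ok"] = unseal(appl, stored) == dek2
    return out
```

The practitioner's check is in the last two vault cases: a wrapped DEK must carry an integrity tag, otherwise a party with write access to an opaque vault can alter stored keys undetected, and the trusted-vault path must decrypt the transit wrapping before re-wrapping, or the appliance's master key ends up protecting a blob it cannot itself use.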

Virtual Initiator

A logical entity that acts as a stand-in for a physical host when communicating with a
physical target LUN.

Virtual Target

A logical entity that acts as a stand-in for a physical target LUN when communicating
with a physical host. A virtual target is mapped one to one to a specific physical target.
