Data rekeying, Resource allocation, Rekeying modes – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual

Fabric OS Encryption Administrator’s Guide (KMIP), 53-1002747-02, page 207

Because the Windows host utility “sdelete -c” sends WRITE commands with zeros to unmap LBAs,
which is currently not supported on the Brocade Encryption Switch, this utility will not be
able to unmap LBAs.

Rekey temporarily uses the last 512 blocks. As a result, these blocks will be marked as
provisioned on the thin-provisioned LUN.

The first 16 blocks of the LUN will be mapped automatically (if it was unmapped), after the LUN
has been configured as an encrypted LUN.

Data rekeying

In a rekeying operation, encrypted data on a LUN is decrypted with the current key, re-encrypted
with a new key and written back to the same LUN at the same logical block address (LBA) location.
This process effectively re-encrypts the LUN and is referred to as “in-place rekeying.”

It is recommended that you limit the practice of rekeying to the following situations:

Key compromise as a result of a security breach.

As a general security policy to be implemented as infrequently as every six months or once per
year.

Rekeying is only applicable to disk array LUNs or fixed block devices. There is no rekeying support
for tape media. If there is a need to re-encrypt encrypted tape contents with a new key, the process
is equivalent to restoring the data from tape backup. You decrypt the data with the old DEK and
subsequently back up the tape contents to tape storage, which will have the effect of encrypting
the data with the new DEK.

Resource allocation

A maximum of ten concurrent rekey sessions is supported per Encryption Group, with a maximum
of 10 concurrent rekey/encryption sessions per target container and 10 concurrent sessions per
physical initiator. If your configuration has two containers that are accessed by the same physical
initiator, you cannot have more than 10 concurrent rekey or encryption sessions in total. This includes both
rekey (auto and manual) and first-time encryption sessions.

When scheduled rekey or first-time encryption sessions exceed the maximum allowable limit, these
sessions will be pending and a “Temporarily out of resources” message is logged. Whenever an
active rekey or first-time encryption session completes, the next pending session is scheduled.

The system checks once every 15 minutes to determine if there are any rekey or first-time
encryption sessions pending. If resources are available, the next session in the queue is processed.
There may be up to an hour lag before the next session in the queue is processed. It is therefore
recommended that you do not schedule more than 10 rekey or first-time encryption sessions.
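To see how the three limits above interact, here is an added model of the admission policy this section describes (an illustration written for this page, not Brocade code). The 10-session limits come from the text; the container and initiator names are constructed, and treating each 15-minute check as starting only the head of the pending queue is an assumption.

```python
from collections import Counter, deque
MAX_PER_GROUP = 10      # concurrent sessions per Encryption Group
MAX_PER_CONTAINER = 10  # concurrent sessions per target container
MAX_PER_INITIATOR = 10  # concurrent sessions per physical initiator

class RekeySchedulerModel:
    def __init__(self):
        self.active = {}        # session -> (container, initiator)
        self.pending = deque()  # FIFO of (session, container, initiator)
        self.log = []           # messages the switch would log

    def _has_capacity(self, container, initiator):
        containers = Counter(c for c, _ in self.active.values())
        initiators = Counter(i for _, i in self.active.values())
        return (len(self.active) < MAX_PER_GROUP
                and containers[container] < MAX_PER_CONTAINER
                and initiators[initiator] < MAX_PER_INITIATOR)

    def submit(self, session, container, initiator):
        """Start now if every limit allows; otherwise queue as pending."""
        if self._has_capacity(container, initiator):
            self.active[session] = (container, initiator)
            return "active"
        self.pending.append((session, container, initiator))
        self.log.append(f"{session}: Temporarily out of resources")
        return "pending"

    def poll(self):
        """The 15-minute check: start the head of the queue if it now fits."""
        if not self.pending:
            return None
        session, container, initiator = self.pending[0]
        if not self._has_capacity(container, initiator):
            return None
        self.pending.popleft()
        self.active[session] = (container, initiator)
        return session

    def complete(self, session):
        """An active session finished; schedule the next pending one."""
        del self.active[session]
        return self.poll()

def two_containers_one_initiator(per_container=6):
    """Guide's case: two containers behind one physical initiator (constructed names)."""
    model = RekeySchedulerModel()
    for ctr in ("container_A", "container_B"):
        for n in range(per_container):
            model.submit(f"{ctr}_lun{n}", ctr, "initiator_1")
    return model
```

Submitting six LUNs per container through one initiator leaves two sessions pending even though neither container alone is at its limit, which is the case the section warns about.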

Rekeying modes

Rekeying operations can be performed under the following conditions:

Offline rekeying: The hosts accessing the LUN are offline, or host I/O is halted.

Online rekeying: The hosts accessing the LUN are online, and host I/O is active.
