Tape block zero handling, Tape key expiry, Configuring cryptotarget containers and luns – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual


Fabric OS Encryption Administrator’s Guide (KMIP), 53-1002747-02, chapter 5, page 235

Tape pool configuration is used only when a tape medium is labeled, which happens on the first
write to that medium. Once the label and its metadata have been written, the tape pool
configuration is no longer consulted. It is not required for restoring data from an encrypted tape
belonging to the pool, because the key ID is carried in the metadata on the tape itself.

When the tape pool label configured on the encryption device does not match any label that the
backup application sends as part of the first write (tape labeling) to the medium, the tape pool
level policies are ignored and the default LUN level policies are applied instead.

Tape block zero handling

Block zero of a tape medium is not encrypted. Its data is sent to the tape device as cleartext,
with the block zero metadata header prefixed to the data. Anything a backup application places in
block zero (the tape label) is therefore readable by anyone who can read the medium, even though
the remaining blocks are ciphertext.

Tape key expiry

When the tape key of a native pool expires in the middle of a write operation, that key continues
to be used for the duration of the write, including any appends to the medium. On any given tape
medium, the same key is used for all written blocks, regardless of the time that elapses between
append operations.

Except for native pools, whenever you rewind a tape and write to block zero, a new key is
generated that is unique to that tape. Only with native pools is the same key used to write to
multiple media. That shared key has a user-determined lifespan, which applies to the elapsed time
between write operations to new tapes (that is, label writes after a rewind).

Note the following:

• Key expiration does not apply to append operations, no matter how far in the future they occur.

• Key expiration never applies to read operations.

• Key expiration never applies to LUN-based policies. A new key is generated every time a tape
medium is rewound and written to block zero (label), regardless of whether the specified key life
span has expired.
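The three rule sets above (pool label matching at the first write, cleartext block zero with a metadata header, and key expiry for native pools versus per-tape keys) are easy to misread, so here they are as an executable model. This is an added example written for this page, not Brocade code; the class names, the `key-N` identifiers, the record layout and the choice to measure a native key's lifespan from the moment it was generated are all assumptions, and the pools and tapes in `scenario()` are constructed.

```python
"""Model of the tape key rules on this page (label matching at the first write,
cleartext block zero carrying a metadata header, native-pool key expiry).
Constructed illustration, not Brocade code; every name here is an assumption."""
import itertools
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PoolPolicy:
    label: str                  # label the backup application writes at block zero
    native: bool                # native pool: one key is shared across media
    key_lifespan: float = 0.0   # seconds a native key stays usable for new labels


@dataclass
class Tape:
    position: int = 0           # next block to write; 0 means new or rewound
    key: Optional[str] = None   # key ID in use for this medium
    blocks: list = field(default_factory=list)

    def rewind(self) -> None:
        self.position = 0


class TapeKeyModel:
    def __init__(self, pools):
        self.pools = {p.label: p for p in pools}
        self._ids = itertools.count(1)
        self._native = {}       # pool label -> (key ID, time it was generated)

    def _new_key(self) -> str:
        return f"key-{next(self._ids)}"

    def _key_for_label(self, label, now):
        """Pick the key at a block-zero (label) write; returns (key ID, policy)."""
        pool = self.pools.get(label)
        if pool is None:
            # No configured pool matches the label: pool policies are ignored and
            # the default LUN-level policy applies, i.e. a fresh key per label write.
            return self._new_key(), "lun"
        if not pool.native:
            # Non-native pool: each rewind-and-label write gets a tape-unique key.
            return self._new_key(), "pool"
        # Native pool: one key serves many media until its lifespan has elapsed.
        # Assumption: lifespan counts from key generation and is checked only here,
        # never on appends or reads.
        key, created = self._native.get(label, (None, 0.0))
        if key is None or now - created > pool.key_lifespan:
            key, created = self._new_key(), now
            self._native[label] = (key, created)
        return key, "pool"

    def write(self, tape, now, data, label=None):
        """Write one block at tape.position; position 0 is a label write."""
        if tape.position == 0:
            tape.key, policy = self._key_for_label(label or "", now)
            tape.blocks = []    # writing block zero overwrites the medium
            # Block zero is not encrypted: the metadata header (with the key ID)
            # is prefixed to the label data and both reach the drive as cleartext.
            record = {"block": 0, "cleartext": True, "data": data,
                      "header": {"key_id": tape.key, "policy": policy}}
        else:
            # Append: the medium's existing key is used however much time passed.
            record = {"block": tape.position, "cleartext": False,
                      "key_id": tape.key, "data": data}
        tape.blocks.append(record)
        tape.position += 1
        return record

    @staticmethod
    def key_id_for_restore(tape):
        # Restore needs no pool configuration: the key ID is in block-zero metadata.
        return tape.blocks[0]["header"]["key_id"]


def scenario():
    """Walk the rules with constructed pools and tapes; returns the key IDs chosen."""
    m = TapeKeyModel([PoolPolicy("NATIVE-POOL", native=True, key_lifespan=3600),
                      PoolPolicy("PERTAPE-POOL", native=False)])
    t1, t2, t3, t4, t5 = (Tape() for _ in range(5))
    r = {}
    r["t1_label"] = m.write(t1, 0, b"NATIVE-POOL", label="NATIVE-POOL")["header"]["key_id"]
    r["t2_label"] = m.write(t2, 100, b"NATIVE-POOL", label="NATIVE-POOL")["header"]["key_id"]
    r["t1_append"] = m.write(t1, 864000, b"backup")["key_id"]       # 10 days later, no expiry
    t1.rewind()
    r["t1_relabel"] = m.write(t1, 864000, b"NATIVE-POOL", label="NATIVE-POOL")["header"]["key_id"]
    r["t1_append2"] = m.write(t1, 864001, b"backup")["key_id"]
    r["t3_label"] = m.write(t3, 0, b"MISC", label="MISC")["header"]["key_id"]   # unmatched label
    t3.rewind()
    r["t3_relabel"] = m.write(t3, 1, b"MISC", label="MISC")["header"]["key_id"]
    r["t4_label"] = m.write(t4, 0, b"PERTAPE-POOL", label="PERTAPE-POOL")["header"]["key_id"]
    r["t5_label"] = m.write(t5, 0, b"PERTAPE-POOL", label="PERTAPE-POOL")["header"]["key_id"]
    r["t1_restore"] = TapeKeyModel.key_id_for_restore(t1)
    r["t1_block0_cleartext"] = t1.blocks[0]["cleartext"]
    r["t1_block1_cleartext"] = t1.blocks[1]["cleartext"]
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:20} {v}")
```

Running `scenario()` shows the two native-pool tapes sharing one key, a ten-day-old append still using it, the rewind-and-relabel after the lifespan producing a new key, the unmatched label falling back to a fresh key on every block-zero write, and block zero stored cleartext while later blocks are not.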

Configuring CryptoTarget containers and LUNs

The following are best practices to follow when configuring CryptoTarget containers and crypto
LUNs:

• Host a target port on only one encryption switch, or one HA cluster. All LUNs visible through
the target port are then hosted on the same encryption switch and are available for storing
ciphertext.

• Be sure all nodes in a given DEK or HA cluster are up and enabled before creating an encrypted
LUN. If a node in the DEK or HA cluster is down, or an encryption engine is down or not enabled
when an encrypted LUN is added to the CryptoTarget container, write operations hang while the
metadata is being written to the LUN and I/O times out. Data integrity is not guaranteed in
this condition, so verify cluster and engine state before adding the LUN rather than after.
