Steps for connecting to an LKM/SSKM appliance – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (LKM/SSKM), 53-1002925-01, chapter 3, page 121

From the standpoint of external SAN management application operations, the FIPS crypto officer,
FIPS user, and node CP certificates are transparent to users. The KAC certificates are required for
operations with key managers. In most cases, KAC certificate signing requests must be sent to a
Certificate Authority (CA) for signing to provide authentication before the certificate can be used. In
all cases, signed KACs must be present on each switch.

1. Initialize the Brocade Encryption Switch node.

SecurityAdmin:switch> cryptocfg --initnode

Operation succeeded.

2. Initialize the new encryption engine.

SecurityAdmin:switch> cryptocfg --initEE [slotnumber]

Operation succeeded.

3. Zeroize all critical security parameters (CSPs) on the encryption engine.

SecurityAdmin:switch> cryptocfg --zeroizeEE [slotnumber]

This will zeroize all critical security parameters

ARE YOU SURE (yes, y, no, n): [no]y

Operation succeeded.

4. Register the encryption engine.

SecurityAdmin:switch> cryptocfg --regEE [slotnumber]

Operation succeeded.

5. Enable the encryption engine.

SecurityAdmin:switch> cryptocfg --enableEE [slotnumber]

Operation succeeded.

6. Check the encryption engine state using the following command to ensure the encryption engine is online:

SecurityAdmin:switch> cryptocfg --show -localEE

Steps for connecting to an LKM/SSKM appliance

The NetApp Lifetime Key Manager (LKM/SSKM) resides on a FIPS 140-2 Level 3-compliant
network appliance. The encryption engine and LKM/SSKM appliance communicate over a trusted
link. A trusted link is a secure connection established between the encryption switch or blade and
the NetApp LKM/SSKM appliance, using a shared secret called a link key. One link key per
encryption switch is established with each LKM/SSKM appliance. On a Brocade DCX Backbone
chassis with one or two FS8-18 encryption blades, only one link key is established with each
LKM/SSKM appliance, and the link key is shared between the blades.

DEKs are encrypted by the encryption engine, using its link key, and passed to LKM/SSKM over a
secure connection. LKM/SSKM decrypts the DEKs and re-encrypts them for storage on the LKM/SSKM
appliance. When the encryption engine needs a DEK from the LKM/SSKM key vault, it passes a
request that includes a key ID and other parameters needed by LKM/SSKM to locate the correct
key. LKM/SSKM locates the DEK, decrypts it, then encrypts it using the link key for transfer to the
encryption engine.
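The trusted-link exchange described above, as an added illustrative model that is not Brocade's or NetApp's code: the engine wraps a DEK under the shared link key, the appliance re-encrypts it under its own storage key for the key vault, and on a request by key ID it re-wraps the DEK under the link key for transfer. AES-GCM as the wrapping cipher, the 32-byte keys, the storage key, and the function names and key ID format are assumptions; the guide specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead builds AES-GCM for a 16/24/32-byte key; the cipher choice is an assumption.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}
// Wrap encrypts a DEK under key; the result is nonce || ciphertext || tag.
func Wrap(key, dek []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, dek, nil)
}
// Unwrap reverses Wrap; a wrong key, an altered blob or a short blob returns an error.
func Unwrap(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("wrapped DEK too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
// ReWrap is the appliance's step in both directions: decrypt a DEK under one key and
// re-encrypt it under another (link -> storage key on archive, storage -> link on request).
func ReWrap(from, to, blob []byte) ([]byte, error) {
	dek, err := Unwrap(from, blob)
	if err != nil {
		return nil, err
	}
	return Wrap(to, dek), nil
}
// Retrieve serves an engine request: find the stored DEK by key ID, re-wrap it for the link.
func Retrieve(vault map[string][]byte, storageKey, linkKey []byte, keyID string) ([]byte, error) {
	stored, ok := vault[keyID]
	if !ok {
		return nil, fmt.Errorf("no DEK with key ID %q", keyID)
	}
	return ReWrap(storageKey, linkKey, stored)
}
```

The plaintext DEK exists only transiently inside ReWrap, mirroring the appliance's role; the stored form cannot be opened with the link key alone.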
