Rebalancing an encryption engine, Master keys – Brocade Network Advisor SAN User Manual v12.3.0 User Manual
Page 893
Brocade Network Advisor SAN User Manual
841
53-1003154-01
Master keys
20
Rebalancing an encryption engine
To re-balance an encryption engine, complete the following steps:
1. Select Configure > Encryption from the menu task bar to display the Encryption Center
dialog box. (Refer to
2. Select an engine, then select Engine > Re-Balance from the menu task bar.
A warning message displays, noting the potential disruption of disk and tape I/O, and that the
operation may take several minutes.
3. Click Yes to begin rebalancing.
Master keys
Master keys belong to the group and are managed from Group Properties.
When an opaque key vault is used, a master key is used to encrypt the data encryption keys. The
master key status indicates whether a master key is used and whether it has been backed up.
Encryption is not allowed until the master key has been backed up.
Only the active master key can be backed up, and multiple backups are recommended. You can
back up or restore the master key to the key vault, to a file, or to a recovery card set. A recovery
card set is set of smart cards. Each recovery card holds a portion of the master key. The cards must
be gathered and read together from a card reader attached to a PC running the Management
application to restore the master key.
Although it is generally not necessary to create a new master key, you might be required to create
one due to the following:
•
The previous master key has been compromised.
•
Corporate policy might require a new master key every year for security purposes.
With regard to DPM, any DEK in the key vault that is either compromised, or needs to be
deactivated or destroyed, must first undergo the decommissioning procedure. For more
information, refer to
When you create a new master key, the former active master key automatically becomes the
alternate master key.
The new master key cannot be used (no new data encryption keys can be created, so no new
encrypted LUNs can be configured), until you back up the new master key. After you have backed
up the new master key, it is strongly recommended that all encrypted disk LUNs be rekeyed.
Rekeying causes a new data encryption key to be created and encrypted using the new active
master key, thereby removing any dependency on the old master key. Refer to
on page 849 for more information.
Master key actions are disabled if they are unavailable. For example:
•
The user does not have Storage Encryption Security permissions.
•
The Group Leader is not discovered or managed by the Management application.
NOTE
It is important to back up the master key because if the master key is lost, none of the data
encryption keys can be restored and none of the encrypted data can be decrypted.