Re-exporting a master key – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (DPM)


53-1002922-01


Re-exporting a master key

With the introduction of Fabric OS v7.0.0, you can export master keys to the key vault multiple
times instead of only once. The ability to export the master key more than once enables you to
recover the master key when needed. For example, prior to Fabric OS 7.0.0, if you forgot your
passphrase that was used to export the master key, you were not able to recover the master key
from the key vault. The ability to re-export the master key in this scenario alleviates this concern.

When the master key is exported to the key vault for the first time, it is stored with the actual
master key ID. Subsequent exports are provided with additional exported key IDs that are
generated by the Brocade Encryption Switch. Each additional time the master key is exported to the
key vault, a different key ID is saved.

The master key can be recovered from any export using the exported master key ID and the
corresponding passphrase.

Note the following:

• If you are upgrading to Fabric OS v7.0.0 from an earlier version (for example, Fabric OS v6.4.x),
you can recover the master key with the master key ID. Additional exports of the master key are
allowed with the exported master key IDs.

• If you are downgrading from Fabric OS v7.0.0 to an earlier version (for example, Fabric OS
v6.4.x), you can recover the master key using the master key ID that is exported in Fabric OS
v7.0.0 and its corresponding passphrase. Downgrading to earlier versions allows the master
key to be recoverable with only the master key ID.

The --show -localEE command shows the actual master key IDs, along with the new master key
IDs. Also shown are all exported master key IDs associated with a given (actual) master key.

NOTE

You will need to remember the exported master key ID and passphrase you used while exporting the
master key ID.

A new subcommand is available to support exporting master key IDs for a given master key.

SecurityAdmin:switch> cryptocfg --show -mkexported_keyids <MK ID>

The following example lists the exported master key IDs for a given master key ID:

SecurityAdmin:switch> cryptocfg --show -mkexported_keyids e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:92
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:92
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:93
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:94
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:95
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:96
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:97
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:98
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:99
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:9a
e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:9b
Operation succeeded.
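Because every export needs its own exported master key ID and passphrase to be recoverable, it helps to reconcile the switch's list against an offline record of who holds each passphrase. The following is an added example, not part of the Brocade manual: the register format, custodian names, function names and the shortened capture are assumptions constructed for illustration, and the parser expects the master key ID on the same line as the command.

```python
import re

# Key IDs are printed as 16 colon-separated hex bytes, one per line.
KEY_ID = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$", re.IGNORECASE)

def parse_exported_keyids(captured):
    """Return (master_key_id, exported_ids, succeeded) from a captured session."""
    master_key_id, exported, succeeded = None, [], False
    for raw in captured.splitlines():
        line = raw.strip()
        if "-mkexported_keyids" in line:
            # The master key ID is the command's argument (same line assumed).
            arg = line.split("-mkexported_keyids", 1)[1].strip()
            master_key_id = arg.lower() if KEY_ID.match(arg) else None
        elif KEY_ID.match(line):
            exported.append(line.lower())
        elif line == "Operation succeeded.":
            succeeded = True
    return master_key_id, exported, succeeded

def reconcile(captured, escrow_register):
    """Compare the switch's exported key IDs with an offline escrow register.

    escrow_register (hypothetical format) maps exported key ID -> custodian of
    that export's passphrase. The passphrase itself is never stored in it.
    """
    mk_id, exported, ok = parse_exported_keyids(captured)
    if not ok or mk_id is None:
        raise ValueError("capture is incomplete; rerun the command")
    register = {k.lower(): v for k, v in escrow_register.items()}
    return {
        # The first export is stored under the actual master key ID.
        "mk_id_listed": mk_id in exported,
        "no_passphrase_on_record": [i for i in exported if i not in register],
        "unknown_to_switch": sorted(set(register) - set(exported)),
    }

# Constructed sample: a shortened capture and a made-up register.
PREFIX = "e3:ae:aa:89:ec:12:0c:04:29:61:9c:99:44:a3:9b:"
SAMPLE_CAPTURE = "\n".join(
    ["SecurityAdmin:switch> cryptocfg --show -mkexported_keyids " + PREFIX + "92"]
    + [PREFIX + s for s in ("92", "93", "94")]
    + ["Operation succeeded."]
)
SAMPLE_REGISTER = {PREFIX + "92": "custodian-a", PREFIX + "9f": "custodian-b"}

if __name__ == "__main__":
    print(reconcile(SAMPLE_CAPTURE, SAMPLE_REGISTER))
```

An export listed under no_passphrase_on_record cannot be used for recovery by anyone on record, and an entry under unknown_to_switch points to a register error or an export made for a different master key.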
