Turn off compression on extension switches, Rekeying best practices and policies, Manual rekey – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (DPM)    239    53-1002922-01

Turn off compression on extension switches

We recommend disabling data compression on FCIP links that might carry encrypted traffic, to
avoid potential performance issues: compressing encrypted data might not yield the desired
compression ratio. We also recommend that tape pipelining and fastwrite be disabled on the
FCIP link if it is transporting encrypted traffic.

Rekeying best practices and policies

Rekeying should be done only when necessary. In key management systems, DEKs are never
exposed in an unwrapped or unencrypted state. For all opaque key management systems, you
must rekey if the master key is compromised. The practice of rekeying should be limited to the
following cases:

• Master key compromise in the case of opaque key vaults.

• Insider security breaches.

• As a general security policy, as infrequently as every six months or once per year.

Manual rekey

Ensure that the link to the key management system is up and running before you attempt a manual
rekey.

Latency in rekey operations

Host I/O for regions other than the current rekey region has no latency during a rekey operation.
Host I/O for the region where the current rekey is happening has minimal latency (a few
milliseconds) because I/O is held until the rekey is complete. The I/O sync links (the Ethernet ports
labeled Ge0 and Ge1) must be configured, and must both be connected to the I/O sync LAN to
enable proper handling of rekey state synchronization in high availability (HA cluster)
configurations.

Allow rekey to complete before deleting a container

Do not delete a crypto container while rekey is in session or if rekey is not completed. If you want to
delete a container, use the command cryptocfg --show -rekey all to display the status of rekey
sessions. If any rekey session is not 100% completed, do not delete the container. If you do delete
the container before rekey is complete, and subsequently add the LUN back as cleartext, all data
on the LUN is destroyed.
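The check described above, as an added example that is not part of the guide: a shell gate that reads a captured copy of the rekey status output and refuses to report "safe" unless every session is at 100% (and fails closed on an empty capture). The function name, the /tmp file paths and the line layout of the sample captures are assumptions; the real output format of cryptocfg --show -rekey all must be confirmed against the guide before the parser is relied on.

```shell
#!/bin/sh
# Pre-deletion gate for crypto containers (added example, not Brocade code).
# Usage: rekey_sessions_complete <file with captured rekey status output>
# Returns 0 if every session is at 100%, 1 if any session is below 100%,
# and 2 if the capture is empty or missing (treated as unsafe, fail-closed).
rekey_sessions_complete() {
    [ -s "$1" ] || { echo "empty capture: refusing to treat rekey as complete" >&2; return 2; }
    awk '
        # Every line carrying a percentage is taken as one rekey session.
        /[0-9]+%/ {
            match($0, /[0-9]+%/)
            pct = substr($0, RSTART, RLENGTH - 1) + 0
            total++
            if (pct < 100) incomplete++
        }
        END {
            if (incomplete > 0) {
                printf "%d of %d rekey sessions below 100%%, do not delete the container\n", incomplete, total
                exit 1
            }
            printf "%d rekey sessions reported, all complete\n", total
            exit 0
        }
    ' "$1"
}

# Constructed sample captures (assumed layout, not real switch output).
cat > /tmp/rekey_pending.txt <<'EOF'
Container: cont_tape01  LUN: 0x0  Rekey status: 100%
Container: cont_tape01  LUN: 0x1  Rekey status: 67%
EOF
cat > /tmp/rekey_done.txt <<'EOF'
Container: cont_tape01  LUN: 0x0  Rekey status: 100%
Container: cont_tape01  LUN: 0x1  Rekey status: 100%
EOF
: > /tmp/rekey_empty.txt

# In production, replace the sample file with the saved output of
#   cryptocfg --show -rekey all
# and only proceed to delete the container when the gate returns 0.
if rekey_sessions_complete /tmp/rekey_done.txt; then
    echo "safe to proceed with container deletion"
fi
```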

Rekey operations and firmware upgrades

All nodes in an encryption group must be at the same firmware level before starting a rekey or
first-time encryption operation. Make sure that existing rekey or first-time encryption operations
complete before upgrading any of the encryption products in the encryption group, and that the
upgrade completes before starting a rekey or first-time encryption operation.
