Crypto lun configuration, Discovering a lun – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002923-01

Crypto LUN configuration

A Crypto LUN is the LUN of a target disk or tape storage device that is enabled for and capable of
data-at-rest encryption. Crypto LUN configuration is done on a per-LUN basis. You configure the
LUN for encryption by explicitly adding the LUN to the CryptoTarget container and turning on the
encryption property and policies on the LUN. Any LUN of a given target that is not enabled for
encryption must still be added to the CryptoTarget container with the cleartext policy option.

The general procedures described in this section apply to both disk and tape LUNs. The
specific configuration procedures differ with regard to encryption policy and parameter setting.

You configure the Crypto LUN on the group leader. You need the Admin or FabricAdmin role to
perform LUN configuration tasks.

With the introduction of Fabric OS 7.1.0, the maximum number of uncommitted configuration
changes per disk LUN (or maximum paths to a LUN) is 512 transactions. This change in
commit limit is applicable only when using BNA. The commit limit when using the CLI remains
unchanged at 25.

There is a maximum of eight tape LUNs per Initiator in a container. The maximum number of
uncommitted configuration changes per tape LUN remains unchanged at eight.

CAUTION

When configuring a LUN with multiple paths (which means the LUN is exposed and configured on
multiple CryptoTarget containers located on the same Encryption switch or blade, or on different
encryption switches or blades), the same LUN policies must be configured on all LUN paths.
Failure to configure all LUN paths with the same LUN policies results in data corruption. If you are
configuring multi-path LUNs as part of a HA cluster or DEK cluster or as a stand-alone LUN
accessed by multiple hosts, follow the instructions described in the section
“Configuring a multi-path Crypto LUN” on page 181.

Discovering a LUN

When adding a LUN to a CryptoTarget container, you must specify a LUN Number. The LUN Number
needed for configuring a given Crypto LUN is the LUN Number as exposed to a particular initiator.

The Brocade encryption platform provides LUN discovery services through which you can identify
the exposed LUN number for a specified initiator. If you already know the exposed LUN numbers for
the various initiators accessing the LUN, you may skip the LUN discovery step and directly configure
the Crypto LUN.

1. Log in to the group leader as Admin or FabricAdmin.

2. Enter the cryptocfg --discoverLUN command followed by the CryptoTarget container name.

FabricAdmin:switch> cryptocfg --discoverLUN my_disk_tgt
Container name: my_disk_tgt
Number of LUN(s): 1
Host: 10:00:00:00:c9:2b:c9:3a
LUN number: 0x0
LUN serial number: 200000062B0F726D0C000000
Key ID state: Key ID not available
Key ID: 3a:21:6a:bd:f2:37:d7:ea:6b:73:f6:19:72:89:c6:4f
