Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002923-01

Decommissioning LUNs


If a LUN is removed when undergoing decommission or is in a decommission failed state, or if a
container hosting the LUN is deleted, you must use the -force option on the commit operation
(cryptocfg --commit -force). Failure to do so causes the commit operation to fail and a
decommission in progress error displays.

Upon a successful completion of a decommissioning operation, the LUN is deleted from all
containers hosting it, and all active paths to the LUNs are lost.

NOTE

The command used to decommission LUNs will not work after firmware has been downgraded to a
version of Fabric OS earlier than v7.1.0.

Use the following procedure to decommission a LUN.

1. Log in as Admin or FabricAdmin to the node that hosts the container.

2. Enter the cryptocfg --decommission command.

FabricAdmin:switch> cryptocfg --decommission -container disk_ct0 -initiator 21:01:00:1b:32:29:5d:1c -LUN 0

3. Enter cryptocfg --show -decommissionedkeyids to obtain a list of all currently
decommissioned key IDs. These are the key IDs that you must delete manually from the key
vault before purging them from the switch.

FabricAdmin:switch> cryptocfg --show -decommissionedkeyids

4. Enter the cryptocfg --show -vendorspecific_keyid <key_id> command to list the
vendor-specific key information for a given key ID.

FabricAdmin:switch> cryptocfg --show -vendorspecific_keyid AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4
uuid = b7e07a6a-db64-40c2-883a-0bc6c4e923e6

5. Manually delete the listed key IDs from the key vault.

6. Enter the cryptocfg --delete -decommissionedkeyids command to purge all key IDs
associated with a decommissioned LUN.

FabricAdmin:switch> cryptocfg --delete -decommissionedkeyids

7. Enter the cryptocfg --show -decommissionedkeyids command to verify that the deleted
key IDs are no longer listed.

The cache is also cleared when cryptocfg --zeroizeEE is executed on the encryption engine.
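Because step 5 is a manual key vault operation, a practitioner will usually want a cross-check that every key ID listed in step 3 was actually removed from the SKM/ESKM vault and that none remains on the switch in step 7. The following Python helper is an added example, not part of the guide or of Fabric OS; it assumes the decommissioned key ID listing prints one key ID per line in the AA:8B:... form shown above, and the captured session text is constructed except for the key ID and uuid taken from the guide's example.

```python
import re
from typing import Optional

# Key ID format as it appears in the guide's example output: 16 colon-separated hex bytes.
KEY_ID_RE = re.compile(r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){15}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")
UUID_RE = re.compile(r"uuid\s*=\s*([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")

# Constructed sample captures. The first key ID and the uuid come from the guide's example;
# the second key ID and the list layout are assumptions, since the page does not show them.
SHOW_BEFORE = """FabricAdmin:switch> cryptocfg --show -decommissionedkeyids
AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4
0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0
"""
VENDOR_OUTPUT = """FabricAdmin:switch> cryptocfg --show -vendorspecific_keyid AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4
uuid = b7e07a6a-db64-40c2-883a-0bc6c4e923e6
"""
SHOW_AFTER = """FabricAdmin:switch> cryptocfg --show -decommissionedkeyids
0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0
"""

def parse_key_ids(show_output: str) -> list:
    """Key IDs found in a captured 'cryptocfg --show -decommissionedkeyids' listing."""
    return [m.group(0).upper() for m in KEY_ID_RE.finditer(show_output)]

def parse_vendor_uuid(vendor_output: str) -> Optional[str]:
    """Key vault uuid from captured 'cryptocfg --show -vendorspecific_keyid' output."""
    m = UUID_RE.search(vendor_output)
    return m.group(1).lower() if m else None

def reconcile(before: str, after: str, vault_deleted: set) -> dict:
    """Cross-check steps 3, 5 and 7: every key ID listed before the purge must have been
    deleted from the key vault, and none may still be listed on the switch afterwards."""
    listed = set(parse_key_ids(before))
    deleted = {k.upper() for k in vault_deleted}
    remaining = set(parse_key_ids(after))
    return {
        "not_deleted_from_vault": sorted(listed - deleted),
        "still_listed_on_switch": sorted(remaining),
        "complete": not remaining and listed <= deleted,
    }

if __name__ == "__main__":
    # The operator recorded only the first key ID as removed from the vault; the second is pending.
    print(reconcile(SHOW_BEFORE, SHOW_AFTER, {"AA:8B:91:B0:35:6F:DA:92:8A:72:B3:97:92:1B:CA:B4"}))
```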

NOTE

When a decommissioned LUN is reused and the decommissioned key IDs are listed using the
cryptocfg --show -decommissionedkeyids command, the entire list of decommissioned key IDs
since the first time the LUN was used is displayed.
