Supported operations on thin provisioned luns, Data rekeying, Thin provisioned lun limitations during rekey – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (SKM/ESKM), 53-1002923-01, Chapter 3 (Data rekeying), page 197

- The WRITE_SAME command is not supported for the unmap operation.

- Changing a LUN from thin provisioned to non-thin provisioned (or vice versa) is not allowed
  during a rekey operation. After changing the LUN type from thin provisioned to non-thin
  provisioned (or vice versa), LUN discovery must be performed so that the Brocade Encryption
  Switch learns about the change of type.

- Because the Windows host utility "sdelete -c" sends a WRITE command with zeros to unmap LBAs,
  and this is currently not supported on the Brocade Encryption Switch, this utility will not be
  able to unmap LBAs.

- Rekey temporarily uses the last 512 blocks of the LUN. As a result, the thin provisioned LUN
  marks these blocks as provisioned.

- The first 16 blocks of the LUN are mapped automatically (if they were unmapped) after the
  LUN has been configured as an encrypted LUN.

Supported operations on thin provisioned LUNs

The following operations are supported on thin provisioned (TP) LUNs:

- The UNMAP command (SCSI opcode 0x42) is supported during normal I/O operation.

- The INQUIRY command with page code 0xB2 (Thin Provisioning VPD) is supported; the Brocade
  Encryption Switch does not filter INQUIRY on this page code.

- The thin provisioning mode page with page code 0x1C and subpage code 0x02 is supported by the
  Brocade Encryption Switch.

Data rekeying

In a rekeying operation, encrypted data on a LUN is decrypted with the current key, re-encrypted
with a new key and written back to the same LUN at the same logical block address (LBA) location.
This process effectively re-encrypts the LUN and is referred to as “in-place rekeying.”

It is recommended that you limit rekeying to the following situations:

- Key compromise as a result of a security breach.

- As a general security policy, carried out infrequently, for example every six months or once
  per year.

Rekeying is only applicable to disk array LUNs or fixed block devices. There is no rekeying support
for tape media. If there is a need to re-encrypt encrypted tape contents with a new key, the process
is equivalent to restoring the data from tape backup. You decrypt the data with the old DEK and
subsequently back up the tape contents to tape storage, which will have the effect of encrypting
the data with the new DEK.

Thin provisioned LUN limitations during rekey

- The WRITE_SAME command is not supported for the unmap operation.

- The UNMAP command is rejected during a rekey.
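As an added example (not code from the Brocade guide or from the switch itself), the following Python model captures the rules stated in the thin provisioned LUN limitations, the supported-operations list and the rekey limitations above. The SCSI opcodes and page codes are the real values; the 4096-block LUN size, the DEK names, the result strings and the array-side bookkeeping are assumptions made for the model.

```python
# Added example (not from the Brocade guide): a toy model of how an encryption
# switch treats the thin-provisioning (TP) commands this page lists. Opcodes and
# page codes are the real SCSI values; the LUN size, DEK names, result strings
# and the array-side bookkeeping are simplifying assumptions.
UNMAP, WRITE_SAME_16, WRITE_16, INQUIRY, MODE_SENSE_10 = 0x42, 0x93, 0x8A, 0x12, 0x5A
TP_VPD_PAGE, TP_MODE_PAGE, TP_SUBPAGE = 0xB2, 0x1C, 0x02


class EncryptedThinLun:
    def __init__(self, num_blocks):
        self.num_blocks = num_blocks
        self.mapped = set()          # LBAs the array currently has provisioned
        self.dek = None              # None: LUN not yet configured for encryption
        self.pending_dek = None
        self.rekeying = False

    def enable_encryption(self, dek):
        # Page: the first 16 blocks are mapped automatically (if they were
        # unmapped) once the LUN is configured as an encrypted LUN.
        self.dek = dek
        self.mapped.update(range(16))

    def start_rekey(self, new_dek):
        # In-place rekey: data is decrypted with the old DEK and rewritten with
        # the new one at the same LBA. Page: rekey temporarily uses the last
        # 512 blocks, so the TP LUN ends up marking them as provisioned.
        self.rekeying, self.pending_dek = True, new_dek
        self.mapped.update(range(self.num_blocks - 512, self.num_blocks))

    def finish_rekey(self):
        self.dek, self.pending_dek, self.rekeying = self.pending_dek, None, False

    def handle(self, opcode, lba=0, count=0, page=None, subpage=None, unmap_bit=False):
        # Return the switch's disposition of one command under this page's rules.
        if opcode == UNMAP:
            if self.rekeying:
                return "REJECTED"           # UNMAP is rejected during a rekey
            self.mapped.difference_update(range(lba, lba + count))
            return "UNMAPPED"               # normal I/O: UNMAP (0x42) works
        if opcode == WRITE_SAME_16 and unmap_bit:
            return "NOT SUPPORTED"          # WRITE_SAME cannot be used to unmap
        if opcode == WRITE_16:
            # A WRITE of zeros (what "sdelete -c" issues) is an ordinary write
            # here: the blocks end up mapped rather than released.
            self.mapped.update(range(lba, lba + count))
            return "WRITTEN"
        if opcode == INQUIRY and page == TP_VPD_PAGE:
            return "PASSED THROUGH"         # switch does not filter VPD page 0xB2
        if opcode == MODE_SENSE_10 and (page, subpage) == (TP_MODE_PAGE, TP_SUBPAGE):
            return "PASSED THROUGH"         # TP mode page 0x1C, subpage 0x02
        return "UNMODELLED"
```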
