Brocade Fabric OS Command Reference (Supporting Fabric OS v7.3.0) User Manual
53-1003131-01
cryptoCfg
LUN policies are configured per HA or DEK cluster. For multi-path LUNs exposed 
through multiple target ports and thus configured on multiple CTCs on different 
EEs in an HA cluster or DEK cluster, the same LUN policies must be configured. 
Refer to the Fabric OS Administrator's Guide for more information. 
The following LUN policy parameters can be optionally set:
-lunstate encrypted | cleartext
Sets the encryption state of a specified disk LUN. When set to encrypted, 
metadata on the LUN containing the key ID of the DEK that was used for 
encrypting the LUN is used to retrieve the DEK from the key vault. If the LUN state 
is not specified, the default state is cleartext. This operand is not valid for tape 
LUNs. 
-keyID keyID
Specifies the Key ID. Use this operand only if the LUN was encrypted but does not 
include the metadata containing the Key ID for the LUN. This is a rare case for 
LUNs encrypted in Brocade native mode. However, for LUNs encrypted with 
DataFort v2.0, a Key ID is required, because these LUNs do not contain any 
metadata. This operand is not valid for tape LUNs.
-encryption_format native | DF_compatible
Specifies the LUN encryption format. Two encryption formats are supported:
native
The LUN uses the Brocade metadata format and algorithm for the encryption 
and decryption of data. This is the default mode.
DF_compatible
The LUN uses the NetApp DataFort metadata format and algorithm for the 
encryption and decryption of data. Use of this format requires a NetApp 
DataFort-compatible license to be present on the encryption switch or the 
chassis that houses the encryption blade.
-encrypt | -cleartext
Enables or disables the LUN for encryption. By default, cleartext is enabled (no 
encryption). When the LUN policy is changed from encrypt to cleartext, the 
following policy parameters become disabled (default) and generate errors when 
executed: -enable_encexistingdata, -enable_rekey, and -key_lifespan. When 
a LUN is added in DF-compatible encryption format, -cleartext is rejected as 
invalid.
-enable_encexistingdata | -disable_encexistingdata
Specifies whether or not existing data should be encrypted. The encryption policy 
must be enabled on the LUN before the -enable_encexistingdata parameter can 
be set, and the LUN state must be set to -cleartext. By default, encryption of 
existing data is disabled. If the LUN policy is set to -encrypt, the encryption of 
existing data must be enabled, or existing data is not preserved. This policy is not 
valid for tape LUNs. 
-enable_rekey time_period | -disable_rekey
Enables or disables the auto rekeying capability on the specified disk LUN. This 
operand is not valid for tape LUNs. By default, the automatic rekey feature is 
disabled. Enabling automatic rekeying is valid only if the LUN policy is set to 
encrypt. You must specify a time_period in days when enabling auto rekeying to 
indicate the interval at which automatic rekeying should take place. 
-key_lifespan time_in_days | none
Specifies the lifespan of the encryption key in days. The key will expire after the 
specified number of days. Accepted values are integers from 1 to 2982616. The 
default value is none, which means the key does not expire. This operand is valid 
only for tape LUNs. The key lifespan cannot be modified after it is set.
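
The operand rules above interact (disk-only and tape-only operands, operands that require the encrypt policy, the DF_compatible restriction), so a planned policy can be checked before it is applied. The following lint is an added example, not part of the Brocade manual or Fabric OS. The function name `lint_lun_policy`, the dictionary representation of operands, and the requirement that the rekey period be a positive integer are assumptions; it does not build or run any switch command.

```python
# Added example: lint LUN policy operands against the rules on this page.
KEY_LIFESPAN_MAX = 2982616  # upper bound stated for -key_lifespan
DISK_ONLY = ("-lunstate", "-keyID", "-enable_encexistingdata",
             "-disable_encexistingdata", "-enable_rekey", "-disable_rekey")

def lint_lun_policy(lun_type, opts):
    """lun_type is 'disk' or 'tape'; opts maps operand -> value (True for flags).
    Returns violation strings; entries starting 'warning:' are data-loss caveats."""
    out = []
    encrypting = "-encrypt" in opts                 # default policy is cleartext
    fmt = opts.get("-encryption_format", "native")  # default format is native
    lunstate = opts.get("-lunstate", "cleartext")   # default LUN state is cleartext
    if encrypting and "-cleartext" in opts:
        out.append("-encrypt and -cleartext are alternatives; give only one")
    if fmt not in ("native", "DF_compatible"):
        out.append(f"unknown -encryption_format {fmt!r}")
    if fmt == "DF_compatible" and "-cleartext" in opts:
        out.append("-cleartext is rejected for DF_compatible LUNs")
    if lun_type == "tape":
        out += [f"{o} is not valid for tape LUNs" for o in DISK_ONLY if o in opts]
    elif "-key_lifespan" in opts:
        out.append("-key_lifespan is valid only for tape LUNs")
    if not encrypting:
        out += [f"{o} requires the -encrypt policy"
                for o in ("-enable_encexistingdata", "-enable_rekey", "-key_lifespan")
                if o in opts]
    if "-enable_encexistingdata" in opts and lunstate != "cleartext":
        out.append("-enable_encexistingdata requires LUN state cleartext")
    days = opts.get("-enable_rekey")
    if "-enable_rekey" in opts and not (type(days) is int and days > 0):
        out.append("-enable_rekey needs a time_period in days")  # >0 is assumed
    span = opts.get("-key_lifespan", "none")
    if span != "none" and not (type(span) is int and 1 <= span <= KEY_LIFESPAN_MAX):
        out.append(f"-key_lifespan must be none or 1..{KEY_LIFESPAN_MAX}")
    if (lun_type == "disk" and encrypting and lunstate == "cleartext"
            and "-enable_encexistingdata" not in opts):
        out.append("warning: existing data is not preserved without "
                   "-enable_encexistingdata")
    return out

# Constructed sample policies, not taken from a real switch configuration.
if __name__ == "__main__":
    samples = [("disk", {"-encrypt": True, "-enable_rekey": 90}),
               ("disk", {"-encryption_format": "DF_compatible", "-cleartext": True}),
               ("tape", {"-encrypt": True, "-key_lifespan": 365, "-lunstate": "encrypted"})]
    for lun_type, opts in samples:
        print(lun_type, opts, "->", lint_lun_policy(lun_type, opts) or "ok")
```

An empty list means the operand set is consistent with the rules stated on this page; the switch remains the authority on what it accepts.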