Table 6 – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

53-1002925-01

Crypto LUN configuration


The tape policies specified at the LUN configuration level take effect if you do not create tape pools
or configure policies at the tape pool level. The Brocade encryption solution supports up to a 1 MB
block size for tape encryption. Also, the Logical Block Address (LBA) 0 block size (I/O size from the
host) must be at least 1 K less than the maximum supported backend block size (usually 1 MB).
This is typically the case, as label operations are small I/O operations. If this support requirement
is not met, the Brocade encryption solution will not allow the backup operation to that tape to start.

NOTE

LBA 0 is not encrypted. Data sent to this block address is always sent as clear text.

TABLE 6    LUN parameters and policies

Policy name: LUN state
Disk LUN: Yes    Tape LUN: No    Modify? No
Command parameters: -lunstate encrypted | cleartext
Description: Sets the encryption state for the LUN. Valid values are:
    cleartext - Default LUN state. Refer to policy configuration
    considerations for compatibility with other policy settings.
    encrypted - Metadata on the LUN containing the key ID of the
    DEK that was used for encrypting the LUN is used to retrieve
    the DEK from the key vault. DEKs are used for encrypting and
    decrypting the LUN.

Policy name: Key ID
Disk LUN: Yes    Tape LUN: No    Modify? No
Command parameters: -keyID Key_ID
Description: Specifies the key ID. Use this option only if the LUN was encrypted
but does not include the metadata containing the key ID for the
LUN. This is a rare case for LUNs encrypted in Native (Brocade)
mode. However, for LUNs encrypted with DataFort v2.0, a key ID is
required, because these LUNs do not contain any metadata.

Policy name: Encryption format
Disk LUN: Yes    Tape LUN: Yes    Modify? Yes
Command parameters: -encryption_format native | DF_compatible
Description: Sets the encryption format. Valid values are:
    Native - The LUN is encrypted or decrypted using the Brocade
    encryption format (metadata format and algorithm). This is
    the default setting.
    DF_compatible - The LUN is encrypted or decrypted using the
    NetApp DataFort encryption format (metadata format and
    algorithm). Use of this format requires a NetApp
    DataFort-compatible license.
On tapes written in DataFort format, the encryption switch or blade
cannot read and decrypt files with a block size of 1 MB or greater.

Policy name: Encryption policy
Disk LUN: Yes    Tape LUN: Yes    Modify? Yes
Command parameters: -encrypt | -cleartext
Description: Enables or disables a LUN for encryption. Valid values are:
    cleartext - Encryption is disabled. This is the default setting.
    When the LUN policy is set to cleartext, the following policy
    parameters are invalid and generate errors when executed:
    -enable_encexistingdata, -enable_rekey, and -key_lifespan.
    When a LUN is added in DataFort-compatible encryption format,
    cleartext is not a valid policy option.
    encrypt - The LUN is enabled to perform encryption.

Policy name: Existing data encryption
Disk LUN: Yes    Tape LUN: No    Modify? Yes
Command parameters: -enable_encexistingdata | -disable_encexistingdata
Description: Specifies whether or not existing data on the LUN should be
encrypted. By default, encryption of existing data is disabled.
Encryption policy must be set to -enable_encexistingdata, and
the LUN state must be set to cleartext (default). If the encryption
policy is cleartext, the existing data on the LUN will be overwritten.
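A pre-flight check that applies the Table 6 constraints and the tape block-size requirements to a proposed option set before it is submitted. This is an added example, not code from the guide or from Fabric OS; the function name, the dictionary input shape and the sample values are assumptions, and an omitted option is treated as the default the table states.

```python
KIB = 1024                     # assumption: the guide's "1 K" means 1024 bytes
MAX_TAPE_BLOCK = 1024 * KIB    # guide: tape encryption supports up to a 1 MB block

# Options Table 6 marks "Tape LUN: No".
DISK_ONLY = {"-lunstate", "-keyID",
             "-enable_encexistingdata", "-disable_encexistingdata"}
# Options the table says are invalid while the policy is cleartext.
NEEDS_ENCRYPT = {"-enable_encexistingdata", "-enable_rekey", "-key_lifespan"}


def check_lun_options(lun_type, opts, block_size=None, lba0_io_size=None,
                      max_backend_block=MAX_TAPE_BLOCK):
    """Return the Table 6 rules violated by a proposed option set.

    opts maps option names to values (None for bare flags); sizes are bytes.
    """
    problems = []
    fmt = opts.get("-encryption_format", "native")             # default: native
    policy = "encrypt" if "-encrypt" in opts else "cleartext"  # default: cleartext
    state = opts.get("-lunstate", "cleartext")                 # default: cleartext

    if policy == "cleartext":
        for opt in sorted(NEEDS_ENCRYPT & opts.keys()):
            problems.append(f"{opt} is invalid with the cleartext policy")
    if fmt == "DF_compatible" and policy == "cleartext":
        problems.append("cleartext policy is not valid with DF_compatible format")
    if "-enable_encexistingdata" in opts and state != "cleartext":
        problems.append("-enable_encexistingdata requires LUN state cleartext")

    if lun_type == "tape":
        for opt in sorted(DISK_ONLY & opts.keys()):
            problems.append(f"{opt} is not supported on tape LUNs")
        if block_size is not None and block_size > MAX_TAPE_BLOCK:
            problems.append("tape block size exceeds the 1 MB maximum")
        if fmt == "DF_compatible" and block_size is not None and block_size >= MAX_TAPE_BLOCK:
            problems.append("DataFort-format tape blocks of 1 MB or more cannot be read")
        if lba0_io_size is not None and lba0_io_size > max_backend_block - KIB:
            problems.append("LBA 0 I/O size must be at least 1 K below the backend maximum")
    return problems


if __name__ == "__main__":
    # Constructed sample: a disk LUN that asks for rekey but never sets -encrypt.
    sample = {"-encryption_format": "native", "-enable_rekey": None, "-key_lifespan": "90"}
    for line in check_lun_options("disk", sample):
        print("REJECT:", line)
```

An empty list means the option set is consistent with the rules on this page only; it does not check license state or key vault connectivity.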
