Table 23 – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (LKM/SSKM)
53-1002925-01
DF-compatibility support for disk LUNs
TABLE 23
Support matrix for disk LUNs for various configuration and modify options
| LUN encryption format | LUN state | LUN policy | Encrypt existing data | Key ID | Metadata on LUN | Results |
|---|---|---|---|---|---|---|
| Native (Brocade) | Encrypted | Encrypt | NA when LUN State = encrypt | NA | Yes | No error. If the LUN was previously DF-encrypted, the LUN is set to Read Only until you either remove the LUN and add it back with the native Brocade encryption format, or issue the runtime CLI command to force the change. |
| Native (Brocade) | Encrypted | Encrypt | NA when LUN State = encrypt | None | No | The data encryption key is retrieved from the key vault based on the LUN serial number, and used for further encryption and decryption. An attempt is made to write the metadata. If the key cannot be retrieved for this LUN based on the LUN serial number, then the LUN is disabled for encryption. You need to either modify the LUN state to cleartext or provide the key ID in the LUN setup. You can also use the runtime cryptocfg --enable -LUN command to force the change, in which case a new key is generated and an attempt is made to write metadata. |
| Native (Brocade) | Encrypted | Encrypt | NA when LUN State = encrypt | Provided | No | No error. |
| Native (Brocade) | Encrypted | Cleartext | NA when LUN State = encrypt | NA | Yes | The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state. You need to either modify the LUN policy to encrypt, or use the runtime cryptocfg --enable -LUN command to force the change from encrypt to cleartext. |
| Native (Brocade) | Encrypted | Cleartext | NA when LUN State = encrypt | None | No | No error. |
| Native (Brocade) | Encrypted | Cleartext | NA when LUN State = encrypt | Provided | No | The KeyID is not valid when this combination is used in cryptocfg --modify -LUN. When issuing cryptocfg --add -LUN, this is an invalid combination. |
| Native (Brocade) | Cleartext | Encrypt | Yes | NA | Yes | The LUN is disabled for encryption. Metadata is present on the LUN and the LUN is in encrypted state. You need to either modify the LUN state to “encrypted” or use the runtime cryptocfg --enable -LUN command to force the change from the current state of the LUN to encrypt. |
| Native (Brocade) | Cleartext | Encrypt | Yes | None | No | No error. First time encryption started to convert the LUN from cleartext to encrypt. |
| Native (Brocade) | Cleartext | Encrypt | Yes | Provided | No | No Error. Key ID is ignored. |