Dell POWEREDGE M1000E User Manual

182

Fabric OS Command Reference

53-1002746-01

cryptoCfg

2

cryptocfg --show -mkexported_keyids key_id

cryptocfg --show -groupcfg

cryptocfg --show -groupmember -all | node_WWN

cryptocfg --show -egstatus -cfg | -stat

cryptocfg --sync -encgroup

cryptocfg --sync -securitydb

cryptocfg --perfshow [slot] [-tx | -rx | -tx -rx] [-t interval]

DESCRIPTION

Use these cryptoCfg commands to create or delete an encryption group, to add or remove group
member nodes, key vaults, and authentication cards, to enable or disable system cards, to enable
quorum authentication and set the quorum size, to manage keys including key recovery from backup, to
configure group-wide policies, and to sync the encryption group databases.

An encryption group is a collection of encryption engines that share the same key vault and are managed
as a group. All EEs in a node are part of the same encryption group. An encryption group can include up
to four nodes, and each node can contain up to four encryption engines. The maximum number of EEs
per encryption group is sixteen (four per member node).

With the exception of the --help and --show commands, all group configuration functions must be
performed from the designated group leader. The encryption switch or blade on which you create the
encryption group becomes the designated group leader. The group leader distributes all relevant
configuration data to the member nodes in the encryption group.

The groupCfg commands include three display options that show group configuration, runtime status,
and group member information. Refer to the Appendix of the Fabric OS Encryption Administrator's Guide
for a more comprehensive explanation of system states.

Use the --show -groupcfg command to display encryption group and member configuration
parameters, including the following parameters:

•

Encryption group name: user-defined label

•

Encryption group policies:

-

Failback mode: Auto or Manual

-

Replication mode: Enabled or Disabled

-

Heartbeat misses: numeric value

-

Heartbeat timeout: value in seconds

-

Key Vault Type: LKM, DPM, SKM, TEKA, KMIP, or TKLM

-

System Card: Disabled or Enabled

•

For each configured key vault, primary and secondary, the command shows:

-

IP address: The key vault IP address

-

Certificate ID: the key vault certificate name

-

State: connected, disconnected, up, authentication failure, or unknown.

-

Type: LKM, DPM, SKM, TEKA, or TKLM
If an SKM key vault is configured in HA mode, no connection information is displayed because
the system is unable to detect the connection status of an SKM appliance in an HA
configuration.