Dell POWEREDGE M1000E User Manual

Fabric OS Command Reference

53-1001764-02

cryptoCfg

--leave_encryption_group

Clears the node's states pertaining to the node's membership in the
encryption group. This command is invoked from the member node that is to
be ejected from the encryption group. The node must be online (in
DISCOVERED state) for this command to succeed. To remove a node that is
not online (in DISCOVERING state), use --dereg -membernode.

If there are CryptoTarget container/LUN configurations on the node and the
encryption engines of this node are part of any HA Cluster configuration, this
command prompts you to either continue leaving the encryption group while
retaining the configuration, or to abort the leave operation. It is
recommended that you remove the EEs from the HA cluster and delete any
CryptoTarget container and Crypto LUN configurations from this node prior to
initiating a leave operation.

--genmasterkey

Generates a master key. A master key is needed when an opaque key vault
such as RKM is used. The master key must be exported (backed up) before it
may be used. This command is valid only on the group leader. Only one
master key per key vault is needed for the entire encryption group. When a
master key is generated and a master key exists, the current master key
becomes the alternate master key and the newly generated master key
becomes the current master key.

--exportmasterkey

Exports the current master key encrypted in a key generated from a specified
pass phrase. By default this command backs up the key to the attached key
vaults, or optionally to a predetermined file on the switch. This command is
valid only on the group leader. This command prompts for a pass phrase.

passphrase

Specifies the pass phrase for the master key encryption. A pass phrase must
be between 8 and 40 characters in length and can contain any character
combination. Make a note of the pass phrase, because the same pass
phrase is required to restore the master key from backup. This operand is
required.

-file

Stores the encrypted master key in a predetermined file on the switch. This
operand is optional. If the -file operand is not specified, the encrypted master
key is stored in the attached key vaults, and a key ID uniquely identifying the
encrypted master key is displayed. Make a note of the key ID, because the
same key ID is required to restore the master key from backup.

--recovermasterkey

Restores the master key from backup. This command is valid only on the
group leader. This command prompts for a pass phrase:

passphrase

Specifies the pass phrase for recovering the master key. The pass phrase
must be the same pass phrase that was used to back up the master key with the
--exportmasterkey command.

currentMK | alternateMK

Specifies whether the master key should be restored to the current position
or the alternate position. This command replaces the specified existing
master key and should be exercised with caution. A master key is typically
restored to the alternate position to enable decryption of older data
encryption keys (DEKs) that were encrypted in that master key.
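
The rotation and restore behavior described above for genmasterkey, exportmasterkey and recovermasterkey, as an added Python model (not Fabric OS code and not part of the original manual). It shows why a backup restored to the alternate position recovers DEKs wrapped under a master key that later rotations pushed out of both positions. GroupLeader, kek, wrap, unwrap and demo are hypothetical names, and PBKDF2 and the HMAC keystream cipher are stand-ins assumed for the demo; the manual does not name the switch's algorithms.

```python
import hashlib, hmac, os

def _xor(key, data):  # demo-only stand-in cipher, not the switch's algorithm
    ks = b"".join(hmac.new(key, bytes([i]), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(key, secret):
    ct = _xor(key, secret)
    return hmac.new(key, b"tag" + ct, hashlib.sha256).digest() + ct

def unwrap(key, blob):
    tag, ct = blob[:32], blob[32:]
    good = hmac.new(key, b"tag" + ct, hashlib.sha256).digest()
    return _xor(key, ct) if hmac.compare_digest(tag, good) else None

def kek(passphrase, salt):  # 8-40 rule is the manual's; PBKDF2 is an assumed KDF
    if not 8 <= len(passphrase) <= 40:
        raise ValueError("pass phrase must be 8 to 40 characters")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

class GroupLeader:  # hypothetical model of the two master key positions
    current = alternate = None

    def genmasterkey(self):
        self.alternate, self.current = self.current, os.urandom(32)  # old current -> alternate

    def exportmasterkey(self, passphrase):
        salt = os.urandom(16)
        return salt + wrap(kek(passphrase, salt), self.current)

    def recovermasterkey(self, position, passphrase, backup):
        mk = unwrap(kek(passphrase, backup[:16]), backup[16:])
        if mk is None or position not in ("current", "alternate"):
            raise ValueError("bad pass phrase, backup or position")
        setattr(self, position, mk)  # replaces the key already in that position

    def unwrap_dek(self, blob):  # None: wrapped under a key held in neither position
        found = (unwrap(mk, blob) for mk in (self.current, self.alternate) if mk)
        return next((dek for dek in found if dek is not None), None)

def demo(pw="constructed-passphrase"):  # constructed pass phrase and DEK
    gl = GroupLeader()
    gl.genmasterkey()
    backup, old_dek = gl.exportmasterkey(pw), wrap(gl.current, b"D" * 32)
    for _ in range(2):  # two rotations: the first key is now in neither position
        gl.genmasterkey()
    lost = gl.unwrap_dek(old_dek)
    gl.recovermasterkey("alternate", pw, backup)
    return lost, gl.unwrap_dek(old_dek)
```

demo() returns the result of unwrapping the old DEK before and after the restore: None first, then the original 32 bytes.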