How it Works
Brocade Communications Systems
Loading...
Brocade BladeSystem 4/12
Administrator's Manual
248 pgs3.19 Mb0
Administrator's Manual
62 pgs538.43 Kb0
Administrator's Manual
86 pgs1.09 Mb0
Command Reference Manual
746 pgs4.35 Mb0
User Manual
23 pgs839.4 Kb0

Brocade Communications Systems 1606, 8/24, 8/40, 8/8, 8/80 Administrator's Manual

...
53-1001864-01
53-1001864-01 March 30, 2010
Fabric OS Encryption
®
Administrator’s Guide
Supporting Fabric OS v6.4.0, Supporting HP StorageWorks Secure Key Manager (SKM) Environments
Copyright © 2008-2010 Brocade Communications Systems, Inc. All Rights Reserved.
Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 1745 Technology Drive San Jose, CA 95110 Tel: 1-408-333-8000 Fax: 1-408-333-8101 E-mail: info@brocade.com
European Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour B - 4ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 5640 Fax: +41 22 799 5641 E-mail: emea-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems China HK, Ltd. No. 1 Guanghua Road Chao Yang District Units 2718 and 2818 Beijing 100020, China Tel: +8610 6588 8888 Fax: +8610 6588 9999 E-mail: china-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Citic Plaza No. 233 Tian He Road North Unit 1308 – 13th Floor Guangzhou, China Tel: +8620 3891 2000 Fax: +8620 3891 2111 E-mail: china-info@brocade.com
Document History
Title Publication number Summary of changes Date
Fabric OS Encryption Administrator’s Guide
Fabric OS Encryption Administrator’s Guide
Fabric OS Encryption Administrator’s Guide
Fabric OS Encryption Administrator’s Guide
Fabric OS Encryption Administrator’s Guide
Fabric OS Encryption Administrator’s Guide
Fabric OS Encryption Administrator’s Guide
Fabric OS Encryption Administrator’s Guide
Fabric OS Encryption Administrator’s Guide
53-1001114-01 New document. August 2008
53-1001114-02 Revised document to
include additional best practices.
53-1001114-03 Revised document to
include new performance licensing information.
53-1001201-01 Revised document for
Fabric OS version 6.2.0.
53-1001201-02 Revised document to
synchronize with DCFM version 10.1.0.
53-1001201-03 Revised document to
incorporate changes to key manager software procedures.
53-1001341-01 Revised document for Fabric
OS version 6.3.0.
53-1001341-02 Revised document to
incorporate support for Virtual Fabrics, KAC login information for HP and Thales key vaults, and other various updates.
53-1001864-01 Revised document for Fabric
OS version 6.4.0. Began the practice of creating separate manuals for each supported Key Manager. This is the SKM manual.
September 2008
September 2008
November 2008
December 2008
March 2009
July 2009
August 2009
March 2010
Fabric OS Encryption Administrator’s Guide iii 53-1001864-01
iv Fabric OS Encryption Administrator’s Guide
53-1001864-01
Contents
About This Document
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
How this document is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
What’s new in this document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Document conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Additional information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Getting technical help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xvii
Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Chapter 1 Encryption overview
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Host and LUN considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
The Brocade encryption switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
The FS8-18 blade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Performance licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Adding a license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Licensing best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Recommendation for connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Usage limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Brocade encryption solution overview. . . . . . . . . . . . . . . . . . . . . . . . . 7
Data flow from server to storage . . . . . . . . . . . . . . . . . . . . . . . . . 8
Data encryption key life cycle management . . . . . . . . . . . . . . . . . . . . 9
Key management systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Master key management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Master key generation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Master key backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Support for Virtual Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Fabric OS Encryption Administrator’s Guide v 53-1001864-01
Chapter 2 Encryption configuration using the Management application
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Encryption Center features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Encryption user privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Smart card usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Registering authentication cards from a card reader . . . . . . . . 16
Registering authentication cards from the database . . . . . . . . 17
De-registering an authentication card . . . . . . . . . . . . . . . . . . . .18
Using authentication cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Enabling or disabling the system card requirement . . . . . . . . . 19
Registering system cards from a card reader . . . . . . . . . . . . . .19
De-registering a system card. . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Tracking smart cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Editing smart cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Configuring blade processor links . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Encryption node initialization and certificate generation. . . . . . . . .23
Steps for connecting to an SKM appliance . . . . . . . . . . . . . . . . . . . .24
Configuring a Brocade group on SKM . . . . . . . . . . . . . . . . . . . . 25
Registering the SKM Brocade group
user name and password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Setting up the local Certificate Authority (CA) on SKM . . . . . . .27
Downloading the local CA certificate from SKM . . . . . . . . . . . .28
Creating and installing the SKM server certificate . . . . . . . . . . 28
Enabling SSL on the Key Management System
(KMS) Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Creating an SKM High Availability cluster . . . . . . . . . . . . . . . . .30
Copying the local CA certificate for a
clustered SKM appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Adding SKM appliances to the cluster . . . . . . . . . . . . . . . . . . . . 31
Signing the Brocade encryption node KAC certificates. . . . . . .32
Importing a signed KAC certificate into a switch . . . . . . . . . . . . 32
Gathering information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Creating a new encryption group . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Adding a switch to an encryption group. . . . . . . . . . . . . . . . . . . . . . . 41
Replacing an encryption engine in an encryption group . . . . . . . . . 45
Creating high availability (HA) clusters . . . . . . . . . . . . . . . . . . . . . . . 46
Removing engines from an HA cluster . . . . . . . . . . . . . . . . . . . .47
Swapping engines in an HA cluster . . . . . . . . . . . . . . . . . . . . . . 48
Failback option. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Invoking failback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
vi Fabric OS Encryption Administrator’s Guide
Adding encryption targets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Configuring hosts for encryption targets . . . . . . . . . . . . . . . . . . . . . . 56
Adding target disk LUNs for encryption . . . . . . . . . . . . . . . . . . . . . . . 57
53-1001864-01
Adding Target Tape LUNs for encryption . . . . . . . . . . . . . . . . . . . . . .59
Configuring encrypted tape storage in a
multi-path environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Re-balancing the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . .61
Master keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Active master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Alternate master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Master key actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Reasons master keys can be disabled . . . . . . . . . . . . . . . . . . . .63
Saving the master key to a file . . . . . . . . . . . . . . . . . . . . . . . . . .63
Saving a master key to a key vault . . . . . . . . . . . . . . . . . . . . . . . 65
Saving a master key to a smart card set . . . . . . . . . . . . . . . . . .66
Restoring a master key from a file . . . . . . . . . . . . . . . . . . . . . . .68
Restoring a master key from a key vault . . . . . . . . . . . . . . . . . . 69
Restoring a master key from a smart card set. . . . . . . . . . . . . .70
Creating a new master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Zeroizing an encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Encryption Targets dialog box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Disk device decommissioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Decommissioning LUNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Displaying and deleting decommissioned key IDs. . . . . . . . . . .77
Viewing and editing switch encryption properties . . . . . . . . . . . . . .77
Exporting the public key certificate signing request (CSR) from
Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Importing a signed public key certificate from Properties . . . .80
Enabling the encryption engine state from Properties . . . . . . . 81
Viewing and editing group properties . . . . . . . . . . . . . . . . . . . . . . . . 81
General tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Members tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Consequences of removing an encryption switch . . . . . . . . . . .84
Security tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
HA Clusters tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Engine Operations tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Tape Pools tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Encryption-related acronyms in log messages . . . . . . . . . . . . . . . . .90
Chapter 3 Configuring Brocade encryption using the CLI
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Command validation checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Command RBAC permissions and AD types . . . . . . . . . . . . . . . . . . .93
Cryptocfg Help command output . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Fabric OS Encryption Administrator’s Guide vii 53-1001864-01
Management LAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring cluster links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Special consideration for blades . . . . . . . . . . . . . . . . . . . . . . . .98
IP Address change of a node within an encryption group. . . . . 99
Steps for connecting to an SKM appliance . . . . . . . . . . . . . . . . . . .100
Configuring a Brocade group. . . . . . . . . . . . . . . . . . . . . . . . . . .100
Setting up the local Certificate Authority (CA) . . . . . . . . . . . . .100
Downloading the local CA certificate . . . . . . . . . . . . . . . . . . . .102
Creating and installing the SKM server certificate . . . . . . . . .102
Enabling SSL on the Key Management System
(KMS) Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Creating an SKM High Availability cluster . . . . . . . . . . . . . . . .104
Copying the local CA certificate. . . . . . . . . . . . . . . . . . . . . . . . .104
Adding SKM appliances to the cluster . . . . . . . . . . . . . . . . . . .105
Initializing the Brocade encryption engines . . . . . . . . . . . . . . .106
Registering the SKM Brocade group
user name and password . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Signing the Brocade encryption node KAC certificates. . . . . .108
Registering SKM on a Brocade encryption group leader . . . .109
Generating and backing up the master key . . . . . . . . . . . . . . . . . .111
High Availability (HA) cluster configuration . . . . . . . . . . . . . . . . . . .113
HA cluster configuration rules. . . . . . . . . . . . . . . . . . . . . . . . . .113
Creating an HA cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Adding an encryption engine to an HA cluster. . . . . . . . . . . . .114
Failover/failback policy configuration. . . . . . . . . . . . . . . . . . . .115
Enabling the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Checking encryption engine status . . . . . . . . . . . . . . . . . . . . .116
Zoning considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Setting default zoning to no access . . . . . . . . . . . . . . . . . . . . .117
Frame redirection zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
Creating an initiator - target zone . . . . . . . . . . . . . . . . . . . . . . .118
CryptoTarget container configuration . . . . . . . . . . . . . . . . . . . . . . .121
LUN re-balancing when hosting both disk and tape . . . . . . . .122
Creating a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . .123
Removing an initiator from a CryptoTarget container . . . . . . .125
Deleting a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . .125
Moving a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . . .126
Crypto LUN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Discovering a LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Configuring a Crypto LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Crypto LUN parameters and policies . . . . . . . . . . . . . . . . . . . .129
Configuring a tape LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Modify example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Removing a LUN from a CryptoTarget container . . . . . . . . . . .133
Modifying Crypto LUN parameters . . . . . . . . . . . . . . . . . . . . . .134
LUN modification considerations . . . . . . . . . . . . . . . . . . . . . . .134
Impact of tape LUN configuration changes . . . . . . . . . . . . . . .135
Force-enabling a disabled disk LUN for encryption . . . . . . . . .135
Decommissioning LUNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
viii Fabric OS Encryption Administrator’s Guide
53-1001864-01
Tape pool configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Tape pool labeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Creating a tape pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Deleting a tape pool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Modifying a tape pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Impact of tape pool configuration changes . . . . . . . . . . . . . . .140
Configuring a multi-path Crypto LUN . . . . . . . . . . . . . . . . . . . . . . . . 141
Multi-path LUN configuration example. . . . . . . . . . . . . . . . . . . 141
First time encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Resource allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
First time encryption modes . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Configuring a LUN for first time encryption . . . . . . . . . . . . . . .145
Data re-keying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Resource Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Re-keying modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Configuring a LUN for automatic re-keying. . . . . . . . . . . . . . . .147
Initiating a manual re-key session . . . . . . . . . . . . . . . . . . . . . .148
Suspension and resumption of re-keying operations . . . . . . .149
Chapter 4 Deployment Scenarios
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Single encryption switch, two paths from host to target . . . . . . . .152
Single fabric deployment - HA cluster . . . . . . . . . . . . . . . . . . . . . . .153
Single fabric deployment - DEK cluster . . . . . . . . . . . . . . . . . . . . . .154
Dual fabric deployment - HA and DEK cluster. . . . . . . . . . . . . . . . .155
Multiple paths, one DEK cluster, and two HA clusters . . . . . . . . . .156
Multiple paths, DEK cluster, no HA cluster . . . . . . . . . . . . . . . . . . .158
Deployment in Fibre Channel routed fabrics. . . . . . . . . . . . . . . . . .159
Deployment as part of an edge fabric . . . . . . . . . . . . . . . . . . . . . . .161
Deployment with FCIP extension switches . . . . . . . . . . . . . . . . . . .162
VmWare ESX server deployments . . . . . . . . . . . . . . . . . . . . . . . . . .163
Chapter 5 Best Practices and Special Topics
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Firmware download considerations. . . . . . . . . . . . . . . . . . . . . . . . .166
Firmware Upgrades and Downgrades . . . . . . . . . . . . . . . . . . .166
Specific guidelines for HA clusters . . . . . . . . . . . . . . . . . . . . . .167
Fabric OS Encryption Administrator’s Guide ix 53-1001864-01
Configuration upload and download considerations . . . . . . . . . . .168
Configuration Upload at an encryption group leader node . . .168 Configuration upload at an encryption group member node .168
Information not included in an upload . . . . . . . . . . . . . . . . . . .168
Steps before configuration download. . . . . . . . . . . . . . . . . . . .169
Configuration download at the encryption group leader. . . . .169
Configuration download at an encryption group member . . .169
Steps after configuration download . . . . . . . . . . . . . . . . . . . . .170
HP-UX considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Enable of a disabled LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Disk metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Tape metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Tape data compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Tape pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Tape block zero handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Tape key expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
DF compatibility for tapes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
DF compatibility for disk LUNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Configuring CryptoTarget containers and LUNs . . . . . . . . . . . . . . . 174
Redirection zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Deployment with Admin Domains (AD) . . . . . . . . . . . . . . . . . . . . . .175
Master key usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Do not use DHCP for IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . .175
Ensure uniform licensing in HA clusters . . . . . . . . . . . . . . . . . . . . .175
Tape library media changer considerations . . . . . . . . . . . . . . . . . . 176
Turn off host-based encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Avoid double encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
PID failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Turn off compression on extension switches . . . . . . . . . . . . . . . . . 176
Re-keying best practices and policies . . . . . . . . . . . . . . . . . . . . . . .177
Manual re-key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Latency in re-key operations . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Allow re-key to complete before deleting a container . . . . . . .177
Re-key operations and firmware upgrades . . . . . . . . . . . . . . .177
Do not change LUN configuration while re-keying . . . . . . . . . .178
Brocade native mode in LKM installations . . . . . . . . . . . . . . .178
Recommendation for Host I/O traffic during
online rekeying and first time encryption. . . . . . . . . . . . . . . . .178
x Fabric OS Encryption Administrator’s Guide
Changing IP addresses in encryption groups . . . . . . . . . . . . . . . . .178
Disabling the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Recommendations for Initiator Fan-Ins . . . . . . . . . . . . . . . . . . . . . .179
53-1001864-01
Best practices for host clusters in an encryption environment . . .180
HA Cluster Deployment Considerations and Best Practices . . . . .180
Chapter 6 Maintenance and Troubleshooting
In this Chapter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Encryption group and HA cluster maintenance. . . . . . . . . . . . . . . .181
Removing a node from an encryption group . . . . . . . . . . . . . .181
Deleting an encryption group . . . . . . . . . . . . . . . . . . . . . . . . . .183
Removing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .184
Displaying the HA cluster configuration . . . . . . . . . . . . . . . . . .184
Replacing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .185
Deleting an HA cluster member . . . . . . . . . . . . . . . . . . . . . . . .188
Performing a manual failback of an encryption engine . . . . .188
Encryption group merge and split use cases. . . . . . . . . . . . . .189
Configuration impact of encryption group split
or node isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
General encryption troubleshooting I . . . . . . . . . . . . . . . . . . . . . . .195
Troubleshooting examples using the CLI . . . . . . . . . . . . . . . . . . . . .198
Encryption Enabled Crypto Target LUN. . . . . . . . . . . . . . . . . . .198
Encryption Disabled Crypto Target LUN . . . . . . . . . . . . . . . . . .199
Management application encryption wizard troubleshooting . . . .200
Errors related to adding a switch to an existing group . . . . . . . . . .200
Errors related to adding a switch to a new group . . . . . . . . . .201
General errors related to the Configure Switch
Encryption wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
LUN policy troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Loss of encryption group leader after power outage . . . . . . . . . . .205
MPIO and internal LUN states . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Suspension and resumption of re-keying operations . . . . . . .206
Appendix A State and Status Information
In this appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Encryption engine security processor (SP) states. . . . . . . . . . . . . .209
Security processor KEK status. . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Encrypted LUN states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Appendix B LUN Policies
Fabric OS Encryption Administrator’s Guide xi 53-1001864-01
In this appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
DF-compatibility support for disk LUNs . . . . . . . . . . . . . . . . . . . . . . 215
DF-compatibility support for tape LUNs. . . . . . . . . . . . . . . . . . . . . .219
Appendix C NS-Based Transparent Frame Redirection
Index
xii Fabric OS Encryption Administrator’s Guide
53-1001864-01
About This Document
In this chapter
How this document is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Supported hardware and software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
What’s new in this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Additional information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Getting technical help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
How this document is organized
. This document is organized to help you find the information that you want as quickly and easily as
possible.
The document contains the following components:
Chapter 1, “Encryption overview,” provides a task matrix, an overview of the data encryption
switch and the encryption solution, and the terminology used in this document.
Chapter 2, “Encryption configuration using the Management application” describes how to
configure and manage encryption features using DCFM.
Chapter 3, “Configuring Brocade encryption using the CLI” describes how to configure and
manage encryption features using the command line interface.
Chapter 4, “Deployment Scenarios” describes SAN configurations in which encryption may be
deployed.
Chapter 5, “Best Practices and Special Topics,” summarizes best practices and addresses
special topics relevant to the implementation of encryption features.
Chapter 6, “Maintenance and Troubleshooting,” provides information on troubleshooting and
the most common commands and procedures to use to diagnose and recover from problems.
Appendix A, “State and Status Information,” lists the encryption engine security processor (SP)
states, security processor key encryption key (KEK) status information, and encrypted LUN states.
Appendix B, “LUN Policies,” provides a DataFort compatibility support matrix for disk and tape
LUNs, and includes LUN policy troubleshooting information.
Appendix C, “NS-Based Transparent Frame Redirection,” provides a name server (NS)-based
transparent frame redirection interop matrix.
Fabric OS Encryption Administrator’s Guide xiii 53-1001864-01
Supported hardware and software
. The following hardware platforms support data encryption as described in this manual.
Brocade DCX and DCX-4S with an FS8-18 encryption blade.
Brocade Encryption Switch.
What’s new in this document
Information about decommissioning a encrypted LUN, hosting disk and tape containers on the same encryption engine and support for replicated LUN environments is included in this document..
Document conventions
This section describes text formatting conventions and important notice formats used in this document.
Text formatting
The narrative-text formatting conventions that are used are as follows:
bold text Identifies command names
Identifies the names of user-manipulated GUI elements Identifies keywords and operands Identifies text to enter at the GUI or CLI
italic text Provides emphasis
Identifies variables Identifies paths and Internet addresses Identifies document titles
code text Identifies CLI output
Identifies command syntax examples
For readability, command names in the narrative portions of this guide are presented in mixed lettercase: for example, switchShow. In actual examples, command lettercase is often all lowercase. Otherwise, this manual specifically notes those cases in which a command is case sensitive.
Command syntax conventions
Command syntax in this manual follows these conventions:
command Commands are printed in bold.
--option, option Command options are printed in bold.
-argument, arg Arguments.
xiv Fabric OS Encryption Administrator’s Guide
53-1001864-01
NOTE
ATTENTION
CAUTION
DANGER
[ ] Optional element.
variable Variables are printed in italics. In the help pages, variables are underlined
enclosed in angled brackets < >.
... Repeat the previous element, for example “member[;member...]”
value Fixed values following arguments are printed in plain font. For example,
--show WWN
| Boolean. Elements are exclusive. Example:
\ Backslash. Indicates that the line continues through the line break. For
command line input, type the entire line without the backslash.
--show -mode egress | ingress
or
Notes, cautions, and warnings
The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.
An Attention statement indicates potential damage to hardware or data.
A Caution statement alerts you to situations that can cause damage to hardware, firmware, software, or data.
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
Key terms
For definitions specific to Brocade and Fibre Channel, see the technical glossaries on Brocade Connect. See “Brocade resources” on page xvi for instructions on accessing Brocade Connect.
For definitions specific to this document, see “Terminology” on page 2.
For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at:
http://www.snia.org/education/dictionary
Fabric OS Encryption Administrator’s Guide xv 53-1001864-01
Notice to the reader
This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations.
These references are made for informational purposes only.
Corporation Referenced Trademarks and Products
Microsoft Corporation Windows, Windows NT, Internet Explorer
Net App Lifetime Key Manager (LKM)
EMC RSA Key Manager (RKM)
Hewlett Packard Secure Key Manager (SKM)
Thales Thales Encryption Manager for Storage (TEMS)
IBM IBM Tivoli Storage Manager 5.4 (Windows 2003)— Tape backup only, no support for
EMC Legato Legato Networker 7.4 (Windows 2003 and Red Hat Linux 5.1)
Symantec Symantec Veritas NetBackup 6.5 Enterprise Server (Windows 2003 and Solaris 10)
CommVault Commvault Galaxy Data Protection 7.0 (Windows 2003)
tape pool
Additional information
This section lists additional Brocade and industry-specific documentation that you might find helpful.
Brocade resources
To get up-to-the-minute information, go to http://my.brocade.com and register at no cost for a user ID and password.
For practical discussions about SAN design, implementation, and maintenance, you can obtain
Building SANs with Brocade Fabric Switches through:
http://www.amazon.com
For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource Library location:
http://www.brocade.com
Release notes are available on the MyBrocade web site and are also bundled with the Fabric OS firmware.
Other industry resources
White papers, online demos, and data sheets are available through the Brocade Web site at
http://www.brocade.com/products-solutions/products/index.page.
xvi Fabric OS Encryption Administrator’s Guide
53-1001864-01
Best practice guides, white papers, data sheets, and other documentation is available through
the Brocade Partner Web site.
For additional resource information, visit the Technical Committee T11 Web site. This Web site provides interface standards for high-performance and mass storage applications for Fibre Channel, storage management, and other applications:
http://www.t11.org
For information about the Fibre Channel industry, visit the Fibre Channel Industry Association Web site:
http://www.fibrechannel.org
Getting technical help
Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available:
1. General Information
Switch model
Switch operating system version
Error numbers and messages received
supportSave command output
Detailed description of the problem, including the switch or fabric behavior immediately
following the problem, and specific questions
Description of any troubleshooting steps already performed and the results
Serial console and Telnet session logs
syslog message logs
2. Switch Serial Number
The switch serial number and corresponding bar code are provided on the serial number label, as illustrated below.:
*FT00X0054E9*
FT00X0054E9
The serial number label is located as follows:
Brocade Encryption Switch—On the switch ID pull-out tab located inside the chassis on the
port side of the switch on the left.
Brocade DCX—On the bottom right on the port side of the chassis
Brocade DCX-4S—On the bottom right on the port side of the chassis, directly above the
cable management comb.
3. World Wide Name (WWN)
Use the licenseIdShow command to display the WWN of the chassis.
Fabric OS Encryption Administrator’s Guide xvii 53-1001864-01
If you cannot use the licenseIdShow command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX. For the Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port side of the chassis.
Document feedback
Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to:
documentation@brocade.com
Provide the title and version number of the document and as much detail as possible about your comment, including the topic heading and page number and your suggestions for improvement.
xviii Fabric OS Encryption Administrator’s Guide
53-1001864-01
CAUTION
Chapter
Encryption overview
In this chapter
Host and LUN considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
The Brocade encryption switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
The FS8-18 blade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Performance licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Recommendation for connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Usage limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Brocade encryption solution overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Data encryption key life cycle management . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Key management systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Support for Virtual Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1
Host and LUN considerations
Encrypting data-at-rest provides peace of mind in terms of protecting data from loss or theft, but very careful planning must be done to ensure encrypted data is handled correctly. Much of the planning must come from careful evaluation of host application and LUN resources, and of the path that the data will take to get from one or more hosts to a LUN.
When implementing encryption for data-at-rest, all hosts that access a LUN that is to hold encrypted data need to be configured for encryption to avoid data corruption. If a host, possibly in another fabric, writes cleartext to an encrypted LUN, the data on the LUN will be lost. The user must ensure that all hosts that can access a LUN are configured in the same manner.
Fabric OS Encryption Administrator’s Guide 1 53-1001864-01
Terminology
1
Terminology
The following are definitions of terms used extensively in this document.
ciphertext
cleartext
CryptoModule
Data Encryption Key (DEK)
Data Encryption Key Cluster (DEK Cluster)
Encryption Engine
Encryption Group
Failback
Failover
Group Leader
High Availability Cluster (HA Cluster)
Encrypted data.
Unencrypted data.
The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.
An encryption key generated by the encryption engine. The DEK is used to encrypt cleartext received from a host before it is sent to a target LUN, and to decrypt that data when it is retrieved by the host.
A cluster of encryption engines which can host all paths to a LUN and share the same data encryption key (DEK) set. The encryption engines can be in the same or different fabrics. DEK clusters enable host MPIO failover.
The entity within a node that performs encryption operations, including the generation of Data Encryption Keys.
A collection of one or more DEK clusters, HA clusters, or both, which share the same key vault and device configuration, and is managed as a single group.
In the context of this implementation of encryption, failback refers to behavior after a failed encryption switch recovers. Devices that were transferred to another switch by failover processing may automatically be transferred back, or they may be manually switched back. This is determined as a configuration option.
In the context of this implementation of encryption, failover refers to the automatic transfer of devices hosted by one encryption switch to another encryption switch within a high availability cluster (HA cluster).
A group leader is a special node within an encryption group which acts as a group and cluster manager, and manages and distributes all group-wide and cluster-wide configurations to all members of the group or cluster.
A collection of peer-level encryption engines that provide failover capabilities within a fabric.
Key Encryption Key
Link Key
Master Key
Node
Opaque Key Vault
2 Fabric OS Encryption Administrator’s Guide
A key used to encrypt and decrypt Data Encryption Keys (DEKs) within encryption devices so that DEKs are transmitted in a secure manner outside of the encryption engines, and stored persistently inside key vaults.
A shared secret exchanged between an encryption engine and a FIPS 140-2 level 3 certified key management appliance and key vault. The link key is an Key Encryption Key (KEK) that is used to encrypt Data Encryption Keys (DEKs) in transit over a secure connection to and from the key vault. The key management appliance decrypts the DEKs and stores them encrypted with its own master key.
An Key Encryption Key (KEK) used to encrypt and decrypt DEKs when storing DEKs in opaque key vaults. There is one master key per encryption group. That means all node encryption engines within an encryption group use the same master key to encrypt and decrypt the DEKs.
In terms of encryption, a switch, DCX, or DCX-4S through which users can manage an encryption engine.
A storage location that provides untrusted key management functionality. Its contents may be visible to a third party. DEKs in an opaque key vault are stored encrypted in a master key to protect them.
53-1001864-01
Recovery cards
Redirection zone
Re-keying
Trusted Key Vault
Virtual Initiator
Virtual Target
Terminology
A set of smart cards that contain a backup master key. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the Brocade SAN Management Application to restore the master key. Recovery cards may be stored in different locations, making it very difficult to steal the master key. The cards should not be stored together, as that defeats the purpose.
When encryption is implemented, data traffic is routed to and from virtual initiators and virtual targets. Redirection zones are automatically created to enable frame redirection to the virtual initiators and virtual targets.
Re-keying refers to decrypting data with the current Data Encryption Key (DEK), and encrypting it with a new DEK. This is done when the security of the current key is compromised, or when a DEK is configured to expire in a specific time frame. The re-keying operation can be used to encrypt existing data currently stored as cleartext. In that case, there is no existing DEK, and the data does not have to be decrypted before it is encrypted using the new DEK.
Very secure storage on a hardware appliance that establishes a trusted link with the encryption device for secure exchange of DEKs. DEKs are encrypted with the link for transit between the encryption device and the hardware appliance. At the hardware appliance, the DEKs are re-encrypted, using master key created and maintained by hardware appliance, and then stored in the trusted key vault.
A logical entity that acts as a stand-in for a physical host when communicating with a physical target LUN.
A logical entity that acts as a stand-in for a physical target LUN when communicating with a physical host. A virtual target is mapped one to one to a specific physical target.
1
Fabric OS Encryption Administrator’s Guide 3 53-1001864-01
The Brocade encryption switch
1
The Brocade encryption switch
The Brocade encryption switch (Figure 1) is a high performance 32 port auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data, using Advanced Encryption Standard (AES) 256-bit algorithms. Encryption and decryption engines provide in-line encryption services with up to 96 Gbps throughput for disk I/O (mix of ciphertext and cleartext traffic) and up to 48 Gbps throughput for tape I/O (mix of ciphertext and cleartext traffic). Refer to “The FS8-18
blade” on page 5 for information about license requirements for 48 Gbps and 96 Gbps bandwidth.
In addition to its 32 Fibre Channel ports, the switch has one RJ45 Gigabit Ethernet (GE) management port, two RJ45 GE ports for clustering interconnection and re-key synchronization, one RJ45 Serial console port, and one USB port for serviceability, error logging, and firmware upgrades.
1
2
3
4
5
6
7
8
Power LED.
Status LED.
RJ45 gigabit Ethernet ports for clustering and centralized management of multiple encryption switches through a group leader.
Smart card reader.
RJ45 gigabit Ethernet port for the management interface. This interface is used for the secure connection to the key vault location and to the Data Center Fabric Manager (DCFM).
RJ45 serial console port.
USB port for firmware upgrades and other support services.
Fibre Channel ports (0-31) - 1, 2, 4, or 8 Gbps auto-sensing F, FL, E, EX, or M ports to connect host servers, SAN disks, SAN tapes, edge switches, or core switches.
FIGURE 1 Brocade encryption switch
4 Fabric OS Encryption Administrator’s Guide
53-1001864-01
The FS8-18 blade
The FS8-18 blade provides the same features and functionality as the encryption switch. The FS8-18 blade installs on the Brocade DCX and DCX-4S. Four FS8-18 blades may be installed in a single DCX or DCX-4S.
Performance licensing
Encryption processing power is scalable, and may be increased by purchasing and installing an encryption performance license. The base unit Brocade Encryption Switch and FS8-18 Encryption Blade have a standard capacity of 48 Gbps of encryption processing power. Additional encryption processing power can be added for disk I/O by purchasing and installing a Disk Advanced Encryption Performance license. When the performance upgrade license is applied, encryption processing power of up to 96 Gbps is available. Note that when the license is applied to a DCX or DCX-4S chassis, it applies to all FS8-18 blades installed on that chassis.
Adding a license
The FS8-18 blade
1
The encryption performance licenses are added just like any other Fabric OS feature license. After the license is added, the encryption switch, DCX, or DCX-4S with encryption blades installed must be rebooted for the license to take effect. See the Fabric OS Administrator’s Guide for information about obtaining and adding licenses.
Licensing best practices
Licenses installed on the switches and blades must have identical performance numbers when used together in high availability (HA) clusters or data encryption key (DEK) clusters.
Fabric OS Encryption Administrator’s Guide 5 53-1001864-01
Recommendation for connectivity
1
Recommendation for connectivity
In order to achieve high performance and throughput, the encryption engines perform what is referred to as “cut-through” encryption. In simple terms this is achieved by encrypting the data in data frames on a per frame basis. This enables the encryption engine to buffer only a frame, encrypt it and send the frame out to the target on write I/Os. For read I/Os the reverse is done. This puts some constraints on the topology and the container configurations to support acceptable performance for encrypted and decrypted I/O to and from LUNs, and to support acceptable levels of scale in terms of the number of LUNs and the number of flows. The topology and container configuration constraint is stated below:
Care must be taken when connecting the encryption engines to the fabric and configuring crypto-target containers to be sure that the traffic flow between the host initiator and the physical storage array LUN through the container flows through only one encryption engine that is hosting the container. This is to avoid crisscrossing of flows to and from virtual entities; that is, from virtual targets and virtual initiators on two different encryption engines over the same path.
Although there is considerable flexibility in connecting and configuring the containers for encryption, the following guidelines are the recommended best practices:
Host and Storage Array ports that are not involved in any encryption flow can be connected to
any Encryption Engines.
Recommendations for host and target ports with respect to encryption flows are as follows:
- Only ISLs are connected to the Brocade Encryption Switch encryption engine in order to
- Only host ports are connected to the FS8-18 blade encryption engine. and no ISLs are
Usage limitations
There are usage limitations to be aware of when planning an encryption implementation:
Special redirection zones are created to handle data that is redirected to an encryption switch
or blade. Quality of Service (QoS) cannot be applied to a redirection zone.
In order for frame redirection to be applied, regular zones for hosts and targets must be
defined in the effective configuration. Hosts and targets must be zoned together by worldwide port name (WWPN) rather than worldwide node name (WWNN) in configurations where frame redirection will be used. If hosts or targets are zoned together using worldwide node name, frame redirection will not occur properly.
On tapes written in DataFort format, the encryption switch or blade cannot read and decrypt
files with a block size of one MB or greater.
Th e To p Talker feature is not compatible wi t h redirection z o n e s. The Top Talker featur e s hould
not be enabled when an encryption switch or blade is present in the fabric.
connect it to the fabric. No devices (initiators and targets) are connected to it.
connected to it.
6 Fabric OS Encryption Administrator’s Guide
53-1001864-01
Host
Encryption Switch
Cleartext
DEKs
Ciphertext
based on
AES256-GCM
Ciphertext
based on
AES256-XTS
Disk Storage
Tape Storage
Key Management
System
Ciphertext
Cleartext
Brocade encryption solution overview
The loss of stored private data, trade secrets, intellectual properties, and other sensitive information through theft or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data. Encryption is a powerful tool for data protection. Brocade provides an encryption solution that resides in a Storage Area Network (SAN) fabric. This location, between computers and storage, is ideal for implementing a solution that works transparently with heterogeneous servers, disk storage subsystems, and tape libraries. Data entering the SAN from a server is encrypted before it is written to storage. When stored data is encrypted, theft or loss of storage media does not pose a security threat.
Figure 2 provides a high level view of the Brocade encryption solution. Cleartext is sent from the
server to the encryption engine, where it is encrypted into ciphertext using one of two encryption algorithms, one for disk storage targets, and one for tape storage targets. The encrypted data cannot be read without first being decrypted. The key management system is required for management of the data encryption keys (DEKs) that are generated by the encryption engine, and used for encrypting and decrypting the data. The key management system is provided by a third party vendor.
Brocade encryption solution overview
1
FIGURE 2 Encryption overview
Fabric OS Encryption Administrator’s Guide 7 53-1001864-01
Brocade encryption solution overview
Host
Encryption
Switch
Ciphertext
Cleartext
Virtual
Initiator
Lun
X
Virtual Target
Fabric 1
Target
1
Data flow from server to storage
The Brocade encryption switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent from a host and a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
FIGURE 3 Frame redirection
8 Fabric OS Encryption Administrator’s Guide
53-1001864-01
Node 1
Key Management
System
EE
Node 2
Group Leader
Management Group
EE
Node 3
EE
Node 4
EE
IO Sync LAN
LAN
Data encryption key life cycle management
Data encryption key life cycle management
Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed. To be sure the data remains accessible, DEKs may also need to be stored for years or decades. Key management systems provide life cycle management for all DEKs created by the encryption engine. Key management systems are provided by third party vendors.
Figure 4 shows the relationship of the LAN connections to the key vault and between encryption
nodes.
1
FIGURE 4 LAN connections to the key vault, and between encryption nodes
Regardless of the length of the life cycle, there are four stages in the life of a DEK, as shown in
Figure 5. A DEK is created by an encryption engine, distributed, and stored in a key vault. The key is
used to encrypt and decrypt data at least once, and possibly many times. A DEK may be configured to expire in a certain time frame, or it may become compromised. Under those conditions, it must be used one more time to decrypt the data, and the resulting cleartext is encrypted with a new key (re-keyed).
Fabric OS Encryption Administrator’s Guide 9 53-1001864-01
Data encryption key life cycle management
1
FIGURE 5 DEK life cycle
10 Fabric OS Encryption Administrator’s Guide
53-1001864-01
Key management systems
Key management systems are available from several vendors. This release supports the following leading key management systems:
The NetApp LIfetime Key Manager (LKM) version 4.0 or later.
The RSA Key Manager (RKM) version 2.1.3 or later, available through EMC.
The HP Secure Key Manager (SKM) version 1.1 or later, available through Hewlett Packard.
The Thales Encryption Manager for Storage (TEMS).
Master key management
Communications with opaque key vaults are encrypted using a master key that is created by the encryption engine on the encryption switch. Currently, this includes the key vaults of all supported key management systems except NetApp LKM.
Master key generation
Key management systems
1
A master key must be generated by the group leader encryption engine. The master key can be generated once by the group leader, and propagated to the other members of an encryption group.
Master key backup
It is essential to back up the master key immediately after it is generated. The master key may be backed up to any of the following,
To a file as an encrypted key.
To the key management system as an encrypted key record.
To a set of recovery smart cards. This option is only available if the switch is managed by the
Data Center Fabric Manager (DFCM), and if a card reader is available for attachment to the DCFM workstation.
The use of smart cards provides the highest level of security. When smart cards are used, the key is split and written on up to five cards, and the cards may be kept and stored by up to five individuals, and all are needed to restore the master key.
Fabric OS Encryption Administrator’s Guide 11 53-1001864-01
Support for Virtual Fabrics
NOTE
1
Support for Virtual Fabrics
The Brocade encryption switch does not support the logical switch partitioning capability and can not be partitioned, but the switch can be connected to any Logical Switch partition or Logical Fabric using an E-Port.
The FS8-18 encryption blades are supported in only in a default switch partition All FS8-18 blades must be placed in a default switch partition in DCX or DCX-4S. The encryption resource from default switch partition/fabric can be shared with other logical switch partitions/fabrics or other fabrics only through external device sharing using FCR or EX_Ports through a base switch/fabric. A separate port blade must be used in the base switch/fabric for EX_Port connectivity from the logical switch partition (default switch partition) of FS8-18 blades and host/target fabrics. The EX_Port can be on any external FCR switch.
Please refer to Fabric OS Administrator’s Guide for more details on how to configure the DCX and DCX-4S in virtual fabrics environments including configuration of default switch partition and any other logical switch partitions.
12 Fabric OS Encryption Administrator’s Guide
53-1001864-01
Loading...
+ 218 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use