Brocade Communications Systems StoreFabric SN6500B, Fabric OS 7.1.0 Administrator's Manual

53-1002721-01

14 December 2012

Fabric OS Encryption

Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments

Supporting Fabric OS v7.1.0

Brocade, Brocade Assurance, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, MLX, NetIron, SAN Health, ServerIron, TurboIron, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.

The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.

The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.

Brocade Communications Systems, Incorporated

Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 Tel: 1-408-333-8000 Fax: 1-408-333-8101 E-mail: info@brocade.com

European Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour B - 4ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 5640 Fax: +41 22 799 5641 E-mail: emea-info@brocade.com

Asia-Pacific Headquarters Brocade Communications Systems China HK, Ltd. No. 1 Guanghua Road Chao Yang District Units 2718 and 2818 Beijing 100020, China Tel: +8610 6588 8888 Fax: +8610 6588 9999 E-mail: china-info@brocade.com

Asia-Pacific Headquarters Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Citic Plaza No. 233 Tian He Road North Unit 1308 – 13th Floor Guangzhou, China Tel: +8620 3891 2000 Fax: +8620 3891 2111 E-mail: china-info@brocade.com

Document History

Title Publication number Summary of changes Date

Fabric OS Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments

53-1002721-01 New product release December 2012

Contents

About This Document

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

How this document is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

What’s new in this document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Document conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Text formatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Command syntax conventions . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Notes, cautions, and warnings . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Key terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Additional information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Brocade resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Other industry resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Getting technical help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xvii

Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Chapter 1 Encryption Overview

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Host and LUN considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

The Brocade Encryption Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

The FS8-18 blade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Performance licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Adding a license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Licensing best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Recommendation for connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Usage limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Brocade encryption solution overview. . . . . . . . . . . . . . . . . . . . . . . . . 7

Data flow from server to storage . . . . . . . . . . . . . . . . . . . . . . . . . 8

Data encryption key life cycle management . . . . . . . . . . . . . . . . . . . . 9

Master key management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

Master key generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Master key backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) iii 53-1002721-01

Support for virtual fabrics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Cisco Fabric Connectivity support . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Chapter 2 Configuring Encryption Using the Management Application

Encryption Center features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Encryption user privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Smart card usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Using authentication cards with a card reader . . . . . . . . . . . . . 16

Registering authentication cards from a card reader . . . . . . . . 17

Registering authentication cards from the database . . . . . . . .19

Deregistering an authentication card. . . . . . . . . . . . . . . . . . . . .20

Setting a quorum for authentication cards . . . . . . . . . . . . . . . .20

Using system cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Enabling or disabling the system card requirement . . . . . . . . .22

Registering systems card from a card reader . . . . . . . . . . . . . .22

Deregistering system cards. . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

Using smart cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

Tracking smart cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

Editing smart cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

Network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Blade processor links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Configuring blade processor links . . . . . . . . . . . . . . . . . . . . . . . 28

Encryption node initialization and certificate generation. . . . . . . . .28

Setting encryption node initialization . . . . . . . . . . . . . . . . . . . . .29

Steps for connecting to an ESKM/SKM appliance . . . . . . . . . . . . . .29

Configuring a Brocade group on ESKM/SKM . . . . . . . . . . . . . .30

Registering the ESKM/SKM Brocade group user name

and password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Setting up the local Certificate Authority (CA) on

ESKM/SKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

Downloading the local CA certificate from ESKM/SKM . . . . . . 33

Creating and installing the ESKM/SKM server certificate . . . . 34

Enabling SSL on the Key Management System (KMS)

Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

Creating an ESKM/SKM High Availability cluster . . . . . . . . . . .35

Copying the local CA certificate for a clustered ESKM/SKM

appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36

Adding ESKM/SKM appliances to the cluster . . . . . . . . . . . . . .36

Signing the encryption node KAC certificates . . . . . . . . . . . . . . 37

Importing a signed KAC certificate into a switch . . . . . . . . . . . . 38

ESKM/SKM key vault high availability deployment. . . . . . . . . .38

Encryption preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40

Creating a new encryption group . . . . . . . . . . . . . . . . . . . . . . . . . . . .40

Configuring key vault settings for HP Enterprise Secure

Key Manager (ESKM/SKM). . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

Understanding configuration status results. . . . . . . . . . . . . . . .49

Adding a switch to an encryption group. . . . . . . . . . . . . . . . . . . . . . .50

iv Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

Replacing an encryption engine in an encryption group . . . . . . . . . 55

High availability (HA) clusters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56

Creating High availability (HA) clusters. . . . . . . . . . . . . . . . . . . .56

Removing engines from an HA cluster . . . . . . . . . . . . . . . . . . . .57

Swapping engines in an HA cluster . . . . . . . . . . . . . . . . . . . . . .58

Failback option. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58

Invoking failback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58

Configuring encryption storage targets . . . . . . . . . . . . . . . . . . . . . . .59

Adding an encryption target . . . . . . . . . . . . . . . . . . . . . . . . . . . .59

Configuring hosts for encryption targets . . . . . . . . . . . . . . . . . . . . . .67

Adding target disk LUNs for encryption . . . . . . . . . . . . . . . . . . . . . . .69

Configuring storage arrays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Adding target tape LUNs for encryption. . . . . . . . . . . . . . . . . . . . . . .75

Moving Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

Configuring encrypted tape storage in a multi-path

environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

Tape LUN write early and read ahead . . . . . . . . . . . . . . . . . . . . . . . .79

Enabling and disabling tape LUN write early and read

ahead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

Tape LUN statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Viewing and clearing tape container statistics . . . . . . . . . . . . .81

Viewing and clearing tape LUN statistics for specific

tape LUNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

Viewing and clearing statistics for tape LUNs in a

container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84

Encryption engine rebalancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Rebalancing an encryption engine . . . . . . . . . . . . . . . . . . . . . . .86

Master keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86

Active master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Alternate master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87

Master key actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88

Saving the master key to a file . . . . . . . . . . . . . . . . . . . . . . . . . .88

Saving a master key to a key vault . . . . . . . . . . . . . . . . . . . . . . .89

Saving a master key to a smart card set . . . . . . . . . . . . . . . . . .90

Restoring a master key from a file . . . . . . . . . . . . . . . . . . . . . . .92

Restoring a master key from a key vault . . . . . . . . . . . . . . . . . .93

Restoring a master key from a smart card set. . . . . . . . . . . . . .94

Creating a new master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95

Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96

Zeroizing an encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96

Setting zeroization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Using the Encryption Targets dialog box . . . . . . . . . . . . . . . . . . . . . .98

Redirection zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) v 53-1002721-01

Disk device decommissioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99

Decommissioning Disk LUNs . . . . . . . . . . . . . . . . . . . . . . . . . .100

Displaying and deleting decommissioned key IDs. . . . . . . . . .100

Displaying Universal IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

Rekeying all disk LUNs manually . . . . . . . . . . . . . . . . . . . . . . . . . . .102

Setting disk LUN Re-key All . . . . . . . . . . . . . . . . . . . . . . . . . . . .103

Viewing disk LUN rekeying details . . . . . . . . . . . . . . . . . . . . . .104

Viewing the progress of manual rekey operations. . . . . . . . . .105

Thin provisioned LUNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107

Viewing time left for auto rekey . . . . . . . . . . . . . . . . . . . . . . . . . . . .107

Viewing and editing switch encryption properties . . . . . . . . . . . . .108

Exporting the public key certificate signing request (CSR)

from properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111

Importing a signed public key certificate from properties . . .111 Enabling and disabling the encryption engine state from

properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111

Viewing and editing encryption group properties . . . . . . . . . . . . . .112

General tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114

Members tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115

Consequences of removing an encryption switch . . . . . . . . . .117

Security tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118

HA Clusters tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120

Tape Pools tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122

Engine Operations tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124

Encryption-related acronyms in log messages . . . . . . . . . . . . . . . .125

Chapter 3 Configuring Encryption Using the CLI

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128

Command validation checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128

Command RBAC permissions and AD types . . . . . . . . . . . . . . . . . .129

Cryptocfg Help command output . . . . . . . . . . . . . . . . . . . . . . . . . . .132

Management LAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .132

Configuring cluster links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133

Special consideration for blades . . . . . . . . . . . . . . . . . . . . . . .133

IP Address change of a node within an encryption group. . . .134

Setting encryption node initialization . . . . . . . . . . . . . . . . . . . . . . .135

vi Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

Steps for connecting to an SKM or ESKM appliance . . . . . . . . . . .136

Configuring a Brocade group. . . . . . . . . . . . . . . . . . . . . . . . . . .136

Setting up the local Certificate Authority (CA) . . . . . . . . . . . . .137

Downloading the local CA certificate . . . . . . . . . . . . . . . . . . . .138

Creating and installing the SKM or ESKM server

certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139

Enabling SSL on the Key Management System (KMS)

Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140

Creating an SKM or ESKM high availability cluster . . . . . . . . .141

Copying the local CA certificate. . . . . . . . . . . . . . . . . . . . . . . . .141

Adding SKM or ESKM appliances to the cluster . . . . . . . . . . .142

Initializing the Fabric OS encryption engines . . . . . . . . . . . . . .143

Signing the Brocade encryption node KAC certificates. . . . . .144

Registering SKM or ESKM on a Brocade encryption group

leader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145

Registering the SKM/ESKM Brocade group user name

and password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147

SKM or ESKM key vault high availability deployment . . . . . . .148

Adding a member node to an encryption group . . . . . . . . . . .149

Generating and backing up the master key . . . . . . . . . . . . . . . . . .152

High availability cluster configuration . . . . . . . . . . . . . . . . . . . . . . .154

HA cluster configuration rules. . . . . . . . . . . . . . . . . . . . . . . . . .154

Creating an HA cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155

Adding an encryption engine to an HA cluster. . . . . . . . . . . . .156

Failover/failback policy configuration. . . . . . . . . . . . . . . . . . . .156

Re-exporting a master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157

Exporting an additional key ID . . . . . . . . . . . . . . . . . . . . . . . . .158

Viewing the master key IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . .159

Enabling the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . . .160

Checking encryption engine status . . . . . . . . . . . . . . . . . . . . .160

Zoning considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161

Setting default zoning to no access . . . . . . . . . . . . . . . . . . . . .161

Frame redirection zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162

Creating an initiator - target zone . . . . . . . . . . . . . . . . . . . . . . .162

CryptoTarget container configuration . . . . . . . . . . . . . . . . . . . . . . .164

LUN rebalancing when hosting both disk and tape

targets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165

Gathering information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166

Creating a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . .167

Removing an initiator from a CryptoTarget container . . . . . . .168

Deleting a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . .169

Moving a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . . .170

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) vii 53-1002721-01

Crypto LUN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Discovering a LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Configuring a Crypto LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172

Crypto LUN parameters and policies . . . . . . . . . . . . . . . . . . . .173

Configuring a tape LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175

Removing a LUN from a CryptoTarget container . . . . . . . . . . .177

Modifying Crypto LUN parameters . . . . . . . . . . . . . . . . . . . . . .177

LUN modification considerations . . . . . . . . . . . . . . . . . . . . . . .178

Impact of tape LUN configuration changes. . . . . . . . . . . . . . . . . . .179

Configuring a multi-path Crypto LUN . . . . . . . . . . . . . . . . . . . . . . . .179

Multi-path LUN configuration example. . . . . . . . . . . . . . . . . . .180

Decommissioning LUNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183

Decommissioning replicated LUNs . . . . . . . . . . . . . . . . . . . . . . . . .185

Decommissioning primary LUNs only . . . . . . . . . . . . . . . . . . . .185

Decommissioning secondary LUNs only . . . . . . . . . . . . . . . . .185

Decommissioning primary and secondary LUN pairs . . . . . . .186

Force-enabling a decommissioned disk LUN for encryption . . . . .186

Force-enabling a disabled disk LUN for encryption . . . . . . . . . . . .187

Tape pool configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188

Tape pool labeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188

Creating a tape pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190

Deleting a tape pool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191

Modifying a tape pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191

Impact of tape pool configuration changes . . . . . . . . . . . . . . .191

First-time encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192

Resource allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192

First-time encryption modes . . . . . . . . . . . . . . . . . . . . . . . . . . .192

Configuring a LUN for first-time encryption . . . . . . . . . . . . . . .192

Thin provisioned LUNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193

Space reclamation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194

Data rekeying. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195

Resource allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195

Rekeying modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195

Configuring a LUN for automatic rekeying . . . . . . . . . . . . . . . .196

Initiating a manual rekey session. . . . . . . . . . . . . . . . . . . . . . .197

Suspension and resumption of rekeying operations. . . . . . . .198

Chapter 4 Deployment Scenarios

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199

Single encryption switch, two paths from host to target . . . . . . . .200

Single fabric deployment - HA cluster . . . . . . . . . . . . . . . . . . . . . . .201

Single fabric deployment - DEK cluster . . . . . . . . . . . . . . . . . . . . . .202

Dual fabric deployment - HA and DEK cluster. . . . . . . . . . . . . . . . .203

Multiple paths, one DEK cluster, and two HA clusters . . . . . . . . . .204

Multiple paths, DEK cluster, no HA cluster . . . . . . . . . . . . . . . . . . .206

viii Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

Deployment in Fibre Channel routed fabrics. . . . . . . . . . . . . . . . . .207

Deployment as part of an edge fabric . . . . . . . . . . . . . . . . . . . . . . .209

Deployment with FCIP extension switches . . . . . . . . . . . . . . . . . . .210

VMware ESX server deployments. . . . . . . . . . . . . . . . . . . . . . . . . . .211

Chapter 5 Best Practices and Special Topics

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283

Firmware upgrade and downgrade considerations . . . . . . . . . . . .284

General guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285

Specific guidelines for HA clusters . . . . . . . . . . . . . . . . . . . . . .286

Configuration upload and download considerations . . . . . . . . . . .287

Configuration upload at an encryption group leader

node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287

Configuration upload at an encryption group member

node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287

Information not included in an upload . . . . . . . . . . . . . . . . . . .287

Steps before configuration download. . . . . . . . . . . . . . . . . . . .288

Configuration download at the encryption group leader. . . . .288

Configuration download at an encryption group member . . .288

Steps after configuration download . . . . . . . . . . . . . . . . . . . . .288

HP-UX considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289

AIX Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290

Enabling a disabled LUN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290

Disk metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290

Tape metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290

Tape data compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290

Tape pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291

Tape block zero handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292

Tape key expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292

Configuring CryptoTarget containers and LUNs . . . . . . . . . . . . . . .292

Redirection zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293

Deployment with Admin Domains (AD) . . . . . . . . . . . . . . . . . . . . . .293

Do not use DHCP for IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . .293

Ensure uniform licensing in HA clusters . . . . . . . . . . . . . . . . . . . . .294

Tape library media changer considerations . . . . . . . . . . . . . . . . . .294

Turn off host-based encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . .294

Avoid double encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294

PID failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294

Turn off compression on extension switches . . . . . . . . . . . . . . . . .295

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) ix 53-1002721-01

Rekeying best practices and policies. . . . . . . . . . . . . . . . . . . . . . . .295

Manual rekey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295

Latency in rekey operations . . . . . . . . . . . . . . . . . . . . . . . . . . .295

Allow rekey to complete before deleting a container. . . . . . . .295

Rekey operations and firmware upgrades . . . . . . . . . . . . . . . .295

Do not change LUN configuration while rekeying . . . . . . . . . .296

Recommendation for Host I/O traffic during online

rekeying and first- time encryption . . . . . . . . . . . . . . . . . . . . . .296

KAC certificate registration expiry . . . . . . . . . . . . . . . . . . . . . . . . . .296

Changing IP addresses in encryption groups . . . . . . . . . . . . . . . . .296

Disabling the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . .297

Recommendations for Initiator Fan-Ins . . . . . . . . . . . . . . . . . . . . . .297

Best practices for host clusters in an encryption environment . . .298

HA Cluster deployment considerations and best practices . . . . . .298

Key Vault Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298

Tape Device LUN Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299

Chapter 6 Maintenance and Troubleshooting

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301

Encryption group and HA cluster maintenance. . . . . . . . . . . . . . . .302

Displaying encryption group configuration or status

information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302

Removing a member node from an encryption group. . . . . . .302

Deleting an encryption group . . . . . . . . . . . . . . . . . . . . . . . . . .305

Removing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .305

Displaying the HA cluster configuration . . . . . . . . . . . . . . . . . .306

Replacing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .307

Deleting an HA cluster member . . . . . . . . . . . . . . . . . . . . . . . .309

Performing a manual failback of an encryption engine . . . . .310

x Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

Encryption group merge and split use cases . . . . . . . . . . . . . . . . .311

A member node failed and is replaced . . . . . . . . . . . . . . . . . .311

A member node reboots and comes back up . . . . . . . . . . . . .312

A member node lost connection to the group leader . . . . . . .313

A member node lost connection to all other nodes in the

encryption group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313

Several member nodes split off from an encryption group . .314

Adjusting heartbeat signaling values . . . . . . . . . . . . . . . . . . . .315

EG split possibilities requiring manual recovery . . . . . . . . . . .316

Configuration impact of encryption group split or node

isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320

Encryption group database manual operations . . . . . . . . . . . . . . .321

Manually synchronizing the encryption group database. . . . .321

Manually synchronizing the security database . . . . . . . . . . . .321

Aborting a pending database transaction . . . . . . . . . . . . . . . .322

Key vault diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322

Measuring encryption performance . . . . . . . . . . . . . . . . . . . . . . . .323

53-1002721-01

General encryption troubleshooting . . . . . . . . . . . . . . . . . . . . . . . .325

Troubleshooting examples using the CLI. . . . . . . . . . . . . . . . . . . . .328

Encryption Enabled CryptoTarget LUN . . . . . . . . . . . . . . . . . . .328

Encryption Disabled CryptoTarget LUN. . . . . . . . . . . . . . . . . . .329

Management application encryption wizard troubleshooting . . . .330

Errors related to adding a switch to an existing group . . . . . .330

Errors related to adding a switch to a new group . . . . . . . . . .331

General errors related to the Configure Switch Encryption

wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332

LUN policy troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333

Loss of encryption group leader after power outage . . . . . . . . . . .334

MPIO and internal LUN states . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335

Suspension and resumption of rekeying operations. . . . . . . .335

FS8-18 blade removal and replacement. . . . . . . . . . . . . . . . . . . . .336

Multi-node EG replacement . . . . . . . . . . . . . . . . . . . . . . . . . . .336

Single-node EG replacement. . . . . . . . . . . . . . . . . . . . . . . . . . .338

Brocade Encryption Switch removal and replacement. . . . . . . . . .339

Multi-node EG Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339

Single-node EG Replacement . . . . . . . . . . . . . . . . . . . . . . . . . .342

Reclaiming the WWN base of a failed Brocade Encryption

Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344

Removing stale rekey information for a LUN. . . . . . . . . . . . . . . . . .345

Downgrading firmware from Fabric OS 7.1.0. . . . . . . . . . . . . . . . . .345

Fabric OS and ESKM compatibility matrix. . . . . . . . . . . . . . . . . . . .346

Splitting an encryption group into two encryption groups . . . . . . . 347

Moving an encryption blade from one EG to another in the

same fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348

Moving an encryption switch from one EG to another in the

same fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348

Appendix A State and Status Information

In this appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351

Encryption engine security processor (SP) states. . . . . . . . . . . . . .301

Security processor KEK status. . . . . . . . . . . . . . . . . . . . . . . . . . . . .352

Encrypted LUN states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) xi 53-1002721-01

xii Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

About This Document

In this chapter

•How this document is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

•Supported hardware and software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

•What’s new in this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

•Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

•Text formatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

•Command syntax conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

•Key terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

•Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

•Additional information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

•Brocade resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

•Other industry resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

•Getting technical help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

•Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

How this document is organized

. This document is organized to help you find the information that you want as quickly and easily as

possible.

The document contains the following components:

• Chapter 1, “Encryption Overview,” provides a task matrix, an overview of the data encryption

switch and the encryption solution, and the terminology used in this document.

• Chapter 2, “Configuring Encryption Using the Management Application”describes how to

configure and manage encryption features using Brocade Network Advisor.

• Chapter 3, “Configuring Encryption Using the CLI,” describes how to configure and manage

encryption features using the command line interface.

• Chapter 4, “Deployment Scenarios,” describes SAN configurations in which encryption may be

deployed.

• Chapter 5, “Best Practices and Special Topics,” summarizes best practices and addresses

special topics relevant to the implementation of encryption features.

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) xiii 53-1002721-01

• Chapter 6, “Maintenance and Troubleshooting,” provides information on troubleshooting and

the most common commands and procedures to use to diagnose and recover from problems.

• Appendix A, “State and Status Information,” lists the encryption engine security processor (SP)

states, security processor key encryption key (KEK) status information, and encrypted LUN states.

Supported hardware and software

. The following hardware platforms support data encryption as described in this manual.

• Brocade DCX Backbone series chassis with an FS8-18 encryption blade.

• Brocade Encryption Switch.

What’s new in this document

This document identifies any encryption changes that support Fabric OS 7.1.0.

Document conventions

This section describes text formatting conventions and important notice formats used in this document.

Text formatting

The narrative-text formatting conventions that are used are as follows:

bold text Identifies command names

Identifies the names of user-manipulated GUI elements Identifies keywords and operands Identifies text to enter at the GUI or CLI

italic text Provides emphasis

Identifies variables Identifies paths and Internet addresses Identifies document titles

code text Identifies CLI output

Identifies command syntax examples

For readability, command names in the narrative portions of this guide are presented in mixed lettercase: for example, switchShow. In actual examples, command lettercase is often all lowercase. Otherwise, this manual specifically notes those cases in which a command is case sensitive.

xiv Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

Command syntax conventions

NOTE

ATTENTION

CAUTION

DANGER

Command syntax in this manual follows these conventions:

command Commands are printed in bold.

--option, option Command options are printed in bold.

-argument, arg Arguments.

[ ] Optional element.

variable Variables are printed in italics. In the help pages, variables are underlined

enclosed in angled brackets < >.

... Repeat the previous element, for example “member[;member...]”

value Fixed values following arguments are printed in plain font. For example,

--show WWN

| Boolean. Elements are exclusive. Example:

\ Backslash. Indicates that the line continues through the line break. For

command line input, type the entire line without the backslash.

--show -mode egress | ingress

Notes, cautions, and warnings

The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.

A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.

An Attention statement indicates potential damage to hardware or data.

A Caution statement alerts you to situations that can cause damage to hardware, firmware, software, or data.

A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Key terms

For definitions specific to Brocade and Fibre Channel, see the technical glossaries on Brocade Connect. See “Brocade resources” on page xvi for instructions on accessing MyBrocade.

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) xv 53-1002721-01

For definitions specific to this document, see “Terminology” on page 2.

For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at:

http://www.snia.org/education/dictionary

Notice to the reader

This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations.

These references are made for informational purposes only.

Corporation Referenced Trademarks and Products

CommVault CommVault Galaxy Data Protection

EMC RSA Key Manager (RKM)

EMC RSA Data Protection Manager (DPM)

EMC EMC Networker

Hewlett Packard Secure Key Manager (SKM)

Hewlett Packard Enterprise Secure Key Manager (ESKM)

IBM Tivoli Key Lifecycle Manager (TKLM)

IBM IBM Tivoli Storage Manager (TSM)

Microsoft Corporation Windows, Windows NT, Internet Explorer

Net App Lifetime Key Manager (LKM)

SafeNet SafeNet

Symantec Symantec Veritas NetBackup Enterprise Server

Thales Thales Encryption Manager for Storage (TEMS)

Thales Thales e-Security keyAuthority (TEKA)

Additional information

This section lists additional Brocade and industry-specific documentation that you might find helpful.

Brocade resources

To get up-to-the-minute information, go to http://my.brocade.com and register at no cost for a user ID and password.

For practical discussions about SAN design, implementation, and maintenance, you can obtain

Building SANs with Brocade Fabric Switches through:

http://www.amazon.com

xvi Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource Library location:

http://www.brocade.com

Release notes are available on the MyBrocade website and are also bundled with the Fabric OS firmware.

Other industry resources

• White papers, online demos, and data sheets are available through the Brocade website at

http://www.brocade.com/products-solutions/products/index.page.

• Best practice guides, white papers, data sheets, and other documentation is available through

the Brocade Partner website.

For additional resource information, visit the Technical Committee T11 Web site. This website provides interface standards for high-performance and mass storage applications for Fibre Channel, storage management, and other applications:

http://www.t11.org

For information about the Fibre Channel industry, visit the Fibre Channel Industry Association website:

http://www.fibrechannel.org

For information about the Key Management Interoperability Protocol standard, visit the OASIS KMIP Technical Committee website:

https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip

Getting technical help

Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available:

1. General Information

• Switch model

• Switch operating system version

• Error numbers and messages received

• supportSave command output

• Detailed description of the problem, including the switch or fabric behavior immediately

following the problem, and specific questions

• Description of any troubleshooting steps already performed and the results

• Serial console and Telnet session logs

• syslog message logs

2. Switch Serial Number

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) xvii 53-1002721-01

The switch serial number and corresponding bar code are provided on the serial number label, as illustrated below.:

*FT00X0054E9*

FT00X0054E9

The serial number label is located as follows:

• Brocade Encryption Switch—On the switch ID pull-out tab located inside the chassis on the

port side of the switch on the left.

• Brocade DCX—On the bottom right on the port side of the chassis

• Brocade DCX-4S—On the bottom right on the port side of the chassis, directly above the

cable management comb.

• Brocade DCX 8510-8—On the port side of the chassis, on the lower right side, and directly

above the cable management comb.

• Brocade DCX 8510-4—On the port side of the chassis, on the lower right side and directly

above the cable management comb.

3. World Wide Name (WWN)

Use the licenseIdShow command to display the WWN of the chassis.

If you cannot use the licenseIdShow command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX. For the Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port side of the chassis.

Document feedback

Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to:

documentation@brocade.com

Provide the title and version number of the document and as much detail as possible about your comment, including the topic heading and page number and your suggestions for improvement.

xviii Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

Chapter

CAUTION

Encryption Overview

In this chapter

•Host and LUN considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

•Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

•The Brocade Encryption Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

•The FS8-18 blade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

•FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

•Performance licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

•Recommendation for connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

•Usage limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

•Brocade encryption solution overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

•Data encryption key life cycle management . . . . . . . . . . . . . . . . . . . . . . . . . . 9

•Master key management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

•Support for virtual fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

•Cisco Fabric Connectivity support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Host and LUN considerations

Encrypting data-at-rest provides peace of mind in terms of protecting data from loss or theft, but very careful planning must be done to ensure encrypted data is handled correctly. Much of the planning must come from careful evaluation of host application and LUN resources, and of the path that the data will take to get from one or more hosts to a LUN.

When implementing encryption for data-at-rest, all hosts that access a LUN that is to hold encrypted data need to be configured for encryption to avoid data corruption. If a host, possibly in another fabric, writes cleartext to an encrypted LUN, the data on the LUN will be lost. The user must ensure that all hosts that can access a LUN are configured in the same manner.

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 1 53-1002721-01

Terminology

The following are definitions of terms used extensively in this document.

ciphertext

cleartext

CryptoModule

Data Encryption Key (DEK)

Data Encryption Key Cluster (DEK Cluster)

Encryption Engine

Encryption Group

Failback

Failover

Group Leader

High Availability Cluster (HA Cluster)

Encrypted data.

Unencrypted data.

The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.

An encryption key generated by the encryption engine. The DEK is used to encrypt cleartext received from a host before it is sent to a target LUN, and to decrypt that data when it is retrieved by the host.

A cluster of encryption engines which can host all paths to a LUN and share the same data encryption key (DEK) set. The encryption engines can be in the same or different fabrics. DEK clusters enable host MPIO failover.

The entity within a node that performs encryption operations, including the generation of Data Encryption Keys.

A collection of one or more DEK clusters, HA clusters, or both, which share the same key vault and device configuration, and is managed as a single group.

In the context of this implementation of encryption, failback refers to behavior after a failed encryption switch recovers. Devices that were transferred to another switch by failover processing may automatically be transferred back, or they may be manually switched back. This is determined as a configuration option.

In the context of this implementation of encryption, failover refers to the automatic transfer of devices hosted by one encryption switch to another encryption switch within a high availability cluster (HA cluster).

A group leader is a special node within an encryption group which acts as a group and cluster manager, and manages and distributes all group-wide and cluster-wide configurations to all members of the group or cluster.

A collection of peer-level encryption engines that provide failover capabilities within a fabric.

Key Encryption Key

Link Key

Logical Unit Number (LUN)

Master Key

Node

2 Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

A key used to encrypt and decrypt Data Encryption Keys (DEKs) within encryption devices so that DEKs are transmitted in a secure manner outside of the encryption engines, and stored persistently inside key vaults.

A shared secret exchanged between an encryption engine and a FIPS 140-2 level 3 certified key management appliance and key vault. The link key is an Key Encryption Key (KEK) that is used to encrypt Data Encryption Keys (DEKs) in transit over a secure connection to and from the key vault. The key management appliance decrypts the DEKs and stores them encrypted with its own master key.

The identifier of a SCSI logical unit.

A Key Encryption Key (KEK) used to encrypt and decrypt DEKs when storing DEKs in opaque key vaults. There is one master key per encryption group. That means all node encryption engines within an encryption group use the same master key to encrypt and decrypt the DEKs.

In terms of encryption, a Brocade Encryption Switch, DCX, or DCX-4S through which users can manage an encryption engine.

53-1002721-01

Terminology

Opaque Key Vault

Recovery cards

Redirection zone

Re-keying

Trusted Key Vault

Virtual Initiator

Virtual Target

A storage location that provides untrusted key management functionality. Its contents may be visible to a third party. DEKs in an opaque key vault are stored encrypted in a master key to protect them.

A set of smart cards that contain a backup master key. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the BNA client to restore the master key. Recovery cards may be stored in different locations, making it very difficult to steal the master key. The cards should not be stored together, as that defeats the purpose.

When encryption is implemented, data traffic is routed to and from virtual initiators and virtual targets. Redirection zones are automatically created to enable frame redirection to the virtual initiators and virtual targets.

Re-keying refers to decrypting data with the current Data Encryption Key (DEK), and encrypting it with a new DEK. This is done when the security of the current key is compromised, or when a DEK is configured to expire in a specific time frame. The re-keying operation can be used to encrypt existing data currently stored as cleartext. In that case, there is no existing DEK, and the data does not have to be decr ypted before it is encrypted using the new DEK.

Very secure storage on a hardware appliance that establishes a trusted link with the encryption device for secure exchange of DEKs. DEKs are encrypted with the link for transit between the encryption device and the hardware appliance. At the hardware appliance, the DEKs are re-encrypted, using master key created and maintained by hardware appliance, and then stored in the trusted key vault.

A logical entity that acts as a stand-in for a physical host when communicating with a physical target LUN.

A logical entity that acts as a stand-in for a physical target LUN when communicating with a physical host. A virtual target is mapped one to one to a specific physical target.

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 3 53-1002721-01

The Brocade Encryption Switch

The Brocade Encryption Switch is a high-performance, 32-port, auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data using Advanced Encryption Standard (AES) 256-bit algorithms. Encryption and decryption engines provide in-line encryption services with up to 96 Gbps throughput for disk I/O (mix of ciphertext and cleartext traffic) and up to 48 Gbps throughput for tape I/O (mix of ciphertext and cleartext traffic). Refer to “The FS8-18 blade” on page 5 for information about license requirements for 48 Gbps and 96 Gbps throughput.

In addition to its 32 Fibre Channel ports, the switch has one RJ45 Gigabit Ethernet (GE) management port, two RJ45 GE ports for clustering interconnection and rekey synchronization, one RJ-45 Serial console port, and one USB port for serviceability, error logging, and firmware upgrades (Figure 1) .

FIGURE 1 Brocade Encryption Switch

Power LED.

Status LED.

RJ-45 gigabit Ethernet ports (labeled eth0 and eth1) for clustering and centralized management of multiple encryption switches through a group leader.

Smart card reader.

RJ-45 gigabit Ethernet port for the management interface. This interface is used for the secure connection to the key vault location and to the BNA client.

RJ-45 serial console port.

USB port for firmware upgrades and other support services.

Fibre Channel ports (0-31) - 1, 2, 4, or 8 Gbps auto-sensing F, FL, E, EX, or M ports to connect host servers, SAN disks, SAN tapes, edge switches, or core switches.

4 Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

The FS8-18 blade

The FS8-18 blade provides the same features and functionality as the Brocade Encryption Switch. The FS8-18 blade installs on the Brocade DCX Backbone chassis, which include the DCX, DCX-4S, DCX 8510-8, and DCX 8510-4 chassis.

FIPS mode

Both the Brocade Encryption Switch and the FS8-18 blade always boot up in FIPS mode, which cannot be disabled. In this mode, only FIPS-compliant algorithms are allowed.

Performance licensing

Encryption processing power is scalable, and may be increased by purchasing and installing an encryption performance license. The base unit Brocade Encryption Switch and FS8-18 Encryption Blade have a standard capacity of 48 Gbps of encryption processing power. Additional encryption processing power can be added for disk I/O by purchasing and installing an Advanced Disk Encryption Performance Upgrade license. When the performance upgrade license is applied, encryption processing power of up to 96 Gbps is available for disk encryption. Note that when the license is applied to a Brocade DCX Backbone chassis, it applies to all FS8-18 blades installed on that chassis.

The FS8-18 blade

Adding a license

The encryption performance licenses are added just like any other Fabric OS feature license. After the license is added, the Brocade Encryption Switch and Brocade DCX Backbone chassis with encryption blades installed must be rebooted for the license to take effect. See the Fabric OS Administrator’s Guide for information about obtaining and adding licenses.

Licensing best practices

Licenses installed on the switches and blades must have identical performance numbers when used together in high availability (HA) clusters or data encryption key (DEK) clusters.

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 5 53-1002721-01

Recommendation for connectivity

NOTE

Recommendation for connectivity

In order to achieve high performance and throughput, the encryption engines perform what is referred to as “cut-through” encryption. In simple terms, this is achieved by encrypting the data in data frames on a per-frame basis. This enables the encryption engine to buffer only one frame, encrypt it, and send out the frame to the target on write I/Os. For read I/Os, the reverse is done.

This puts some constraints on the topology and the container configurations to support acceptable performance for encrypted and decrypted I/O to and from LUNs, and to support acceptable levels of scale in terms of the number of LUNs and the number of flows. The topology and container configuration constraint are stated below:

Care must be taken when connecting the encryption engines to the fabric and configuring crypto-target containers to be sure that the traffic flow between the host initiator and the physical storage array LUN through the container flows through only one encryption engine that is hosting the container. This is to avoid crisscrossing of flows to and from virtual entities; that is, from virtual targets and virtual initiators on two different encryption engines over the same path.

Although there is considerable flexibility in connecting and configuring the containers for encryption, the following guidelines are the recommended best practices:

• Host and storage array ports that are not involved in any encryption flow can be connected to

any encryption engines (EEs).

• Recommendations for host and target ports with respect to encryption flows are as follows:

- For high availability (HA) purposes, only ISLs are connected to the encryption engine to

connect it to the fabric. No devices (initiators and targets) are connected to it.

- To maintain HA, we recommend that devices (hosts and targets) and ISLs not be

connected directly to the encryption blades (FS8-18) in a Brocade DCX Backbone chassis in a single-path configuration.

Usage limitations

There are usage limitations to be aware of when planning an encryption implementation:

• Special redirection zones are created to handle data that is redirected to an encryption switch

or blade. Quality of Service (QoS) cannot be applied to a redirection zone.

• For frame redirection to be applied, regular zones for hosts and targets must be defined in the

effective configuration. Hosts and targets must be zoned together by worldwide port name (WWPN) rather than worldwide node name (WWNN) in configurations where frame redirection will be used. If hosts or targets are zoned together using worldwide node name, frame redirection will not occur properly.

Alias zoning is not supported in containers. You must use the real WWPN.

• On tapes written in DataFort format, the encryption switch or blade cannot read and decrypt

files with a block size of 1 MB or greater.

• Th e To p Tal ker fe a t ure is not compatib l e w ith redirection zones. The To p Ta l ker fe a t u re should

not be enabled when an encryption switch or blade is present in the fabric.

6 Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

Brocade encryption solution overview

The loss of stored private data, trade secrets, intellectual properties, and other sensitive information through theft, or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data. Encryption is a powerful tool for data protection. Brocade provides an encryption solution that resides in a Storage Area Network (SAN) fabric. This location, between computers and storage, is ideal for implementing a solution that works transparently with heterogeneous servers, disk storage subsystems, and tape libraries. Data entering the SAN from a server is encrypted before it is written to storage. When stored data is encrypted, theft or loss of storage media does not pose a security threat.

Figure 2 provides a high-level view of the Brocade encryption solution. Cleartext is sent from the

server to the encryption engine, where it is encrypted into ciphertext using one of two encryption algorithms: one for disk storage targets, and one for tape storage targets. The encrypted data cannot be read without first being decrypted. The key management system is required for management of the data encryption keys (DEKs) that are generated by the encryption engine, and used for encrypting and decrypting the data. The key management system is provided by a third-party vendor.

Brocade encryption solution overview

FIGURE 2 Encryption overview

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 7 53-1002721-01

Brocade encryption solution overview

Host

Encryption

Switch

Ciphertext

Cleartext

Virtual

Initiator

Lun

Virtual Target

Fabric 1

Target

Data flow from server to storage

The Brocade Encryption Switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent from a host and a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.

FIGURE 3 Frame redirection

8 Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

Data encryption key life cycle management

Node 1

Key Management

System

Node 2

Group Leader

Encryption Group

Node 3

Node 4

IO Sync LAN

LAN

Data encryption key life cycle management

Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed. To be sure the data remains accessible, DEKs may also need to be stored for years or decades. Key management systems provide life-cycle management for all DEKs created by the encryption engine. Key management systems are provided by third-party vendors.

Figure 4 shows the relationship of the LAN connections to the key vault and between encryption

nodes.

FIGURE 4 LAN connections to the key vault, and between encryption nodes

Regardless of the length of the life cycle, there are four stages in the life of a DEK, as shown in

Figure 5. A DEK is created by an encryption engine, distributed, then stored in a key vault. The key

is used to encrypt and decrypt data at least once, and possibly many times. A DEK may be configured to expire in a certain time frame to avoid becoming compromised. Under those conditions, it must be used one more time to decrypt the data, and the resulting cleartext is encrypted with a new key (rekeyed).

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 9 53-1002721-01

Data encryption key life cycle management

FIGURE 5 DEK life cycle

10 Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

Master key management

NOTE

Communications with opaque key vaults are encrypted using a master key that is created by the encryption engine on the encryption switch. Currently, this includes the key vaults of all supported key management systems except NetApp LKM.

Master key generation

A master key must be generated by the group leader encryption engine. The master key can be generated once by the group leader, then propagated to the other members of an encryption group.

Master key backup

It is essential to back up the master key immediately after it is generated. The master key may be backed up to any of the following:

• A file as an encrypted key.

• The key management system as an encrypted key record.

• A set of recovery smart cards. This option is available only if the switch is managed by the

Brocade Network Advisor (BNA) application (also referred to as the Management application), and if a card reader is available for attachment to the BNA workstation.

The use of smart cards provides the highest level of security. When smart cards are used, the key is split and written on up to 10 cards. Each card may be kept and stored by a different individual. A quorum of key holders is needed to restore the key. If five key holders exist and the quorum is set to three, then any three of the five key holders is needed to restore the key.

Master key management

Support for virtual fabrics

The Brocade Encryption Switch does not support the logical switch partitioning capability and, thus, cannot be partitioned, but the switch can be connected to any Logical Switch partition or Logical Fabric using an E_Port.

The FS8-18 Encryption Blades are supported only in a default switch partition. All FS8-18 blades must be placed in a default switch partition in a DCX Backbone chassis. The encryption resource from the default switch partition/fabric can be shared with other logical switch partitions/fabrics or other fabrics only through external device sharing using FCR or EX_Ports through a base switch/fabric. A separate port blade must be used in the base switch/fabric for EX_Port connectivity from the logical switch partition (default switch partition) of FS8-18 blades and host/target fabrics. The EX_Port can be on any external FCR switch.

Refer to the Fabric OS Administrator’s Guide for details on how to configure the Brocade DCX Backbones in virtual fabrics environments, including configuration of default switch partition and any other logical switch partitions.

Fabric OS Encryption Administrator’s Guide (SKM/ESKM) 11 53-1002721-01

Cisco Fabric Connectivity support

The Brocade Encryption Switch provides NPIV mode connectivity to Cisco fabrics. Connectivity is supported for Cisco SAN OS 3.3 and later versions.

Cisco fabric connectivity is provided only on the Brocade Encryption Switch. The FS8-18 blade for the Brocade DCX Backbone chassis does not support this feature.

12 Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002721-01

+ 274 hidden pages

Brocade Communications Systems StoreFabric SN6500B, Fabric OS 7.1.0 Administrator's Manual

Specifications and Main Features

Frequently Asked Questions

User Manual