Brocade Communications Systems Brocade 8/12c, Fabric OS Encryption Administrator's Manual

53-1002159-03
28 July 2011
Fabric OS Encryption Administrator’s Guide
Supporting HP Secure Key Manager (SKM) Environments and HP Enterprise Secure Key Manager (ESKM) Environments
Supporting Fabric OS v7.0.0
Copyright © 2010-2011 Brocade Communications Systems, Inc. All Rights Reserved.
Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 Tel: 1-408-333-8000 Fax: 1-408-333-8101 E-mail: info@brocade.com
European Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour B - 4ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 5640 Fax: +41 22 799 5641 E-mail: emea-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems China HK, Ltd. No. 1 Guanghua Road Chao Yang District Units 2718 and 2818 Beijing 100020, China Tel: +8610 6588 8888 Fax: +8610 6588 9999 E-mail: china-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Citic Plaza No. 233 Tian He Road North Unit 1308 – 13th Floor Guangzhou, China Tel: +8620 3891 2000 Fax: +8620 3891 2111 E-mail: china-info@brocade.com
Document History
Title | Publication number | Summary of changes | Date
Fabric OS Encryption Administrator’s Guide for SKM Environments | 53-1001864-01 | New product release | March 2010
Fabric OS Encryption Administrator’s Guide for SKM Environments | 53-1001864-02 | Maintenance release | November 2010
Fabric OS Encryption Administrator’s Guide for SKM Environments | 53-1002159-01 | Revised to support new features | April 2011
Fabric OS Encryption Administrator’s Guide for SKM Environments | 53-1002159-02 | Maintenance release | June 2011
Fabric OS Encryption Administrator’s Guide for SKM Environments | 53-1002159-03 | Added support for ESKM | July 2011
Fabric OS Encryption Administrator’s Guide iii 53-1002159-03
Contents
About This Document
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
How this document is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
What’s new in this document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Document conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Additional information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Getting technical help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xvii
Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Chapter 1 Encryption Overview
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Host and LUN considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
The Brocade Encryption Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
The FS8-18 blade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Performance licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Adding a license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Licensing best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Recommendation for connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Usage limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Brocade encryption solution overview. . . . . . . . . . . . . . . . . . . . . . . . . 7
Data flow from server to storage . . . . . . . . . . . . . . . . . . . . . . . . . 8
Data encryption key life cycle management . . . . . . . . . . . . . . . . . . . . 9
Master key management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Master key generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Master key backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Support for Virtual Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Cisco Fabric Connectivity support . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 2 Encryption configuration
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Encryption Center features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Encryption user privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Smart card usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Registering authentication cards from a card reader . . . . . . . . 16
Registering authentication cards from the database . . . . . . . .18
Deregistering an authentication card. . . . . . . . . . . . . . . . . . . . .19
Using authentication cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Enabling or disabling the system card requirement . . . . . . . . .20
Registering system cards from a card reader . . . . . . . . . . . . . . 21
Deregistering a system card . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Tracking smart cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Editing smart cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Configuring blade processor links . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Encryption node initialization and certificate generation. . . . . . . . .25
Steps for connecting to an SKM or ESKM appliance . . . . . . . . . . . .26
Configuring a Brocade group on SKM or ESKM. . . . . . . . . . . . . 27
Registering the SKM or ESKM Brocade group user name and password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Setting up the local Certificate Authority (CA) on SKM or ESKM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Downloading the local CA certificate from SKM or ESKM . . . .30
Creating and installing the SKM or ESKM server certificate . .30
Enabling SSL on the Key Management System (KMS) Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Creating an SKM or ESKM High Availability cluster. . . . . . . . . .32
Copying the local CA certificate for a clustered SKM or ESKM appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Adding SKM or ESKM appliances to the cluster . . . . . . . . . . . .33
Signing the Brocade encryption node KAC certificates. . . . . . .34
Importing a signed KAC certificate into a switch . . . . . . . . . . . . 35
SKM or ESKM key vault high availability deployment . . . . . . . .36
Steps for Migrating from SKM to ESKM. . . . . . . . . . . . . . . . . . . . . . .36
Steps required from the BES CLI . . . . . . . . . . . . . . . . . . . . . . . .36
Steps required using Brocade Management application . . . . . 37
Encryption preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Creating a new encryption group . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Understanding configuration status results. . . . . . . . . . . . . . . .46
Adding a switch to an encryption group. . . . . . . . . . . . . . . . . . . . . . . 47
Replacing an encryption engine in an encryption group . . . . . . . . . 53
Creating high availability (HA) clusters . . . . . . . . . . . . . . . . . . . . . . . 54
Removing engines from an HA cluster . . . . . . . . . . . . . . . . . . . .55
Swapping engines in an HA cluster . . . . . . . . . . . . . . . . . . . . . .55
Failback option. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Invoking failback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Adding encryption targets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuring hosts for encryption targets . . . . . . . . . . . . . . . . . . . . . . 64
Adding target disk LUNs for encryption . . . . . . . . . . . . . . . . . . . . . . .65
Configuring Storage Arrays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Adding target tape LUNs for encryption. . . . . . . . . . . . . . . . . . . . . . .68
Tape LUN write early and read ahead . . . . . . . . . . . . . . . . . . . . . . . . 71
Enabling and disabling tape LUN write early and read ahead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Tape LUN statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Viewing and clearing tape container statistics . . . . . . . . . . . . .73
Viewing and clearing tape LUN statistics for a container . . . . . 74
Viewing and clearing statistics for specific tape LUNs . . . . . . .75
Re-balancing the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . 77
Master keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Active master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Alternate master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Master key actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Reasons master keys can be disabled. . . . . . . . . . . . . . . . . . . .79
Saving the master key to a file . . . . . . . . . . . . . . . . . . . . . . . . . .79
Saving a master key to a key vault . . . . . . . . . . . . . . . . . . . . . . .81
Saving a master key to a smart card set . . . . . . . . . . . . . . . . . .82
Restoring a master key from a file . . . . . . . . . . . . . . . . . . . . . . .84
Restoring a master key from a key vault . . . . . . . . . . . . . . . . . .85
Restoring a master key from a smart card set. . . . . . . . . . . . . .86
Creating a new master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Viewing master key IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Zeroizing an encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Using the Encryption Targets dialog box . . . . . . . . . . . . . . . . . . . . . .90
Redirection zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Re-keying all disk LUNs manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Viewing the progress of manual re-key operations . . . . . . . . . .93
Viewing time left for auto re-key. . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Viewing and editing switch encryption properties . . . . . . . . . . . . . .95
Exporting the public key certificate signing request (CSR) from Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Importing a signed public key certificate from Properties . . . . 97
Enabling and disabling the encryption engine state from Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Viewing and editing group properties . . . . . . . . . . . . . . . . . . . . . . . .98
General tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Members tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Consequences of removing an encryption switch . . . . . . . . . .101
Security tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
HA Clusters tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Tape Pools tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Engine Operations tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Encryption-related acronyms in log messages . . . . . . . . . . . . . . . .109
Chapter 3 Configuring Brocade Encryption Using the CLI
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Command validation checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Command RBAC permissions and AD types . . . . . . . . . . . . . . . . . .113
Cryptocfg Help command output . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Management LAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Configuring cluster links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Special consideration for blades . . . . . . . . . . . . . . . . . . . . . . .117
IP Address change of a node within an encryption group. . . . 117
Steps for connecting to an SKM or ESKM appliance . . . . . . . . . . .119
Configuring a Brocade group. . . . . . . . . . . . . . . . . . . . . . . . . . .119
Setting up the local Certificate Authority (CA) . . . . . . . . . . . . .120
Downloading the local CA certificate . . . . . . . . . . . . . . . . . . . .121
Creating and installing the SKM or ESKM server certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Enabling SSL on the Key Management System (KMS) Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Creating an SKM or ESKM high availability cluster . . . . . . . . .124
Copying the local CA certificate. . . . . . . . . . . . . . . . . . . . . . . . .124
Adding SKM or ESKM appliances to the cluster . . . . . . . . . . .125
Initializing the Brocade encryption engines . . . . . . . . . . . . . . .126
Signing the Brocade encryption node KAC certificates. . . . . .127
Registering SKM or ESKM on a Brocade encryption group leader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Registering the SKM or ESKM Brocade group user name and password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
SKM or ESKM key vault high availability deployment . . . . . . .131
Adding a member node to an encryption group . . . . . . . . . . .132
Generating and backing up the master key . . . . . . . . . . . . . . . . . .135
High availability cluster configuration . . . . . . . . . . . . . . . . . . . . . . .137
HA cluster configuration rules. . . . . . . . . . . . . . . . . . . . . . . . . .137
Creating an HA cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Adding an encryption engine to an HA cluster. . . . . . . . . . . . .139
Failover/failback policy configuration. . . . . . . . . . . . . . . . . . . .139
Re-exporting a master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Exporting an additional key ID . . . . . . . . . . . . . . . . . . . . . . . . . 141
Viewing the master key IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Enabling the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Checking encryption engine status . . . . . . . . . . . . . . . . . . . . .143
Zoning considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Setting default zoning to no access . . . . . . . . . . . . . . . . . . . . .144
Frame redirection zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Creating an initiator - target zone . . . . . . . . . . . . . . . . . . . . . . .145
CryptoTarget container configuration . . . . . . . . . . . . . . . . . . . . . . .147
LUN re-balancing when hosting both disk and tape targets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Gathering information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Creating a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . .149
Removing an initiator from a CryptoTarget container . . . . . . . 151
Deleting a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . .152
Moving a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . . .153
Crypto LUN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Discovering a LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Configuring a Crypto LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Crypto LUN parameters and policies . . . . . . . . . . . . . . . . . . . .156
Configuring a tape LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Removing a LUN from a CryptoTarget container . . . . . . . . . . .159
Modifying Crypto LUN parameters . . . . . . . . . . . . . . . . . . . . . .160
LUN modification considerations . . . . . . . . . . . . . . . . . . . . . . . 161
Impact of tape LUN configuration changes. . . . . . . . . . . . . . . . . . .161
Force-enabling a disabled disk LUN for encryption . . . . . . . . .162
Tape pool configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Tape pool labeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Creating a tape pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Deleting a tape pool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Modifying a tape pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Impact of tape pool configuration changes . . . . . . . . . . . . . . .166
Configuring a multi-path Crypto LUN . . . . . . . . . . . . . . . . . . . . . . . .166
Multi-path LUN configuration example. . . . . . . . . . . . . . . . . . .166
First-time encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Resource allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
First time encryption modes . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Configuring a LUN for first time encryption . . . . . . . . . . . . . . .170
Data re-keying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Resource Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Re-keying modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Configuring a LUN for automatic re-keying. . . . . . . . . . . . . . . . 171
Initiating a manual re-key session . . . . . . . . . . . . . . . . . . . . . .172
Suspension and resumption of re-keying operations . . . . . . .173
Chapter 4 Deployment Scenarios
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Single encryption switch, two paths from host to target . . . . . . . .176
Single fabric deployment - HA cluster . . . . . . . . . . . . . . . . . . . . . . .177
Single fabric deployment - DEK cluster . . . . . . . . . . . . . . . . . . . . . .178
Dual fabric deployment - HA and DEK cluster. . . . . . . . . . . . . . . . .179
Multiple paths, one DEK cluster, and two HA clusters . . . . . . . . . .180
Multiple paths, DEK cluster, no HA cluster . . . . . . . . . . . . . . . . . . .182
Deployment in Fibre Channel routed fabrics. . . . . . . . . . . . . . . . . .183
Deployment as part of an edge fabric . . . . . . . . . . . . . . . . . . . . . . .185
Deployment with FCIP extension switches . . . . . . . . . . . . . . . . . . .186
VMware ESX server deployments. . . . . . . . . . . . . . . . . . . . . . . . . . .187
Chapter 5 Best Practices and Special Topics
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Firmware download considerations. . . . . . . . . . . . . . . . . . . . . . . . .190
Firmware upgrades and downgrades. . . . . . . . . . . . . . . . . . . .190
Data-at-rest encryption support for IBM SVC LUNs configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Specific guidelines for HA clusters . . . . . . . . . . . . . . . . . . . . . .191
Configuration upload and download considerations . . . . . . . . . . .192
Configuration upload at an encryption group leader node . . .192
Configuration upload at an encryption group member node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
Information not included in an upload . . . . . . . . . . . . . . . . . . .193
Steps before configuration download. . . . . . . . . . . . . . . . . . . .193
Configuration download at the encryption group leader. . . . .194
Configuration download at an encryption group member . . .194
Steps after configuration download . . . . . . . . . . . . . . . . . . . . .194
HP-UX considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
AIX Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Enable of a disabled LUN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Disk metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Tape metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Tape data compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Tape pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Tape block zero handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Tape key expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Configuring CryptoTarget containers and LUNs . . . . . . . . . . . . . . .197
Redirection zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Deployment with Admin Domains (AD) . . . . . . . . . . . . . . . . . . . . . .199
Do not use DHCP for IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . .199
Ensure uniform licensing in HA clusters . . . . . . . . . . . . . . . . . . . . .199
Tape library media changer considerations . . . . . . . . . . . . . . . . . .199
Turn off host-based encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Avoid double encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
PID failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Turn off compression on extension switches . . . . . . . . . . . . . . . . .200
Re-keying best practices and policies . . . . . . . . . . . . . . . . . . . . . . .200
Manual re-key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Latency in re-key operations . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Allow re-key to complete before deleting a container . . . . . . .201
Re-key operations and firmware upgrades . . . . . . . . . . . . . . .201
Do not change LUN configuration while re-keying . . . . . . . . . .201
Recommendation for Host I/O traffic during online rekeying and first time encryption . . . . . . . . . . . . . . . . . . . . . .201
KAC certificate registration expiry . . . . . . . . . . . . . . . . . . . . . . . . . .201
Changing IP addresses in encryption groups . . . . . . . . . . . . . . . . .202
Disabling the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Recommendations for Initiator Fan-Ins . . . . . . . . . . . . . . . . . . . . . .202
Best practices for host clusters in an encryption environment . . .204
HA Cluster deployment considerations and best practices . . . . . .204
Key Vault Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Tape Device LUN Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Chapter 6 Maintenance and Troubleshooting
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Encryption group and HA cluster maintenance. . . . . . . . . . . . . . . .205
Displaying encryption group configuration or status information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Removing a member node from an encryption group. . . . . . .206
Deleting an encryption group . . . . . . . . . . . . . . . . . . . . . . . . . .208
Removing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .208
Displaying the HA cluster configuration . . . . . . . . . . . . . . . . . .208
Replacing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .209
Deleting an HA cluster member . . . . . . . . . . . . . . . . . . . . . . . .211
Performing a manual failback of an encryption engine . . . . .212
Encryption group merge and split use cases . . . . . . . . . . . . . . . . .213
A member node failed and is replaced . . . . . . . . . . . . . . . . . .213
A member node reboots and comes back up . . . . . . . . . . . . .214
A member node lost connection to the group leader . . . . . . .215
A member node lost connection to all other nodes in the encryption group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Several member nodes split off from an encryption group . .216
Adjusting heartbeat signaling values . . . . . . . . . . . . . . . . . . . .217
EG split possibilities requiring manual recovery . . . . . . . . . . .217
Configuration impact of encryption group split or node isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Encryption group database manual operations . . . . . . . . . . . . . . .223
Manually synchronizing the encryption group database. . . . .223
Manually synchronizing the security database . . . . . . . . . . . .223
Aborting a pending database transaction . . . . . . . . . . . . . . . .223
Key vault diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
General encryption troubleshooting . . . . . . . . . . . . . . . . . . . . . . . .226
Troubleshooting examples using the CLI. . . . . . . . . . . . . . . . . . . . .229
Encryption Enabled Crypto Target LUN. . . . . . . . . . . . . . . . . . .229
Encryption Disabled Crypto Target LUN . . . . . . . . . . . . . . . . . .230
Management application encryption wizard troubleshooting . . . .231
Errors related to adding a switch to an existing group . . . . . .231
Errors related to adding a switch to a new group . . . . . . . . . .232
General errors related to the Configure Switch Encryption wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
LUN policy troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Loss of encryption group leader after power outage . . . . . . . . . . .235
MPIO and internal LUN states . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
Suspension and resumption of re-keying operations . . . . . . .236
FS8-18 blade removal and replacement. . . . . . . . . . . . . . . . . . . . .237
BES removal and replacement. . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Multi Node EG Case. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Single Node EG Replacement . . . . . . . . . . . . . . . . . . . . . . . . . .242
Reclaiming the WWN base of a failed Brocade Encryption Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Splitting an encryption group into two encryption groups . . . . . . .244
Moving a blade from one EG to another EG in the same fabric. . . 245
Moving a BES from one EG to another EG in the same fabric . . . . 246
Removing stale rekey information for a LUN. . . . . . . . . . . . . . . . . .247
Appendix A State and Status Information
In this appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
Encryption engine security processor (SP) states. . . . . . . . . . . . . .249
Security processor KEK status. . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Encrypted LUN states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Index
About This Document
In this chapter
How this document is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Supported hardware and software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
What’s new in this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Text formatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Command syntax conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Key terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Additional information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Brocade resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Other industry resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Getting technical help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
How this document is organized
This document is organized to help you find the information that you want as quickly and easily as possible.
The document contains the following components:
- Chapter 1, "Encryption Overview," provides a task matrix, an overview of the data encryption switch and the encryption solution, and the terminology used in this document.
- Chapter 2, "Encryption configuration using the Management application," describes how to configure and manage encryption features using Brocade Network Advisor.
- Chapter 3, "Configuring Brocade Encryption Using the CLI," describes how to configure and manage encryption features using the command line interface.
- Chapter 4, "Deployment Scenarios," describes SAN configurations in which encryption may be deployed.
- Chapter 5, "Best Practices and Special Topics," summarizes best practices and addresses special topics relevant to the implementation of encryption features.
- Chapter 6, "Maintenance and Troubleshooting," provides information on troubleshooting and the most common commands and procedures to use to diagnose and recover from problems.
- Appendix A, "State and Status Information," lists the encryption engine security processor (SP) states, security processor key encryption key (KEK) status information, and encrypted LUN states.
Supported hardware and software
The following hardware platforms support data encryption as described in this manual:
- Brocade DCX and DCX-4S with an FS8-18 encryption blade.
- Brocade Encryption Switch.
What’s new in this document
The purpose of this release is to note that HP Enterprise Secure Key Manager (ESKM) is now supported.
Document conventions
This section describes text formatting conventions and important notice formats used in this document.
Text formatting
The narrative-text formatting conventions that are used are as follows:
bold text    Identifies command names; identifies the names of user-manipulated GUI elements; identifies keywords and operands; identifies text to enter at the GUI or CLI
italic text  Provides emphasis; identifies variables; identifies paths and Internet addresses; identifies document titles
code text    Identifies CLI output; identifies command syntax examples
For readability, command names in the narrative portions of this guide are presented in mixed lettercase: for example, switchShow. In actual examples, command lettercase is often all lowercase. Otherwise, this manual specifically notes those cases in which a command is case sensitive.
Command syntax conventions
Command syntax in this manual follows these conventions:
command           Commands are printed in bold.
--option, option  Command options are printed in bold.
-argument, arg    Arguments.
[ ]               Optional element.
variable          Variables are printed in italics. In the help pages, variables are underlined or enclosed in angled brackets < >.
...               Repeat the previous element, for example "member[;member...]".
value             Fixed values following arguments are printed in plain font. For example, --show WWN
|                 Boolean. Elements are exclusive. Example: --show -mode egress | ingress
\                 Backslash. Indicates that the line continues through the line break. For command line input, type the entire line without the backslash.
Notes, cautions, and warnings
The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
NOTE: A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.
ATTENTION: An Attention statement indicates potential damage to hardware or data.
CAUTION: A Caution statement alerts you to situations that can cause damage to hardware, firmware, software, or data.
DANGER: A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
Key terms
For definitions specific to Brocade and Fibre Channel, see the technical glossaries on Brocade Connect. See “Brocade resources” on page xvi for instructions on accessing MyBrocade.
For definitions specific to this document, see “Terminology” on page 2.
For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at:
http://www.snia.org/education/dictionary
Notice to the reader
This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations.
These references are made for informational purposes only.
Corporation Referenced Trademarks and Products
IBM Tivoli Key Lifecycle Manager (TKLM)
IBM IBM Tivoli Storage Manager (TSM)
Microsoft Corporation Windows, Windows NT, Internet Explorer
NetApp Lifetime Key Manager (LKM)
EMC RSA Key Manager (RKM)
Hewlett Packard Secure Key Manager (SKM)
Hewlett Packard Enterprise Secure Key Manager (ESKM)
Thales Thales Encryption Manager for Storage (TEMS)
EMC EMC Networker
Symantec Symantec Veritas NetBackup Enterprise Server
CommVault CommVault Galaxy Data Protection
Additional information
This section lists additional Brocade and industry-specific documentation that you might find helpful.
Brocade resources
To get up-to-the-minute information, go to http://my.brocade.com and register at no cost for a user ID and password.
For practical discussions about SAN design, implementation, and maintenance, you can obtain Building SANs with Brocade Fabric Switches through:
http://www.amazon.com
For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource Library location:
http://www.brocade.com
Release notes are available on the MyBrocade website and are also bundled with the Fabric OS firmware.
Other industry resources
White papers, online demos, and data sheets are available through the Brocade website at
http://www.brocade.com/products-solutions/products/index.page.
Best practice guides, white papers, data sheets, and other documentation are available through the Brocade Partner website.
For additional resource information, visit the Technical Committee T11 Web site. This website provides interface standards for high-performance and mass storage applications for Fibre Channel, storage management, and other applications:
http://www.t11.org
For information about the Fibre Channel industry, visit the Fibre Channel Industry Association website:
http://www.fibrechannel.org
Getting technical help
Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available:
1. General Information
- Switch model
- Switch operating system version
- Error numbers and messages received
- supportSave command output
- Detailed description of the problem, including the switch or fabric behavior immediately following the problem, and specific questions
- Description of any troubleshooting steps already performed and the results
- Serial console and Telnet session logs
- syslog message logs
2. Switch Serial Number
The switch serial number and corresponding bar code are provided on the serial number label, for example: FT00X0054E9
The serial number label is located as follows:
- Brocade Encryption Switch: On the switch ID pull-out tab located inside the chassis on the port side of the switch on the left.
- Brocade DCX: On the bottom right on the port side of the chassis.
- Brocade DCX-4S: On the bottom right on the port side of the chassis, directly above the cable management comb.
3. World Wide Name (WWN)
Use the licenseIdShow command to display the WWN of the chassis.
If you cannot use the licenseIdShow command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX. For the Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the non-port side of the chassis.
Document feedback
Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to:
documentation@brocade.com
Provide the title and version number of the document and as much detail as possible about your comment, including the topic heading and page number and your suggestions for improvement.
Chapter 1
Encryption Overview
In this chapter
Host and LUN considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
The Brocade Encryption Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
The FS8-18 blade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Performance licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Recommendation for connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Usage limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Brocade encryption solution overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Data encryption key life cycle management . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Master key management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Support for Virtual Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Cisco Fabric Connectivity support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Host and LUN considerations
Encrypting data-at-rest provides peace of mind in terms of protecting data from loss or theft, but very careful planning must be done to ensure encrypted data is handled correctly. Much of the planning must come from careful evaluation of host application and LUN resources, and of the path that the data will take to get from one or more hosts to a LUN.
When implementing encryption for data-at-rest, all hosts that access a LUN that is to hold encrypted data need to be configured for encryption to avoid data corruption. If a host, possibly in another fabric, writes cleartext to an encrypted LUN, the data on the LUN will be lost. The user must ensure that all hosts that can access a LUN are configured in the same manner.
Terminology
The following are definitions of terms used extensively in this document.
ciphertext: Encrypted data.
cleartext: Unencrypted data.
CryptoModule: The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.
Data Encryption Key (DEK): An encryption key generated by the encryption engine. The DEK is used to encrypt cleartext received from a host before it is sent to a target LUN, and to decrypt that data when it is retrieved by the host.
Data Encryption Key Cluster (DEK Cluster): A cluster of encryption engines which can host all paths to a LUN and share the same data encryption key (DEK) set. The encryption engines can be in the same or different fabrics. DEK clusters enable host MPIO failover.
Encryption Engine: The entity within a node that performs encryption operations, including the generation of Data Encryption Keys.
Encryption Group: A collection of one or more DEK clusters, HA clusters, or both, which share the same key vault and device configuration and are managed as a single group.
Failback: In the context of this implementation of encryption, failback refers to behavior after a failed encryption switch recovers. Devices that were transferred to another switch by failover processing may be transferred back automatically, or they may be switched back manually. This is determined by a configuration option.
Failover: In the context of this implementation of encryption, failover refers to the automatic transfer of devices hosted by one encryption switch to another encryption switch within a high availability cluster (HA cluster).
Group Leader: A special node within an encryption group which acts as a group and cluster manager, and manages and distributes all group-wide and cluster-wide configurations to all members of the group or cluster.
High Availability Cluster (HA Cluster): A collection of peer-level encryption engines that provide failover capabilities within a fabric.
Key Encryption Key (KEK): A key used to encrypt and decrypt Data Encryption Keys (DEKs) within encryption devices so that DEKs can be transmitted securely outside of the encryption engines and stored persistently inside key vaults.
Link Key: A shared secret exchanged between an encryption engine and a FIPS 140-2 level 3 certified key management appliance and key vault. The link key is a Key Encryption Key (KEK) that is used to encrypt Data Encryption Keys (DEKs) in transit over a secure connection to and from the key vault. The key management appliance decrypts the DEKs and stores them encrypted with its own master key.
Logical Unit Number (LUN): The identifier of a SCSI logical unit.
Master Key: A Key Encryption Key (KEK) used to encrypt and decrypt DEKs when storing DEKs in opaque key vaults. There is one master key per encryption group; all node encryption engines within an encryption group use the same master key to encrypt and decrypt the DEKs.
Node: In terms of encryption, a Brocade Encryption Switch, DCX, or DCX-4S through which users can manage an encryption engine.
Opaque Key Vault: A storage location that provides untrusted key management functionality. Its contents may be visible to a third party. DEKs in an opaque key vault are stored encrypted under a master key to protect them.
Recovery cards: A set of smart cards that contain a backup master key. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the Brocade Data Center Fabric Manager (DCFM) application to restore the master key. Recovery cards may be stored in different locations, making it very difficult to steal the master key. The cards should not be stored together, as that defeats the purpose.
Redirection zone: When encryption is implemented, data traffic is routed to and from virtual initiators and virtual targets. Redirection zones are automatically created to enable frame redirection to the virtual initiators and virtual targets.
Re-keying: Re-keying refers to decrypting data with the current Data Encryption Key (DEK) and encrypting it with a new DEK. This is done when the security of the current key is compromised, or when a DEK is configured to expire in a specific time frame. The re-keying operation can also be used to encrypt existing data currently stored as cleartext. In that case there is no existing DEK, and the data does not have to be decrypted before it is encrypted using the new DEK.
Trusted Key Vault: Very secure storage on a hardware appliance that establishes a trusted link with the encryption device for secure exchange of DEKs. DEKs are encrypted with the link key for transit between the encryption device and the hardware appliance. At the hardware appliance, the DEKs are re-encrypted using a master key created and maintained by the hardware appliance, and then stored in the trusted key vault.
Virtual Initiator: A logical entity that acts as a stand-in for a physical host when communicating with a physical target LUN.
Virtual Target: A logical entity that acts as a stand-in for a physical target LUN when communicating with a physical host. A virtual target is mapped one to one to a specific physical target.
The Brocade Encryption Switch
The Brocade Encryption Switch (BES) is a high performance 32 port auto-sensing 8 Gbps Fibre Channel switch with data cryptographic (encryption/decryption) and data compression capabilities. The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives, disk array LUNs, and virtual tape libraries by encrypting the data using Advanced Encryption Standard (AES) 256-bit algorithms. Encryption and decryption engines provide in-line encryption services with up to 96 Gbps throughput for disk I/O (mix of ciphertext and cleartext traffic) and up to 48 Gbps throughput for tape I/O (mix of ciphertext and cleartext traffic). Refer to "Performance licensing" on page 5 for information about license requirements for 48 Gbps and 96 Gbps throughput.
In addition to its 32 Fibre Channel ports, the switch has one RJ45 Gigabit Ethernet (GE) management port, two RJ45 GE ports for clustering interconnection and re-key synchronization, one RJ45 serial console port, and one USB port for serviceability, error logging, and firmware upgrades (Figure 1).
FIGURE 1 Brocade Encryption Switch
1. Power LED.
2. Status LED.
3. RJ45 gigabit Ethernet ports (labeled eth0 and eth1) for clustering and centralized management of multiple encryption switches through a group leader.
4. Smart card reader.
5. RJ45 gigabit Ethernet port for the management interface. This interface is used for the secure connection to the key vault location and to the Data Center Fabric Manager (DCFM).
6. RJ45 serial console port.
7. USB port for firmware upgrades and other support services.
8. Fibre Channel ports (0-31): 1, 2, 4, or 8 Gbps auto-sensing F, FL, E, EX, or M ports to connect host servers, SAN disks, SAN tapes, edge switches, or core switches.
The FS8-18 blade
The FS8-18 blade provides the same features and functionality as the encryption switch. The FS8-18 blade installs on the Brocade DCX and DCX-4S. Four FS8-18 blades may be installed in a single DCX or DCX-4S.
FIPS mode
Both the BES and the FS8-18 blade always boot up in FIPS mode, which cannot be disabled. In this mode, only FIPS-compliant algorithms are allowed.
Performance licensing
Encryption processing power is scalable, and may be increased by purchasing and installing an encryption performance license. The base unit Brocade Encryption Switch and FS8-18 Encryption Blade have a standard capacity of 48 Gbps of encryption processing power. Additional encryption processing power can be added for disk I/O by purchasing and installing an Advanced Disk Encryption Performance Upgrade license. When the performance upgrade license is applied, encryption processing power of up to 96 Gbps is available for disk encryption. Note that when the license is applied to a DCX or DCX-4S chassis, it applies to all FS8-18 blades installed on that chassis.
Adding a license
The encryption performance licenses are added just like any other Fabric OS feature license. After the license is added, the encryption switch, DCX, or DCX-4S with encryption blades installed must be rebooted for the license to take effect. See the Fabric OS Administrator’s Guide for information about obtaining and adding licenses.
Licensing best practices
Licenses installed on the switches and blades must have identical performance numbers when used together in high availability (HA) clusters or data encryption key (DEK) clusters.
Recommendation for connectivity
In order to achieve high performance and throughput, the encryption engines perform what is referred to as "cut-through" encryption. In simple terms, this is achieved by encrypting the data in data frames on a per-frame basis. This enables the encryption engine to buffer only one frame, encrypt it, and send the frame out to the target on write I/Os. For read I/Os, the reverse is done. This puts some constraints on the topology and the container configurations to support acceptable performance for encrypted and decrypted I/O to and from LUNs, and to support acceptable levels of scale in terms of the number of LUNs and the number of flows. The topology and container configuration constraints are stated below:
Care must be taken when connecting the encryption engines to the fabric and configuring crypto-target containers to be sure that the traffic flow between the host initiator and the physical storage array LUN through the container flows through only one encryption engine that is hosting the container. This is to avoid crisscrossing of flows to and from virtual entities; that is, from virtual targets and virtual initiators on two different encryption engines over the same path.
Although there is considerable flexibility in connecting and configuring the containers for encryption, the following guidelines are the recommended best practices:
- Host and storage array ports that are not involved in any encryption flow can be connected to any encryption engines (EEs).
- Recommendations for host and target ports with respect to encryption flows are as follows:
  - For high availability (HA) purposes, only ISLs are connected to the Brocade Encryption Switch encryption engine to connect it to the fabric. No devices (initiators and targets) are connected to it.
  - To maintain HA, we recommend that devices (hosts and targets) and ISLs not be connected directly to the encryption blades (FS8-18) in a DCX/DCX-4S in a single-path configuration.
Usage limitations
There are usage limitations to be aware of when planning an encryption implementation:
- Special redirection zones are created to handle data that is redirected to an encryption switch or blade. Quality of Service (QoS) cannot be applied to a redirection zone.
- For frame redirection to be applied, regular zones for hosts and targets must be defined in the effective configuration. Hosts and targets must be zoned together by worldwide port name (WWPN) rather than worldwide node name (WWNN) in configurations where frame redirection will be used. If hosts or targets are zoned together using worldwide node name, frame redirection will not occur properly.
- Alias zoning is not supported in containers. You must use the real WWPN.
- On tapes written in DataFort format, the encryption switch or blade cannot read and decrypt files with a block size of 1 MB or greater.
- The Top Talker feature is not compatible with redirection zones. The Top Talker feature should not be enabled when an encryption switch or blade is present in the fabric.
Brocade encryption solution overview
[Figure 2 elements: Host; Encryption Switch; Key Management System; Disk Storage; Tape Storage. Cleartext passes between the host and the switch, DEKs are exchanged between the switch and the key management system, and toward disk and tape storage the switch sends ciphertext based on AES256-GCM or AES256-XTS, or cleartext for traffic that is not encrypted.]
The loss of stored private data, trade secrets, intellectual properties, and other sensitive information through theft or accidental loss of disk or tape media can have widespread negative consequences for governments, businesses, and individuals. This threat is countered by an increasing demand from governments and businesses for solutions that create and enforce policies and procedures that protect stored data. Encryption is a powerful tool for data protection. Brocade provides an encryption solution that resides in a Storage Area Network (SAN) fabric. This location, between computers and storage, is ideal for implementing a solution that works transparently with heterogeneous servers, disk storage subsystems, and tape libraries. Data entering the SAN from a server is encrypted before it is written to storage. When stored data is encrypted, theft or loss of storage media does not pose a security threat.
Figure 2 provides a high-level view of the Brocade encryption solution. Cleartext is sent from the server to the encryption engine, where it is encrypted into ciphertext using one of two encryption algorithms: one for disk storage targets, and one for tape storage targets. The encrypted data cannot be read without first being decrypted. The key management system is required for management of the data encryption keys (DEKs) that are generated by the encryption engine, and used for encrypting and decrypting the data. The key management system is provided by a third-party vendor.
FIGURE 2 Encryption overview
[Figure 3 elements: Host; Encryption Switch hosting a Virtual Target and a Virtual Initiator; Target with LUN X in Fabric 1. Cleartext flows between the host and the virtual target; ciphertext flows between the virtual initiator and the target.]
Data flow from server to storage
The Brocade Encryption Switch can be introduced into a SAN with minimum disruption, with no need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent between a host and a target LUN are redirected to a virtual target associated with the encryption switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
FIGURE 3 Frame redirection
[Figure 4 elements: an Encryption Group of Node 1 through Node 4, each with an encryption engine (EE), one node acting as Group Leader. The nodes are connected to each other over the IO Sync LAN and to the Key Management System over the LAN.]
Data encryption key life cycle management
Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed. To be sure the data remains accessible, DEKs may also need to be stored for years or decades. Key management systems provide life cycle management for all DEKs created by the encryption engine. Key management systems are provided by third-party vendors.
Figure 4 shows the relationship of the LAN connections to the key vault and between encryption nodes.
FIGURE 4 LAN connections to the key vault, and between encryption nodes
Regardless of the length of the life cycle, there are four stages in the life of a DEK, as shown in Figure 5. A DEK is created by an encryption engine, distributed, then stored in a key vault. The key is used to encrypt and decrypt data at least once, and possibly many times. A DEK may be configured to expire in a certain time frame to avoid becoming compromised. Under those conditions, it must be used one more time to decrypt the data, and the resulting cleartext is encrypted with a new key (re-keyed).
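The four stages above, together with the Key Encryption Key, Master Key and Re-keying definitions under "Terminology", describe a two-level key hierarchy: a DEK encrypts the data, and the master key (a KEK) encrypts the DEK before it leaves the encryption engine for an opaque key vault. The Go program below is an added illustration of that hierarchy; it is not Brocade code and does not reproduce the product's vault record format or its data-path cipher mode. It uses AES-256-GCM for both the DEK wrap and the data blocks, and the key identifier string and the use of the logical block address as associated data are assumptions made for this example.

```go
// Added example, not Brocade code: a two-level key hierarchy in which DEKs
// encrypt data and the master key (a KEK) wraps DEKs before they leave the engine.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// WrappedDEK is the record that may leave the engine for an opaque key vault.
type WrappedDEK struct {
	KeyID   string // hypothetical label, e.g. LUN identity plus key generation
	Nonce   []byte
	Wrapped []byte // DEK encrypted under the master key, GCM tag appended
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// gcmSeal encrypts plaintext with a fresh random nonce; aad is authenticated only.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}
// NewKey generates a 256-bit key; used here for both the master key and DEKs.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}
// WrapDEK binds keyID as associated data, so a stored record cannot be
// re-labelled and unwrapped for a different LUN or key generation.
func WrapDEK(masterKey, dek []byte, keyID string) (WrappedDEK, error) {
	nonce, ct, err := gcmSeal(masterKey, dek, []byte(keyID))
	if err != nil {
		return WrappedDEK{}, err
	}
	return WrappedDEK{KeyID: keyID, Nonce: nonce, Wrapped: ct}, nil
}
// UnwrapDEK fails on a wrong master key, an altered record, or a changed KeyID.
func UnwrapDEK(masterKey []byte, rec WrappedDEK) ([]byte, error) {
	dek, err := gcmOpen(masterKey, rec.Nonce, rec.Wrapped, []byte(rec.KeyID))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong master key or tampered record")
	}
	return dek, nil
}
// EncryptBlock and DecryptBlock stand in for the data path; the logical block
// address is bound as AAD so a block cannot be replayed at another address.
func EncryptBlock(dek, cleartext []byte, lba uint64) (nonce, ct []byte, err error) {
	return gcmSeal(dek, cleartext, []byte(fmt.Sprintf("lba:%d", lba)))
}
func DecryptBlock(dek, nonce, ct []byte, lba uint64) ([]byte, error) {
	return gcmOpen(dek, nonce, ct, []byte(fmt.Sprintf("lba:%d", lba)))
}
// Rekey is the last life-cycle stage: decrypt under the expiring DEK, encrypt
// under a fresh one, and return the new DEK for the caller to wrap and store.
func Rekey(oldDEK, nonce, ct []byte, lba uint64) (newDEK, newNonce, newCT []byte, err error) {
	pt, err := DecryptBlock(oldDEK, nonce, ct, lba)
	if err != nil {
		return nil, nil, nil, err
	}
	if newDEK, err = NewKey(); err != nil {
		return nil, nil, nil, err
	}
	newNonce, newCT, err = EncryptBlock(newDEK, pt, lba)
	return newDEK, newNonce, newCT, err
}

func main() {
	master, _ := NewKey() // in the product, generated by the group leader
	dek, _ := NewKey()
	rec, _ := WrapDEK(master, dek, "lun-0001/gen-1")
	rec.KeyID = "lun-0002/gen-1" // re-label the vault record for another LUN
	_, err := UnwrapDEK(master, rec)
	fmt.Println("re-labelled record rejected:", err != nil)
}
```

Two checks are worth noting: the key identifier is authenticated together with the wrapped DEK, so a vault record cannot be re-labelled and unwrapped for a different LUN or key generation; and after Rekey the old DEK no longer decrypts the block, which is the intended outcome when a DEK is suspected compromised or has reached its configured expiry.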
FIGURE 5 DEK life cycle
Master key management
DEKs sent to and stored in opaque key vaults are encrypted using a master key that is created by the encryption engine on the encryption switch. Currently, this includes the key vaults of all supported key management systems except NetApp LKM.
Master key generation
A master key is generated once by the group leader encryption engine and then propagated to the other members of the encryption group.
Master key backup
It is essential to back up the master key immediately after it is generated. The master key may be backed up to any of the following:
- A file, as an encrypted key.
- The key management system, as an encrypted key record.
- A set of recovery smart cards. This option is only available if the switch is managed by the Data Center Fabric Manager (DCFM), and if a card reader is available for attachment to the DCFM workstation.
NOTE: The use of smart cards provides the highest level of security. When smart cards are used, the key is split and written on up to 10 cards. Each card may be kept and stored by a different individual. A quorum of key holders is needed to restore the key. For example, if five key holders exist and the quorum is set to three, any three of the five key holders are needed to restore the key.
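The quorum described in the note (any three of five card holders restore the key) is the defining property of a threshold secret-sharing scheme. The Go program below is an added example and not Brocade code: it splits a 32-byte key into shares with Shamir secret sharing over GF(2^8), byte by byte, so that any k of n shares reconstruct it and fewer do not. The page does not state which algorithm or card format the product uses, so this illustrates the quorum property rather than the product's implementation; the 3-of-5 parameters and the SHA-256 key check value are assumptions made for this example.

```go
// Added example, not Brocade code: Shamir secret sharing over GF(2^8), one random
// polynomial per key byte, showing the "any k of n cards restore the key" quorum.
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// gfMul multiplies in GF(2^8) with the AES reduction polynomial 0x11b.
func gfMul(a, b byte) byte {
	var p byte
	for ; b != 0; b >>= 1 {
		if b&1 != 0 {
			p ^= a
		}
		a = byte(uint16(a)<<1 ^ (uint16(a)>>7)*0x11b) // a = a * x mod 0x11b
	}
	return p
}
// gfInv returns a^254 = a^-1; gfInv(0) is 0, which is why Combine rejects duplicate indices.
func gfInv(a byte) byte {
	r := byte(1)
	for i := 0; i < 254; i++ {
		r = gfMul(r, a)
	}
	return r
}
// Share is one recovery card: a share index (never 0) plus one byte per key byte.
type Share struct {
	X byte
	Y []byte
}
// Split produces n shares of which any k reconstruct secret.
func Split(secret []byte, n, k int) ([]Share, error) {
	if k < 2 || k > n || n > 255 {
		return nil, errors.New("need 2 <= k <= n <= 255")
	}
	coeffs := make([]byte, len(secret)*(k-1)) // k-1 random coefficients per key byte
	if _, err := rand.Read(coeffs); err != nil {
		return nil, err
	}
	shares := make([]Share, n)
	for i := range shares {
		x := byte(i + 1)
		y := make([]byte, len(secret))
		for b, s := range secret {
			var acc byte // Horner: evaluate c_{k-1} x^{k-1} + ... + c_1 x + s at x
			for j := (b+1)*(k-1) - 1; j >= b*(k-1); j-- {
				acc = gfMul(acc, x) ^ coeffs[j]
			}
			y[b] = gfMul(acc, x) ^ s
		}
		shares[i] = Share{X: x, Y: y}
	}
	return shares, nil
}
// Combine interpolates every byte at x = 0. With fewer than k distinct shares it
// returns a wrong key, not an error; compare KeyCheck values to detect that.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares")
	}
	seen := map[byte]bool{}
	for _, s := range shares {
		if s.X == 0 || seen[s.X] || len(s.Y) != len(shares[0].Y) {
			return nil, errors.New("invalid or duplicate share")
		}
		seen[s.X] = true
	}
	out := make([]byte, len(shares[0].Y))
	for b := range out {
		for i, si := range shares {
			num, den := byte(1), byte(1)
			for m, sm := range shares {
				if m != i {
					num = gfMul(num, sm.X)      // (0 - x_m) is x_m in characteristic 2
					den = gfMul(den, si.X^sm.X) // (x_i - x_m)
				}
			}
			out[b] ^= gfMul(si.Y[b], gfMul(num, gfInv(den)))
		}
	}
	return out, nil
}
// KeyCheck is a 32-bit key check value kept beside the cards, so an incomplete
// quorum or a damaged card is detected instead of being trusted as the key.
func KeyCheck(key []byte) string {
	sum := sha256.Sum256(key)
	return fmt.Sprintf("%x", sum[:4])
}

func main() {
	master := make([]byte, 32) // stands in for the group's master key
	rand.Read(master)
	shares, _ := Split(master, 5, 3) // five cards, quorum of three
	got, _ := Combine([]Share{shares[4], shares[1], shares[2]})
	fmt.Println("3 of 5 restores key:", KeyCheck(got) == KeyCheck(master))
}
```

Combine does not fail when given fewer than k shares; it returns a different key, which is why this example stores a key check value beside the shares. The same property is the reason the Recovery cards definition insists that the cards be kept apart: any k of them are the master key.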
Support for Virtual Fabrics
The Brocade Encryption Switch does not support the logical switch partitioning capability and, thus, cannot be partitioned, but the switch can be connected to any Logical Switch partition or Logical Fabric using an E-Port.
The FS8-18 encryption blades are supported only in a default switch partition. All FS8-18 blades must be placed in a default switch partition in a DCX or DCX-4S chassis. The encryption resource from the default switch partition/fabric can be shared with other logical switch partitions/fabrics or other fabrics only through external device sharing using FCR or EX_Ports through a base switch/fabric. A separate port blade must be used in the base switch/fabric for EX_Port connectivity from the logical switch partition (default switch partition) of FS8-18 blades and host/target fabrics. The EX_Port can be on any external FCR switch.
Refer to the Fabric OS Administrator's Guide for more details on how to configure the DCX and DCX-4S in Virtual Fabrics environments, including configuration of the default switch partition and any other logical switch partitions.
Cisco Fabric Connectivity support
The Brocade Encryption Switch provides NPIV mode connectivity to Cisco fabrics. Connectivity is supported for Cisco SAN OS 3.3 and later versions.
Cisco fabric connectivity is provided only on the Brocade Encryption Switch. The FS8-18 blade for the Brocade DCX and DCX-4S platforms does not support this feature.
Chapter 2
Encryption configuration
In this chapter
Encryption Center features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Encryption user privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Smart card usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Network connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configuring blade processor links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Encryption node initialization and certificate generation. . . . . . . . . . . . . . . 25
Steps for connecting to an SKM or ESKM appliance . . . . . . . . . . . . . . . . . . 26
Steps for Migrating from SKM to ESKM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Encryption preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Creating a new encryption group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Adding a switch to an encryption group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Replacing an encryption engine in an encryption group . . . . . . . . . . . . . . . 53
Creating high availability (HA) clusters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Adding encryption targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuring hosts for encryption targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Adding target disk LUNs for encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Adding target tape LUNs for encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Tape LUN write early and read ahead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Tape LUN statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Re-balancing the encryption engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Master keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Zeroizing an encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Using the Encryption Targets dialog box . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Re-keying all disk LUNs manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Viewing time left for auto re-key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Viewing and editing switch encryption properties. . . . . . . . . . . . . . . . . . . . . 95
Viewing and editing group properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Encryption-related acronyms in log messages . . . . . . . . . . . . . . . . . . . . . . 109
Encryption Center features
The Encryption Center dialog box is the single launching point for all encryption-related configuration in the Management application. It also provides a table that shows the general status of all encryption-related hardware and functions at a glance.
FIGURE 6 Encryption Center dialog box
Beginning with Fabric OS 6.4, the Encryption Center is dynamically updated to reflect the latest changes based on any of the following events:
Encryption group creation or deletion.
A change in encryption group status.
Addition or removal of an encryption group member.
Addition or removal of an encryption engine.
A change in encryption engine status.
If you are using the Encryption Center for the first time, please read the following topics before you begin to perform encryption operations:
“Encryption user privileges” on page 15 describes the Role-based Access Control privileges that are specific to encryption.
“Smart card usage” on page 16 and the topics that follow describe the options available for the use of Smart Cards for user authentication, system access control, and storing backup copies of data encryption master keys.
“Network connections” on page 24 describes the network connections that must be in place to enable encryption.
“Configuring blade processor links” on page 24 describes the steps for interconnecting encryption switches or blades in an encryption group through a dedicated LAN. This must be done before their encryption engines are enabled. Security parameters and certificates cannot be exchanged if these links are not configured and active.
“Encryption node initialization and certificate generation” on page 25 lists the security parameters and certificates that are generated when an encryption node is initialized.
“Steps for connecting to an SKM or ESKM appliance” on page 26 lists the supported key manager appliances, and lists topics that provide additional detail.
Encryption user privileges
In the Management application, resource groups are assigned privileges, roles, and fabrics. Privileges are not directly assigned to users; users get privileges because they belong to a role in a resource group. A user can only belong to one resource group at a time.
The Management application provides three pre-configured roles:
Storage encryption configuration.
Storage encryption key operations.
Storage encryption security.
Table 1 lists the associated roles and their read/write access to specific operations. The functions are enabled from the Encryption Center dialog box:
TABLE 1 Encryption User Privileges
Privilege: Storage Encryption Configuration
Read/Write:
Launch the Encryption Center dialog box.
View switch, group, or engine properties.
View the Encryption Group Properties Security tab.
View encryption targets, hosts, and LUNs.
View LUN centric view.
View all re-key sessions.
Add/remove paths and edit LUN configuration on LUN centric view.
Re-balance encryption engines.
Clear tape LUN statistics.
Create a new encryption group or add a switch to an existing encryption group.
Edit group engine properties (except for the Security tab).
Add targets.
Select encryption targets and LUNs to be encrypted or edit LUN encryption settings.
Edit encryption target hosts configuration.
Show tape LUN statistics.
Privilege: Storage Encryption Key Operations
Read/Write:
Launch the Encryption Center dialog box.
View switch, group, or engine properties.
View the Encryption Group Properties Security tab.
View encryption targets, hosts, and LUNs.
View LUN centric view.
View all re-key sessions.
Initiate manual re-keying of all disk LUNs.
Initiate refresh DEK.
Enable and disable an encryption engine.
Zeroize an encryption engine.
Restore a master key.
Edit key vault credentials.
Show tape LUN statistics.
Privilege: Storage Encryption Security
Read/Write:
Launch the Encryption Center dialog box.
View switch, group, or engine properties.
View the Encryption Group Properties Security tab.
View LUN centric view.
View all re-key sessions.
View encryption targets, hosts, and LUNs.
Create a master key.
Backup a master key.
Edit smart card.
View and modify settings on the Encryption Group Properties Security tab (quorum size, authentication cards list and system card requirement).
Show tape LUN statistics.
Smart card usage
Smart cards are credit card-sized cards that contain a CPU and persistent memory. Smart cards can be used as security devices. You must have Storage Encryption Security user privileges to activate, register, and configure smart cards.
Smart cards can be used to do the following:
Control user access to the Management application security administrator roles.
Control activation of encryption engines.
Securely store backup copies of master keys.
Smart card readers provide a plug-and-play interface to read and write to a smart card. The following smart card readers are supported:
GemPlus GemPC USB
http://www.gemalto.com/readers/index.html
SCM MicrosystemsSCR331
http://www.scmmicro.com/security/view_product_en.php?PID=2
NOTE
Only the Brocade smart cards that are included with the BES/FS8-18 are supported.
See the following procedures for instructions about how to manage smart cards:
“Registering authentication cards from a card reader” on page 16
“Registering system cards from a card reader” on page 21
“Tracking smart cards” on page 22
“Saving a master key to a smart card set” on page 82
“Restoring a master key from a smart card set” on page 86
Registering authentication cards from a card reader
When authentication cards are used, one or more authentication cards must be read by a card reader attached to a Management application PC to enable certain security-sensitive operations. These include the following:
Master key generation, backup, and restore operations.
Replacement of authentication card certificates.
Enabling and disabling the use of system cards.
Changing the quorum size for authentication cards.
Establishing a trusted link with the NetApp LKM key manager.
Decommissioning LUNs.
To register an authentication card or a set of authentication cards from a card reader, you must have the cards physically available. Authentication cards can be registered during encryption group or member configuration when running the configuration wizard, or they can be registered using the following procedure.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select an encryption group from the Encryption Center Devices table, then select Group > Security from the menu task bar, or right-click an encryption group and select Security.
The Encryption Group Properties dialog box displays, with the Security tab selected.
FIGURE 7 Encryption Group Properties dialog box - registering authentication cards
3. Locate the Authentication Card Quorum Size and select the quorum size from the list.
The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
Ignore the System Cards setting for now.
4. Click Register from Card Reader to register a new card.
The Add Authentication Card dialog box displays.
FIGURE 8 Add Authentication Card dialog box
5. Insert a smart card into the card reader. Wait for the card serial number to appear, then enter card assignment information as directed.
6. Click OK.
7. Wait for the confirmation dialog box indicating initialization is done, then click OK.
The card is added to the Registered Authentication Cards table in the Encryption Group Properties dialog box.
8. Repeat step 5 through step 7 until you have successfully registered all cards. Ensure that the number of cards registered equals at least the quorum size plus one.
For more information, see “Tracking smart cards” on page 22.
Registering authentication cards from the database
Smart cards that are already in the Management program’s database can be registered as authentication cards.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select an encryption group from the Encryption Center Devices table, then select Security from the menu task bar, or right-click an encryption group and select Security.
The Encryption Group Properties dialog box displays with the Security tab selected.
3. Click Register from Archive.
The Authentication Cards dialog box displays. The dialog box lists the smart cards that are in the database.
FIGURE 9 Authentication Cards dialog box - registering smart cards from archive
4. Select a card from the table, then click OK.
5. Wait for the confirmation dialog box indicating initialization is done, then click OK.
The card is added to the Registered Authentication Cards table in the Encryption Group Properties dialog box.
Deregistering an authentication card
Authentication cards can be removed from the database and the switch by deregistering them. Use the following procedure to deregister an authentication card.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select an encryption group from the Encryption Center Devices table, then select Group > Security from the menu task bar, or right-click an encryption group and select Security.
The Encryption Group Properties dialog box displays with the Security tab selected.
3. Select the authentication card in the Registered Authentication Cards table.
4. Click Deregister.
5. A confirmation dialog box displays. Click Yes to confirm deregistration.
The registered authentication card is removed from the table.
6. Click OK.
The card is deregistered from the group.
Using authentication cards
When a quorum of authentication cards is registered for use, an Authenticate dialog box is displayed to grant access to the following:
The Encryption Group Properties dialog box Link Keys tab (for NetApp LKM only).
The Encryption Group Properties dialog box Security tab, which provides access to the following:
- Master Key Actions, which includes Backup Master Key, Restore Master Key, and Create Master Key.
- System Cards radio buttons used to specify whether a system card is Required or Not Required.
- Authentication Card Quorum Size selector.
- Register from Card Reader, Register From Archive, and Deregister buttons.
The Master Key Backup dialog box.
The Master Key Restore dialog box.
To authenticate using a quorum of authentication cards, complete the following steps:
1. When the Authenticate dialog box is displayed, gather the number of cards needed, per instructions in the dialog box. The currently registered cards and the assigned owners are listed in the table near the bottom of the dialog box.
2. Insert a card, then wait for the ID to appear in the Card ID field.
3. Enter the assigned password.
4. Click Authenticate.
5. Wait for the confirmation dialog box, then click OK.
6. Repeat step 2 through step 5 for each card until at least the quorum plus one is reached.
7. Click OK.
Enabling or disabling the system card requirement
To use a system card to control activation of an encryption engine on a switch, you must enable the system card requirement. You can use the following procedure to enable or disable the system card requirement.
1. Select an encryption group from the Encryption Center Devices table, then select Group > Security from the menu task bar, or right-click a group and select Security.
The Encryption Group Properties dialog box displays, with the Security tab selected.
2. Do one of the following:
Set System Cards to Required to require the use of a system card for controlling activation of the encryption engine. Click OK after reading the message in the encryption message dialog box.
Set System Cards to Not Required to permit activation of the encryption engine without the need to read a system card first.
Registering system cards from a card reader
System cards are smart cards that can be used to control activation of encryption engines. Encryption switches and blades have a card reader that enables the use of a system card. System cards discourage theft of encryption switches or blades by requiring the use of a system card at the switch or blade to enable the encryption engine. When the switch or blade is powered off, the encryption engine will not work without first inserting a system card into its card reader. If someone removes a switch or blade with the intent of accessing the encryption engine, it will function as an ordinary FC switch or blade when it is powered up, but use of the encryption engine is denied.
To register a system card from a card reader, a smart card must be physically available. System cards can be registered during encryption group creation or member configuration when running the configuration wizard, or they can be registered using the following procedure.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a switch from the Encryption Center Devices table, then select Switch > System Cards from the menu task bar, or right-click a switch and select System Cards.
The System Cards dialog box displays.
FIGURE 10 System Cards dialog box
3. Insert a smart card into the card reader. Wait for the card serial number to appear, then enter card assignment information as directed.
4. Click OK.
5. Wait for the confirmation dialog box indicating initialization is done, then click OK.
The card is added to the Registered System Cards table.
6. Store the card in a secure location, not in proximity to the switch or blade.
Deregistering a system card
System cards can be removed from the database by deregistering them. Use the following procedure to deregister a system card:
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select the switch from the Encryption Center Devices table, then select Switch > System Cards from the menu task bar, or right-click the switch and select System Cards.
The System Cards dialog box displays.
3. Select the system card to deregister.
4. Click Deregister.
5. A confirmation dialog box displays. Click OK to confirm deregistration.
The card is removed from the Registered System Cards table.
Tracking smart cards
Use the Smart Card Tracking dialog box to track smart card details.
1. From the Encryption Center, select Smart Card > Smart Card Tracking.
The Smart Card Asset Tracking dialog box displays.
FIGURE 11 Smart Card asset tracking dialog box
2. Select a smart card from the table, then do one of the following:
Click Delete to remove the smart card from the Management application database.
Deleting smart cards from the Management application database keeps the Smart Cards table at a manageable size, but does not invalidate the smart card. The smart card can still be used. You must deregister a smart card to invalidate its use.
Click Save As to save the entire list of smart cards to a file. The available formats are comma-separated values (.csv) and HTML files (.html).
Editing smart cards
Use the Edit Smart Card dialog box to edit smart card details.
1. From the Encryption Center dialog box, select Smart Card > Edit Smart Card from the menu task bar.
The Edit Smart Card dialog box displays.
FIGURE 12 Edit Smart Card dialog box
2. Insert the smart card into the card reader.
3. After the card’s ID is displayed in the Card ID field, enter the Card Password, then click Login.
4. Edit the card assignment user information as needed.
5. Click OK.
Network connections
Before you use the encryption setup wizard for the first time, you must have the following required network connections:
The management ports on all devices that will perform encryption (Brocade Encryption Switches, or DCX and DCX-4S chassis with encryption blades installed) must have a LAN connection to the SAN management program, and must be available for discovery.
A supported key management appliance must be connected on the same LAN as the management port of each device that will perform encryption, and the SAN Management program.
In some cases, you may want to have an external host available on the LAN to facilitate certificate exchange between encryption nodes and the key management appliance. You may use the SAN management program host computer rather than an external host.
All switches in the planned encryption group must be interconnected on a private LAN. This LAN is used to exchange security parameters and certificates, and to synchronize encryption engine operations. Refer to “Configuring blade processor links” on page 24 for details.
Configuring blade processor links
Each encryption switch or blade has two GbE ports labeled Ge0 and Ge1. The Ge0 and Ge1 ports are Ethernet ports that connect encryption switches and blades to other encryption switches and blades. Both ports of each encryption switch or blade must be connected to the same IP network and the same subnet. Static IP addresses should be assigned. Neither VLANs nor DHCP should be used. These two ports are bonded together as a single virtual network interface to provide link layer redundancy.
All encryption switches and blades in an encryption group must be interconnected by these links through a dedicated LAN before their encryption engines are enabled. Security parameters and certificates cannot be exchanged if these links are not configured and active.
To configure blade processor links, complete the following steps:
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select the encryption engine from the Encryption Center Devices table, then select Engine > Blade Processor Link from the menu task bar, or right-click the encryption engine and select Blade Processor Link.
The Blade Processor Link dialog box displays.
FIGURE 13 Blade Processor Link dialog box
3. Enter the link IP address and mask, and the gateway IP address.
4. Click OK.
The Blade Processor Link dialog box can also be launched from the following locations:
- Select an encryption group from the Encryption Center Devices table, then select Group > HA Clusters from the menu task bar, or right-click a group and select HA Clusters. The Properties dialog box displays with the HA Clusters tab selected. Select a device from the Non-HA Encryption Engines table, then click Configure Blade Processor Link.
- Select a group, switch, or engine from the Encryption Center Devices table, then select Group/Switch/Engine > Targets from the menu task bar, or right-click a group, switch, or engine and select Targets. Select a container from the Encryption Targets table, click LUNs, then click Configure Blade Processor Link.
Encryption node initialization and certificate generation
When an encryption node is initialized, the following security parameters and certificates are generated:
FIPS crypto officer
FIPS user
Node CP certificate
A signed Key Authentication Center (KAC) certificate
A KAC Certificate Signing Request (CSR)
From the standpoint of external SAN management application operations, the FIPS crypto officer, FIPS user, and node CP certificates are transparent to users. The KAC certificates are required for operations with key managers. In most cases, KAC certificate signing requests must be sent to a Certificate Authority (CA) for signing to provide authentication before the certificate can be used. In all cases, signed KACs must be present on each switch.
Encryption nodes are initialized by the Configure Switch Encryption wizard when you confirm a configuration.
Encryption nodes may also be initialized from the Encryption Center dialog box.
1. Select a switch from the Encryption Center Devices table, then select Switch > Init Node from the menu task bar, or right-click a switch and select Init Node.
A warning displays.
FIGURE 14 Warning message
2. Select Yes to initialize the node.
Steps for connecting to an SKM or ESKM appliance
The SKM and Enterprise SKM (ESKM) management web console can be accessed from any web browser with Internet access to the SKM/ESKM appliance. Both SKM and ESKM are supported, but combining them in a single encryption group is not supported. The URL for the appliance is as follows:
https://<appliance hostname>:<appliance port number>
Where:
- <appliance hostname> is the hostname or IP address specified when installing the SKM/ESKM appliance.
- <appliance port number> is 9443 by default. If a different port number was specified when installing the SKM/ESKM appliance, use that port number.
The following configuration steps are performed from the SKM/ESKM management web console and from the Management application.
Configure a Brocade group on SKM/ESKM.
Register the Brocade group user name and password on the encryption node.
Set up a local Certificate Signing Authority (CA) on SKM/ESKM.
Download the CA certificate.
Create and install an SKM/ESKM server certificate.
Enable an SSL connection.
Configure a cluster of SKM/ESKM appliances for high availability.
Export and sign the encryption node certificate signing requests.
Import the signed certificates into the encryption node.
These steps are described in more detail in the following sections:
“Registering authentication cards from the database” on page 18
“Registering the SKM or ESKM Brocade group user name and password” on page 28
“Setting up the local Certificate Authority (CA) on SKM or ESKM” on page 29
“Downloading the local CA certificate from SKM or ESKM” on page 30
“Creating and installing the SKM or ESKM server certificate” on page 30
“Enabling SSL on the Key Management System (KMS) Server” on page 31
“Copying the local CA certificate for a clustered SKM or ESKM appliance” on page 33
“SKM or ESKM key vault high availability deployment” on page 36
Configuring a Brocade group on SKM or ESKM
A Brocade group is configured on SKM/ESKM for all keys created by Brocade encryption switches and blades. This needs to be done only once for each key vault.
1. Log in to the SKM/ESKM management web console using the admin password.
2. Select the Security tab.
3. Select Local Users & Groups under Users and Groups.
The User & Group Configuration page displays.
4. Select Add under Local Users.
5. Create a Brocade user name and password.
You will need this user name and password later when registering this information with the switches.
6. Select the User Administration Permission and Change Password Permission check boxes.
7. Select Save to save this user data.
8. Select Add under Local Groups.
9. Add a Brocade group under Group.
The group name must be “brocade” and is case sensitive.
10. Select Save.
11. Select the new Brocade group name, and then select Properties.
Local Group Properties and a User List are displayed.
12. In the User List section, select or type the Brocade user name under Username.
13. Select Save.
The Brocade user name and password are now configured on SKM/ESKM.
NOTE
Fabric OS 6.2.0 uses brcduser1 as a standard user name when creating a Brocade group on SKM/ESKM. If you downgrade to version 6.2.0, the user name is overwritten to brcduser1, and the Brocade group user name must be changed to brcduser1.
Registering the SKM or ESKM Brocade group user name and password
The Brocade group user name and password you created when configuring a Brocade group on SKM/ESKM must also be registered on each Brocade encryption node.
NOTE
This operation can be performed only after the switch is added to the encryption group.
1. Select Configure > Encryption from the menu task bar.
2. The Encryption Center dialog box displays.
3. Select a switch from the Encryption Center Devices table, then select Switch > Key Vault Credentials, or right-click a switch and select Key Vault Credentials.
The Key Vault Credentials dialog box displays.
FIGURE 15 Key Vault Credentials dialog box
4. Enter the Brocade group user name and password.
Keep the following rules in mind when registering the Brocade user name and password:
- The user name and password must match the user name and password specified for the Brocade group.
- The same user name and password must be configured on all nodes in an encryption group. This is not enforced or validated by the encryption group members, so care must be taken when configuring the user name and password to ensure they are the same on each node.
- Different user names and passwords can never be used within the same encryption group, but each encryption group may have its own user name and password.
- If you change the user name and password, the keys created by the previous user become inaccessible. The Brocade group user name and password must also be changed to the same values on SKM/ESKM to make the keys accessible.
- When storage is moved from one encryption group to another, and the new encryption group uses a different user name and password, the Brocade group user name and password must also be changed to the same values on SKM/ESKM to make the keys accessible.
5. Repeat the procedure for each node.
Setting up the local Certificate Authority (CA) on SKM or ESKM
To create and install a local CA, complete the following steps:
1. Log in to the SKM/ESKM management web console using the admin password.
2. Select the Security tab.
3. Under Certificates & CAs, click Local CAs.
4. Enter information required by the Create Local Certificate Authority section of the window to create your local CA.
- Enter a Certificate Authority Name and Common Name. These may be the same value.
- Enter your organizational information.
- Enter the Email Address to receive messages for the Security Officer.
- Enter the Key Size. HP recommends using 2048 for maximum security.
- Select Self-signed Root CA.
- Enter the CA Certification Duration and Maximum User Certificate Duration. These values determine when the certificate must be renewed and should be set in accordance with your company's security policies. The default value for both is 3650 days or 10 years.
5. Click Create.
The new local CA displays under Local Certificate Authority List.
FIGURE 16 Creating an HP SKM/ESKM local CA
6. Under Certificates & CAs, select Trusted CA Lists to display the Trusted Certificate Authority List Profiles.
7. Click on Default under Profile Name.
8. In the Trusted Certificate Authority List, click Edit.
9. From the list of Available CAs in the right panel, select the CA you just created.
Repeat these steps any time another local CA is needed.
Downloading the local CA certificate from SKM or ESKM
The local CA certificate you created must be saved to your local system. Later, this certificate must be imported onto the Brocade encryption group leader nodes. For more information, see “Setting up the local Certificate Authority (CA) on SKM or ESKM” on page 29.
1. From the Security tab, select Local CAs under Certificates and CAs.
2. Select the CA certificate you created.
3. Click Download, and save the certificate file on your local system.
4. Rename the downloaded file, changing the .cert extension to a .pem extension.
Creating and installing the SKM or ESKM server certificate
To create the SKM/ESKM server certificate, perform the following steps:
1. Click the Security tab.
2. Under Certificates and CAs, select Certificates.
3. Enter the required information under Create Certificate Request.
- Enter a Certificate Name and Common Name. The same name may be used for both.
- Enter your organizational information.
- Enter the E-mail Address where you want messages to the Security Officer to go.
- Enter the Key Size. HP recommends using the default value: 1024.
4. Click Create Certificate Request.
Successful completion is indicated when the new entry for the server certificate appears on the Certificate List with a Certificate Status of Request Pending.
5. Select the newly created server certificate from the Certificate List.
6. Select Properties.
The pending request displays under Certificate Request Information.
7. Copy the certificate data from the -----BEGIN CERTIFICATE REQUEST----- line to the -----END CERTIFICATE REQUEST----- line. Be careful to exclude extra carriage returns or spaces after the data.
8. Under Certificates & CAs, select Local CAs.
The Certificate and CA Configuration page is displayed.
9. From the CA Name column, select the name of the local CA you just created in “Setting up the local Certificate Authority (CA) on SKM or ESKM” on page 29.
10. Click Sign Request.
11. Enter the required data in the Sign Certificate Request section of the window. Select the CA name from the Sign with Certificate Authority drop-down list.
12. Paste the copied certificate request data into the Certificate Request box.
13. Click Sign Request.
The signed certificate request data displays under Sign Certificate Request.
14. Click Download to download the signed certificate to your local system.
15. Copy the signed certificate data, from -----BEGIN to END…----- lines. Be careful to exclude extra carriage returns or spaces after the data.
16. From the Security tab, select Certificates under Certificates & CAs.
17. Select the server certificate name you just created from the certificate list, and select Properties.
The Certificate Request Information window displays.
18. Click Install Certificate.
The Certificate Installation window displays.
19. Paste the signed certificate data you copied under Certificate Response and click Save.
The status of the server certificate should change from Request Pending to Active.
Enabling SSL on the Key Management System (KMS) Server
The KMS Server provides the interface to the client. Secure Sockets Layer (SSL) must be enabled on the KMS Server before this interface will operate. After SSL is enabled on the first appliance, it will be automatically enabled on the other cluster members.
To configure and enable SSL, complete the following steps:
1. Select the Device tab.
2. In the Device Configuration menu, click KMS Server to display the Key Management Services Configuration window.
FIGURE 17 SKM Key Management Services Configuration window
3. In the KMS Server Settings section of the window, select the following check boxes:
- Use SSL
- Allow Key and Policy Configuration Operations
- Allow Key Export
4. Click Edit.
A warning message might display explaining that if you disable SSL, you must have TLS enabled for your web browser.
5. Configure the KMS Server Settings. Ensure that the port and connection timeout settings are 9000 and 3600, respectively. For Server Certificate, select the name of the certificate you created in “Creating and installing the SKM or ESKM server certificate” on page 30.
6. Click Save.
Creating an SKM or ESKM High Availability cluster
The HP SKM/ESKM key vault supports clustering of HP SKM/ESKM appliances for high availability. If two SKM/ESKM key vaults are configured, they must be clustered. If only a single SKM/ESKM appliance is configured, it may be clustered for backup purposes, but the backup appliance will not be directly used by the switch. The procedures in this section will establish a cluster configuration on one SKM/ESKM appliance and then transfer that configuration to the remaining appliances.
- Create the cluster on one SKM/ESKM appliance that is to be a member of the cluster.
- Copy the local CA certificate from the first SKM/ESKM appliance or an existing cluster member.
- Paste the local CA certificate into the management console for each of the SKM/ESKM appliances added to the cluster.
To create a cluster, perform the following steps on one of the HP SKM/ESKM appliances that is to be a member of the cluster.
1. From the SKM/ESKM management console, click the Device tab.
2. In the Device Configuration menu, click Cluster.
The Create Cluster section displays.
3. Select and note the Local IP address. You will need this address when you add an appliance to the cluster.
4. For Local Port, use the default value of 9001 unless you are explicitly directed to use a different value for your site.
5. Type the cluster password in the Create Cluster section of the main window to create the new cluster.
6. Click Create.
7. In the Cluster Settings section of the window, click Download Cluster Key and save the key to a convenient location, such as your computer's desktop. The cluster key is a text file and is only required temporarily. It may be deleted from your computer's desktop after all SKM/ESKM appliances have been added to the cluster.
Copying the local CA certificate for a clustered SKM or ESKM appliance
Before adding an SKM/ESKM appliance to a cluster, you must obtain the local CA certificate from the original SKM/ESKM or from an SKM/ESKM that is already in the cluster.
1. Select the Security tab.
2. Select Local CAs under Certificates & CAs.
3. Select the name of the local CA from the Local Certificate Authority list.
The CA Certificate Information is displayed.
4. Copy the certificate request, beginning with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----. Be careful not to include any extra characters.
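Every copy-and-paste step in these procedures (the server certificate request, the signed certificate, and the local CA certificate above) carries the same warning: stray carriage returns or spaces inside or after the PEM block cause the appliance or the switch to reject the data. The following is an added example, not part of this guide or of the HP or Brocade products: a small Python helper that pulls exactly one PEM block out of a clipboard paste, strips all whitespace from the base64 body, checks that the body decodes to a DER SEQUENCE (the outer structure of every X.509 certificate and CSR), and re-wraps it to standard 64-column lines. The sample paste, the file name and the five-byte DER body are constructed for the example.

```python
import base64
import binascii
import re


def extract_pem_block(pasted: str, label: str) -> str:
    """Return exactly one PEM block with the given label (for example
    "CERTIFICATE REQUEST" or "CERTIFICATE"), re-wrapped to 64-column lines with
    LF endings and no stray whitespace.

    Raises ValueError if the block is missing or its body is not base64-encoded DER."""
    begin = f"-----BEGIN {label}-----"
    end = f"-----END {label}-----"
    start = pasted.find(begin)
    if start < 0:
        raise ValueError(f"no {begin} marker in pasted text")
    stop = pasted.find(end, start)
    if stop < 0:
        raise ValueError(f"no {end} marker after the BEGIN marker")
    body = pasted[start + len(begin):stop]
    # Drop every CR, LF, tab and space: these are exactly the "extra carriage
    # returns or spaces" the procedures warn about, and base64 never needs them.
    b64 = re.sub(r"\s+", "", body)
    if not b64:
        raise ValueError("empty PEM body")
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from None
    # Certificates and CSRs are DER SEQUENCEs, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([begin, *lines, end]) + "\n"


def pem_filename(downloaded_name: str) -> str:
    """Map the name of the file downloaded from the appliance to the .pem name
    the switch expects (the procedure renames file.cert to file.pem)."""
    if downloaded_name.endswith(".cert"):
        return downloaded_name[:-len(".cert")] + ".pem"
    return downloaded_name


# Constructed sample of what a clipboard paste from the appliance's Properties
# page might look like: surrounding UI text, CRLF line endings, trailing spaces.
# The body is NOT a real CSR; it is the base64 of a five-byte DER SEQUENCE
# (30 03 02 01 05), enough for the structural check to have something to decode.
SAMPLE_PASTE = (
    "Certificate Request Information\r\n"
    "-----BEGIN CERTIFICATE REQUEST-----\r\n"
    "MAMC  \r\n"
    "AQU=\r\n"
    "\r\n"
    "-----END CERTIFICATE REQUEST-----   \r\n"
    "Download | Install Certificate\r\n"
)

if __name__ == "__main__":
    print(extract_pem_block(SAMPLE_PASTE, "CERTIFICATE REQUEST"), end="")
    print(pem_filename("BrocadeLocalCA.cert"))
```

The label argument doubles as a sanity check: asking for a CERTIFICATE block when the paste actually holds a CERTIFICATE REQUEST fails loudly instead of installing the wrong object.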
Adding SKM or ESKM appliances to the cluster
If you are adding an appliance to an existing cluster, select the Cluster Settings section of the window, click Download Cluster Key and save the key to a convenient location, such as your computer's desktop.
To add SKM/ESKM appliances to the cluster you are creating, you will need the original cluster member’s local IP address and port number, and the location of the cluster key you downloaded, as specified in “Creating an SKM or ESKM High Availability cluster” on page 32.
Perform the following steps on each SKM/ESKM appliance you want to add to the cluster.
1. Open a new browser window, keeping the browser window from Copying the Local CA certificate open.
2. In the new browser window, log into the management console of the SKM/ESKM appliance that is being added to the cluster, then click the Security tab.
3. In the Certificates & CAs menu, click Known CAs.
Enter the information required in the Install CA Certificate section near the bottom of the page.
- Enter the Certificate Name of the certificate being transferred from the first cluster member.
- Paste the copied certificate data into the Certificate box.
4. Click Install.
5. In the Certificates & CA menu, click Trusted CA Lists.
6. Click on the Default Profile Name.
7. Click Edit.
8. Select the name of the CA from the list of Available CAs in the right panel.
9. Click Add.
10. Click Save.
11. Select the Device tab.
12. In the Device Configuration menu, click Cluster.
13. Click Join Cluster. In the Join Cluster section of the window, leave Local IP and Local Port set to their default settings.
14. Enter the original cluster member’s local IP address into Cluster Member IP.
15. Enter the original cluster member’s local Port into Cluster Member Port.
16. Click Browse, then select the Cluster Key File you saved.
17. Enter the cluster password into Cluster Password.
18. Click Join.
19. After adding all members to the cluster, delete the cluster key file from the desktop.
20. Create and install an SKM/ESKM server certificate. Refer to “Creating and installing the SKM or ESKM server certificate” on page 30 for a description of this procedure.
Signing the Brocade encryption node KAC certificates
The KAC certificate signing request generated when the encryption node is initialized must be exported for each encryption node and signed by the Brocade local CA on SKM/ESKM. The signed certificate must then be imported back into the encryption node.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a switch from the Encryption Center Devices table, then select Switch > Export Certificate, from the menu task bar, or right-click a switch and select Export Certificate.
The Export Switch Certificate dialog box displays.
3. Select Public Key Certificate Request (CSR), then click OK.
You are prompted to save the CSR, which can be saved to your SAN Management Program client PC, or an external host of your choosing.
NOTE
Alternatively, you may select a switch, then select Switch > Properties. Click the Export button beside the Public Key Certificate Request, or copy the CSR for pasting into the Certificate Request Copy area on the SKM/ESKM Sign Certificate Request page.
4. Launch the SKM/ESKM administration console in a web browser and log in.
5. Select the Security tab.
6. Select Local CAs under Certificates & CAs.
The Certificate and CA Configuration page displays.
7. Under Local Certificate Authority List, select the Brocade CA name.
8. Select Sign Request.
The Sign Certificate Request page displays.
9. Select Sign with Certificate Authority using the Brocade CA name and maximum of 3649 days.
10. Select Client as Certificate Purpose.
11. Allow Certificate Duration to default to 3649.
12. Paste the file contents that you copied in step 2 in the Certificate Request Copy area.
13. Select Sign Request.
14. Download the signed certificate to your local system as signed_kac_skm_cert.pem.
This file is then ready to be imported to the encryption switch or blade.
Importing a signed KAC certificate into a switch
After a KAC CSR has been submitted and signed by a CA, the signed certificate must be imported into the switch.
This operation can be performed only after the switch is added to the encryption group.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a switch from the Encryption Center Devices table, then select Switch > Import Certificate from the menu task bar, or right-click a switch and select Import Certificate.
The Import Signed Certificate dialog box displays.
FIGURE 18 Import Signed Certificate dialog box
3. Browse to the location where the signed certificate is stored.
4. Click OK.
The signed certificate is stored on the switch.
SKM or ESKM key vault high availability deployment
The SKM/ESKM key vault has high availability clustering capability. SKM/ESKM appliances can be clustered together in a transparent manner to the end user. Encryption keys saved to one key vault are synchronously hardened to the cluster pairs. Please refer to the HP SKM/ESKM appliance user documentation for configuration requirements and procedures.
Configured primary and secondary HP SKM/ESKM appliances must be registered with the Brocade encryption switch or blade to begin key operations. The user can register only a single SKM/ESKM if desired. In that case, the HA features are lost, but the archived keys are backed up to any other non-registered cluster members. Beginning with Fabric OS 6.3.0, the primary and secondary appliances must be clustered.
Both the SKM/ESKM appliances in the cluster can be registered using the following command.
cryptocfg --reg -keyvault <cert label> <certfile> <hostname/ip address> <primary | secondary>
Related Topics
“Disk keys and tape pool keys support” on page 131
“Tape LUN support” on page 132
“SKM or ESKM Key Vault Deregistration” on page 132
Steps for Migrating from SKM to ESKM
The procedure for migrating SKM to ESKM assumes the following:
- An encryption group already exists on the BES with SKM configured and connected.
- ESKM has the following data transferred from SKM:
  - User group, users, CA information
  - SSL/FIPS settings
  - Key database
- ESKM uses the same CA certificate that was used by SKM.
If the CA changes on the ESKM, you must deregister the key vaults and redo the procedure for configuring the key vault for the encryption group. To perform the steps using the GUI, see “Steps for connecting to an SKM or ESKM appliance” on page 26. To perform the steps using the CLI, see “Steps for connecting to an SKM or ESKM appliance” on page 119.
Steps required from the BES CLI
From the group leader BES:
1. Deregister SKM using the command cryptocfg --dereg -keyvault.
2. Import the CA certificate using the command cryptocfg --import -scp <cert_name.pem> <host IP> <host name> <CAcert.cer>.
NOTE
If the earlier configuration was done for SKM using the CLI and the previously imported CA certificate was not deleted (using the command cryptocfg --file -delete), the CA file that was previously imported can be reused, and importing the CA certificate is not required.
3. Register ESKM using the command cryptocfg --reg -keyvault.
Steps required using Brocade Management application
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select an encryption group from the Encryption Center Devices table, then select Group > Properties from the menu task bar, or right-click a group and select Properties.
The Encryption Group Properties dialog box displays.
FIGURE 19 Encryption Group Properties dialog box
3. Enter the new ESKM key vault IP address in the Primary Key Vault IP Address field.
4. Download the ESKM local CA certificate.
a. From the Security tab, select Local CAs under Certificates and CAs.
b. Select the CA certificate you created.
c. Click Download, and save the certificate file on your local system.
d. Rename the downloaded file, changing the .cert extension to a .pem extension.
5. From the Encryption Group Properties dialog box, click Load from File to upload the new ESKM certificate to the switch, then click OK.
The switch is now ready to connect securely to the key vault. The encryption dialog takes a few minutes to update the connected status.
NOTE
ESKM is referred to as SKM in the Brocade Management application.
Encryption preparation
Before you use the encryption setup wizard for the first time, you should have a detailed configuration plan in place and available for reference. The encryption setup wizard assumes the following:
- You have a plan in place to organize encryption devices into encryption groups.
- If you want redundancy and high availability in your implementation, you have a plan to create high availability (HA) clusters of two encryption switches or blades to provide failover support.
- All switches in the planned encryption group are interconnected on an I/O synch LAN.
- The management ports on all encryption switches and 384-port Backbone Chassis CPs that have encryption blades installed have a LAN connection to the SAN management program and are available for discovery.
- A supported key management appliance is connected on the same LAN as the encryption switches, 384-port Backbone Chassis CPs, and the SAN Management program.
- An external host is available on the LAN to facilitate certificate exchange.
- Switch KAC certificates have been signed by a CA and stored in a known location.
- Key management system (key vault) certificates have been obtained and stored in a known location.
Creating a new encryption group
The following steps describe how to start and run the encryption setup wizard, and create a new encryption group.
When a new encryption group is created, any existing tape pools in the switch are removed.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
FIGURE 20 Encryption Center - No Group Defined dialog box
2. Select a switch from the <NO GROUP DEFINED> encryption group. (The switch must not be assigned to an encryption group.)
3. Select Encryption > Create/Add to Group, from the menu task bar, or right-click the switch and select Create/Add to Group.
The Configure Switch Encryption wizard welcome panel displays.
FIGURE 21 Configure Switch Encryption wizard - welcome panel
4. Click Next.
The Designate Switch Membership dialog box displays.
FIGURE 22 Designate Switch Membership dialog box
5. Verify that Create a new encryption group containing just this switch is selected.
6. Click Next.
The Create a New Encryption Group dialog box displays.
FIGURE 23 Create a New Encryption Group dialog box
7. Enter an Encryption Group Name for the encryption group and select Automatic failback mode. Encryption group names can have up to 15 characters. Letters, digits, and underscores are allowed.
If the name for the encryption group already exists, a pop-up warning message displays. Although unique group names avoid confusion while managing multiple groups, you are not prevented from using duplicate group names. Click Yes to use the same name for the new encryption group, or click No to enter another name.
8. Click Next.
The Select Key Vault dialog box displays.
FIGURE 24 Select Key Vault dialog box for SKM/ESKM
9. Select SKM as the Key Vault Type, which is used for both HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM). (SKM and ESKM are both opaque key repositories.)
a. Enter the IP address or host name for the primary key vault.
b. Enter the name of the file that holds the primary key vault’s CA key certificate or browse to the desired location.
c. Enter the password you established for the Brocade user group.
d. If you are using a backup key vault, also enter the IP address or host name and the name of the file holding the backup key vault’s public key certificate in the fields provided. The same user name and password used for the primary key vault are automatically applied to the backup key vault.
10. Click Next.
The Specify Public Key Certificate File Name dialog box displays.
FIGURE 25 Specify Public Key Certificate filename dialog box
11. Enter the location of the file where you want to store the certificate information, or browse to the desired location.
12. Click Next.
The Specify Master Key File Name dialog box displays.
FIGURE 26 Specify Master Key File Name dialog box
13. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
14. Re-enter the passphrase for verification.
15. Click Next.
The Select Security Settings dialog box displays.
FIGURE 27 Select Security Settings dialog box
16. Set quorum size and system card requirements.
The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
Setting quorum size to a value greater than zero and/or setting system cards to Required launches additional wizard dialog boxes.
17. Click Next.
The Confirm Configuration dialog box displays. The dialog box displays the encryption group name and switch public key certificate file name you specified.
FIGURE 28 Confirm Configuration dialog box
18. Verify the information, then click Next.
The Configuration Status dialog box displays.
FIGURE 29 Configuration Status dialog box
All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
After configuration of the encryption group is completed, the Management application sends API commands to verify the switch configuration. See “Understanding configuration status results” on page 46 for more information.
19. Review important messages, then click Next.
The Next Steps dialog box displays. Instructions for installing public key certificates for the encryption switch are displayed.
FIGURE 30 Next Steps dialog box
20. Review post-configuration instructions, which you can copy to a clipboard or print for later.
21. Click Finish to exit the Configure Switch Encryption wizard.
22. Review “Understanding configuration status results”.
Understanding configuration status results
After configuration of the encryption group is completed, the Management application sends API commands to verify the switch configuration. The CLI commands are detailed in the encryption administrator’s guide for your key vault management system.
- Initialize the switch. If the switch is not already in the initiated state, the Management application performs the cryptocfg --initnode command.
- Create an encryption group on the switch. The Management application creates a new group using the cryptocfg --create -encgroup command, and sets the key vault type using the cryptocfg --set -keyvault command.
- Register the key vault. The Management application registers the key vault using the cryptocfg --reg -keyvault command.
- Enable the encryption engines. The Management application initializes an encryption switch using the cryptocfg --initEE [<slotnumber>] and cryptocfg --regEE [<slotnumber>] commands.
- Create a new master key. (Opaque key vaults only.) The Management application checks for a new master key. New master keys are generated from the Security tab located in the Encryption Group Properties dialog box. See “Creating a new master key” on page 87 for more information.
- Save the switch’s public key certificate to a file. The Management application saves the KAC certificate into the specified file.
- Back up the master key to a file. (Opaque key vaults only.) The Management application saves the master key into the specified file.
NOTES:
- If any configuration item is unsuccessful, instructions for providing the remedy can be found in the Next Steps dialog box in the Configure Switch Encryption wizard.
- If connectivity to the SKM/ESKM results in authentication failure, complete the following steps:
  a. Export the switch’s public certificate file.
  b. Get the certificate signed by the SKM/ESKM local CA.
  c. Import the signed certificate onto the switch.
  d. From the switch, select Key Vault Credentials and provide the user name and password.
  When completed, all operations should be successful and the switch should show that it is connected to the SKM/ESKM. Refer to the Next Steps dialog box in the Configure Switch Encryption wizard for brief instructions that are specific to certificate exchanges between the switch and key manager you are using.
Adding a switch to an encryption group
The setup wizard allows you to either create a new encryption group, or add an encryption switch to an existing encryption group. Use the following procedure to add a switch to an encryption group.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a switch to add from the Encryption Center Devices table, then select Switch > Create/Add to Group from the menu task bar, or right-click a switch and select Create/Add to Group.
The switch must not already be in an encryption group.
The Configure Switch Encryption wizard welcome panel displays.
FIGURE 31 Configure Switch Encryption wizard - welcome panel
3. Click Next.
The Designate Switch Membership dialog box displays.
FIGURE 32 Designate Switch Membership dialog box
a. Select Add this switch to an existing encryption group.
b. Click Next.
The Add Switch to Existing Encryption Group dialog box displays.
FIGURE 33 Add Switch to Existing Encryption Group dialog box
4. Select the group in which to add the switch, then click Next.
The Specify Public Key Certificate Filename dialog box displays.
FIGURE 34 Specify Public Key Certificate (KAC) File Name dialog box
5. Specify the name of the file in which to store the public key certificate that is used to authenticate connections to the key vault, then click Next.
The Confirm Configuration panel displays. The dialog box shows the encryption group name and switch public key certificate file name you specified.
FIGURE 35 Confirm Configuration dialog box
6. Click Next.
The Configuration Status dialog box displays.
FIGURE 36 Configuration Status dialog box
All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
7. Review important messages, then click Next.
The Error Instructions dialog box displays. Instructions for installing public key certificates for the encryption switch are displayed.
FIGURE 37 Error Instructions dialog box
8. Review the post-configuration instructions, which you can copy to a clipboard or print for later.
9. Click Finish to exit the Configure Switch Encryption wizard.
10. Review “Understanding configuration status results” on page 46.
NOTES:
- If any configuration item is unsuccessful, instructions for providing the remedy can be found in the Next Steps dialog box in the Configure Switch Encryption wizard.
- If connectivity to the SKM/ESKM results in authentication failure, complete the following steps:
  a. Export the switch’s public certificate file.
  b. Get the certificate signed by the SKM/ESKM local CA.
  c. Import the signed certificate onto the switch.
  d. From the switch, select Key Vault Credentials and provide the user name and password.
  When completed, all operations should be successful and the switch should show that it is connected to the SKM/ESKM. Refer to the Next Steps dialog box in the Configure Switch Encryption wizard for brief instructions that are specific to certificate exchanges between the switch and key manager you are using.
Replacing an encryption engine in an encryption group
To replace an encryption engine in an encryption group with another encryption engine within the same DEK Cluster, complete the following steps.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select an encryption engine from the Encryption Center Devices table, then select Engine > Replace from the menu task bar, or right-click an encryption engine and select Replace.
The Encryption Group Properties dialog box displays with the Engine Operations tab selected.
You can also display the Engine Operations tab by selecting an encryption group from the tree, and selecting Group > Properties from the menu task bar and selecting the Engine Operations tab, or you can right-click the encryption group, select Properties and select the Engine Operations tab.
FIGURE 38 Engine Operations tab
3. Select the engine to replace from the Engine list.
4. Select the engine to use as the replacement from the Replacement list.
5. Click Replace.
All containers hosted by the current engine (Engine list) are replaced by the new engine (Replacement list).
Creating high availability (HA) clusters
A high availability (HA) cluster is a group of exactly two encryption engines. One encryption engine can take over encryption and decryption tasks for the other encryption engine, if that member fails or becomes unreachable.
When creating a new HA Cluster, add one engine to create the cluster, then add the second engine. You can make multiple changes to the HA Clusters list; the changes are not applied to the switch until you click OK.
Both engines in an HA cluster must be in the same fabric, as well as the same encryption group.
An IP address is required for the management port for any cluster-related operations.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select an encryption group from the Encryption Center Devices table, then select Group > HA Cluster from the menu task bar, or right-click an encryption group and select HA Cluster.
If groups are not visible in the Encryption Center Devices table, select View > Groups from the menu task bar.
The Encryption Group Properties dialog box displays, with the HA Clusters tab selected.
3. Select an available encryption engine from the Non HA Encryption Engines table and a destination HA cluster from the High Availability Clusters table. Select New HA Cluster if you are creating a new cluster.
4. Click the right arrow button to add the encryption engine to the selected HA cluster.
FIGURE 39 Encryption Group Properties dialog box - HA Clusters tab
NOTE
If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster. HA Cluster names can have up to 31 characters. Letters, digits, and underscores are allowed.
Removing engines from an HA cluster
Removing the last engine from an HA cluster also removes the HA cluster.
If only one engine is removed from a two-engine cluster, you must either add another engine to the cluster, or remove the other engine.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select an encryption group from the Encryption Center Devices table, then select Group > HA Cluster from the menu task bar, or right-click an encryption group and select HA Cluster.
The Encryption Group Properties dialog box displays with the HA Clusters tab selected.
3. Select an engine from the High Availability Clusters table, then click the left arrow button.
4. Either remove the second engine or add a replacement second engine, making sure all HA clusters have exactly two engines.
5. Click OK.
FIGURE 40 Encryption Group Properties dialog box - HA Clusters tab
Swapping engines in an HA cluster
Swapping engines is useful when replacing hardware. Swapping engines is different from removing an engine and adding another because when you swap engines, the configured targets on the former HA cluster member are moved to the new HA cluster member.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select an encryption group from the Encryption Center Devices table, then select Group > HA Cluster from the menu task bar, or right-click an encryption group and select HA Cluster.
The Encryption Group Properties dialog box displays, with the HA Clusters tab selected.
3. To swap engines, select one engine from the High Availability Clusters table and one unclustered encryption engine from the Non HA Encryption Engines table, then click the double-arrow button.
The two engines being swapped must be in the same fabric.
FIGURE 41 Encryption Group Properties dialog box - HA Clusters tab
Failback option
The Failback option determines the behavior when a failed encryption engine is restarted. When the first encryption engine comes back online, the encryption group’s failback setting (auto or manual) determines how the encryption engine resumes encrypting and decrypting traffic to its encryption targets.
- In auto mode, when the first encryption engine restarts, it automatically resumes encrypting and decrypting traffic to its encryption targets.
- In manual mode, the second encryption engine continues handling the traffic until you manually invoke failback using the CLI or Management application, or until the second encryption engine fails. When the encryption engine recovers, it can automatically fail back its Crypto Target containers if the second encryption engine is not hosting them.
Invoking failback
To invoke failback to the restarted encryption engine from the Management application, complete the following steps.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select an encryption group from the Encryption Center Devices table to which the encryption engine belongs, then click Group > HA Clusters, or right-click the group and select HA Clusters.
The Encryption Group Properties dialog box displays, with the HA Clusters tab selected.
3. Select the online encryption engine, then click Failback.
4. Click OK.
5. Click Close on the Encryption Center dialog box.
Adding encryption targets
Adding an encryption target maps storage devices and hosts to virtual targets and virtual initiators within the encryption switch.
It is recommended that you configure the host and target in the same zone before configuring them for encryption. If the host and target are not already in the same zone, you can still configure them for encryption, but you will need to configure them in the same zone before you can commit the changes. If you attempt to close the Encryption Targets dialog box without committing the changes, you are reminded of uncommitted changes in the Management application.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a group, switch, or engine from the Encryption Center Devices table to which to add the target, then select Group/Switch/Engine > Targets from the menu task bar, or right-click a group, switch, or engine and select Targets.
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon.
The Encryption Targets dialog box displays.
FIGURE 42 Encryption Targets dialog box
3. Click Add.
The Configure Storage Encryption wizard dialog box displays. The dialog box explains the wizard’s purpose, which is to configure encryption for a storage device (target).
FIGURE 43 Configure Storage Encryption wizard dialog box
4. Click Next to begin.
The Select Encryption Engine dialog box displays.
FIGURE 44 Select Encryption Engine dialog box
The list of engines depends on the scope being viewed:
- If the Targets dialog box is showing all targets in an encryption group, the list includes all engines in the group.
- If the Targets dialog box is showing all targets for a switch, the list includes all encryption engines for the switch.
- If the Targets dialog box is showing targets for a single encryption engine, the list contains only that engine.
5. Select the encryption engine (blade or switch) to configure, then click Next.
The Select Target dialog box displays. The dialog box lists all target ports and target nodes in the same fabric as the encryption engine. The Targets in Fabric table does not show targets that are already configured in an encryption group.
You can select targets from the list of known targets, or manually enter the port and node WWNs.
FIGURE 45 Select Target dialog box
a. Select a target from the list. (The Target Port WWN and Target Node WWN fields contain all target information that displays when using the nsshow command.) You can also enter WWNs manually, for example, to specify a target that is not on the list.
b. Select a target type from the Type list. If the target node is disk storage, choose Disk. If the target node is tape storage, choose Tape.
6. Click Next.
The Select Hosts dialog box displays. The dialog box lists all hosts that are in the same fabric as the encryption engine.
FIGURE 46 Select Hosts dialog box
7. Select hosts using either of the following methods:
a. Select a maximum of 1024 hosts from the Hosts in Fabric table, then click the right arrow to move the hosts to the Selected Hosts table. (The Port WWN column contains all target information that displays when using the nsshow command.)
b. Manually enter world wide names in the Port WWN and Node WWN text boxes if the hosts are not included in the table. You must fill in both the Port WWN and the Node WWN. Click Add to move the host to the Selected Hosts table.
8. Click Next.
The Name Container dialog box displays. The dialog box enables you to specify a name for the target container that is created in the encryption engine to hold the target configuration data.
The container name defaults to the target WWPN. You can, however, rename the container name. Target container names can have up to 31 characters. Letters, digits, and underscores are allowed.
FIGURE 47 Name Container dialog box
9. Click Next.
The Confirmation dialog box displays.
FIGURE 48 Confirmation dialog box
10. Click Next after you have verified the contents. Clicking Next creates the configuration.
The Configuration Status dialog box displays. The dialog box lists the target and host that are configured in the target container, as well as the virtual targets (VT) and virtual initiators (VI).
If you can view the VI/VT Port WWNs and VI/VT Node WWNs, the container has been successfully added to the switch.
FIGURE 49 Configuration Status dialog box
11. Review any post-configuration instructions or messages, which you can copy to a clipboard or print for later.
12. Click Next.
The Next Steps dialog box displays. Instructions for installing public key certificates for the encryption switch are displayed.
FIGURE 50 Next Steps dialog box
13. Review the post-configuration instructions, which you can copy to a clipboard or print for later.
14. Click Finish to exit the Configure Switch Encryption wizard.
15. Review “Understanding configuration status results” on page 46.
Configuring hosts for encryption targets
Use the Encryption Target Hosts dialog box to edit (add or remove) hosts for an encrypted target.
Hosts are normally selected as part of the Configure Storage Encryption wizard but you can also edit hosts later using the Encryption Target Hosts dialog box.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a group, switch, or engine from the Encryption Center Devices table that contains the storage device to be configured, then select Group/Switch/Engine > Targets from the menu task bar, or right-click a group, switch, or engine and select Targets.
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon.
The Encryption Targets dialog box displays.
3. Select a Target storage device from the list, then click Hosts.
The Encryption Target Hosts dialog box displays. This dialog box lists configured hosts in a fabric.
FIGURE 51 Encryption Target Hosts dialog box
4. Select one or more hosts in a fabric, then move them to the Selected Hosts table using the right arrow, or manually enter world wide names in the Port WWN and Node WWN text boxes if the hosts are not included in the list. You must fill in both the Port WWN and the Node WWN. Click Add to move the host to the Selected Hosts list.
Adding target disk LUNs for encryption
You can add a new path to an existing disk LUN or add a new LUN and path by launching the Add New Path wizard. Take the following steps to launch the Add New Path wizard.
Before you begin: Before you can add a target disk LUN for encryption, you must first configure the Storage Arrays. For more information, see “Configuring Storage Arrays” on page 68.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a group, switch, or engine from the Encryption Center Devices table, then select Group/Switch/Engine > Disk LUNs from the menu task bar, or right-click a group, switch, or engine and select Disk LUNs.
The Encryption Disk LUN View dialog box displays.
FIGURE 52 Encryption Disk LUN view dialog box
3. Click Add.
The Select Target Port dialog box displays.
FIGURE 53 Select Target Port dialog box
4. Select the target port from the Target Port table.
5. Click Next.
The Select Initiator Port dialog box displays.
FIGURE 54 Select Initiator Port dialog box
6. Select the initiator port from the Initiator Port table.
7. Click Next.
LUN discovery is launched and a progress bar displays. There are four possible outcomes:
- A message displays indicating no LUNs were discovered. Click OK to dismiss the message and exit the wizard.
- A message displays indicating LUNs have been discovered, but are already configured. Click OK to dismiss the message and exit the wizard.
- A message displays indicating that the target is not in the right state for discovering LUNs. Click OK to dismiss the message and exit the wizard.
- The Select LUN dialog box displays, showing discovered LUNs that are available. Select the LUN from the LUN list.
8. Click Finish.
The new LUN path is added to the Encryption Disk LUN view.
In environments where there are multiple paths to the same LUNs, it is critical that the same LUN policies are configured on all instances of the LUN. Be sure to return to the Encryption Disk LUN View dialog box to determine if there are configuration mismatches. Check under Encryption Mode for any entries showing Mismatch. To correct the mismatch, click the incorrect mode to display the options (as shown in the figure), then select the correct mode.
FIGURE 55 Correcting an Encryption Mode mismatch
9. Select the LUN from LUN list.
10. Set the LUN state to Encrypted or Clear Text as required.
If the LUN already has an existing key ID, the State field is automatically set to Encrypted. You can accept this state or change it as desired.
If the LUN does not have an existing key ID, you must select the LUN state.
When you correct a policy on a LUN, it is automatically selected for all paths to the selected LUN. When you modify LUN policies, a Modify icon appears to identify the modified LUN entry.
11. Click Add or Apply to apply the modifications.
12. Click OK to commit the transaction.
If the LUN state is not showing correctly (for example, Not Ready), enter the cryptocfg --discoverLUN command from the CLI and it should help resolve the issue. When the command finishes, refresh the screen to check the new status of LUNs.
Configuring Storage Arrays
The Storage Array contains a list of storage ports that will be used later in the LUN centric view. You must assign storage ports from the same storage array for multi-path I/O purposes. On the LUN centric view, storage ports in the same storage array are used to get the associated CryptoTarget containers and initiators from the database. Storage ports that are not assigned to any storage array but are within the fabrics of the encryption group will be listed as a single target port on the LUN centric view. Storage Arrays are configured using the Storage Port Mapping dialog box. You will need to:
- Configure target and zone initiator ports in the same zone in order for the target container to come online and discover LUNs in the storage system.
- Create CryptoTarget containers for each target port in the storage array from the Target Container dialog box. Add initiator ports to the container. You must create target containers for those target ports in the configured storage arrays or unassigned target ports before mapping any LUN on the LUN centric view. If you do not create the container, LUN discovery will not function.
For more detailed information on creating a crypto target container, refer to the chapter describing storage arrays in this administrator’s guide.
Adding target tape LUNs for encryption
You configure a Crypto LUN by adding the LUN to the CryptoTarget container and enabling the encryption property on the Crypto LUN. You must add LUNs manually. After you add the LUNs, you must specify the encryption settings.
When configuring a LUN with multiple paths, the same LUN policies must be configured on all paths to the LUN. If there are multiple paths to the same physical LUNs, then the LUNs are added to multiple target containers (one target per storage device port).
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a group, switch, or engine from the Encryption Center Devices table that contains the storage device to be configured, then select Group/Switch/Engine > Targets from the menu task bar, or right-click a group, switch, or engine and select Targets.
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon.
The Encryption Targets dialog box displays.
FIGURE 56 Encryption Targets dialog box
3. Select a target storage device from the Encryption Targets table, then click LUNs.
The Encryption Target LUNs dialog box displays.
FIGURE 57 Encryption Target Tape LUNs dialog box
4. Click Add.
The Add Encryption Target Tape LUNs dialog box displays. The dialog box includes a table of all LUNs in the storage device that are visible to hosts. LUNs are identified by the Host world wide name, LUN number, Volume Label Prefix number, and Enable Write Early ACK and Enable Read Ahead status.
FIGURE 58 Add Encryption Target Tape LUNs dialog box
5. Select a host from the Host list.
Before you encrypt a LUN, you must select a host, then either discover LUNs that are visible to the virtual initiator representing the selected host, or enter a range of LUN numbers to be configured for the selected host.
6. Choose a LUN to be added to an encryption target container using one of the two following methods:
- Discover. Click to identify the exposed logical unit number for a specified initiator. If you already know the exposed LUNs for the various initiators accessing the LUN, you can enter the range of LUNs using the alternative method.
- Enter a LUN number range. Click Show LUNs to add a range of LUNs to be configured for the selected host. The LUN needed for configuring a Crypto LUN is the LUN that is exposed to a particular initiator.
7. Select the desired encryption mode. Options are: Native Encryption, DF-Compatible Encryption, and Cleartext.
- If you change a LUN policy from Native Encryption or DF-Compatible Encryption to Clear Text, you disable encryption.
- The LUNs of the target that are not enabled for encryption must still be added to the CryptoTarget container with the Clear Text encryption mode option.
The Re-keying interval can only be changed for disk LUNs. For tape LUNs, expiration of the re-keying interval simply triggers the generation of a new key to be used on future tape volumes. Tapes that are already made are not re-keyed. To re-key a tape, you need to read the tape contents using a host application that decrypts the tape contents using the old key, then rewrite the tape, which re-encrypts the data with the new key.
8. Click OK. The selected tape LUNs are added to the encryption target container.
Tape LUN write early and read ahead
The tape LUN write early and read ahead feature uses tape pipelining and prefetch to speed serial access to tape. These features are particularly useful for performing backup and restore operations, especially over long distances.
You can enable tape LUN write early or read ahead while adding the tape LUN for encryption, or you can enable or disable these features after the tape LUN has been added for encryption.
For more information, see the following topics:
- “Adding target tape LUNs for encryption” on page 68
- “Enabling and disabling tape LUN write early and read ahead” on page 71
Enabling and disabling tape LUN write early and read ahead
To enable or disable tape LUN read ahead or tape LUN write early, follow these steps:
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a group, switch, or engine from the Encryption Center Devices table, then select Group/Switch/Engine > Targets from the menu task bar, or right-click the group, switch, or engine and select Targets.
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon.
The Encryption Targets dialog box displays.
FIGURE 59 Encryption Targets dialog box
3. Select a target tape storage device from the table, then click LUNs.
The Encryption Target Tape LUNs dialog box displays.
FIGURE 60 Encryption Target Tape LUNs dialog box - Setting tape LUN read ahead and write early
4. In the EnableWriteEarlyAck and EnableRead/Ahead columns, set these features as desired for each LUN:
- To enable write early for a specific tape LUN, check Enable Write Early Ack for that LUN.
- To enable read ahead for a specific LUN, check Enable Read Ahead for that LUN.
- To disable write early for a specific tape LUN, clear Enable Write Early Ack for that LUN.
- To disable read ahead for a specific LUN, clear Enable Read Ahead for that LUN.
5. Click OK.
6. Commit the changes on the related crypto target container:
a. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
b. Select a group, switch, or engine from the Encryption Center Devices table that contains the storage device to be configured, then select Group/Switch/Engine > Targets from the menu task bar, or right-click a group, switch, or engine and select Targets.
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon.
c. Select the appropriate crypto target container.
d. Click Commit.
For related information, see the following topics:
- “Tape LUN write early and read ahead” on page 71
- “Using the Encryption Targets dialog box” on page 90
Tape LUN statistics
This feature enables you to view and clear statistics for tape LUNs. These statistics include the number of compressed blocks, uncompressed blocks, compressed bytes and uncompressed bytes written to a tape LUN.
The tape LUN statistics are cumulative and change as the host writes more data on tape. You can clear the statistics to monitor compression ratio of ongoing host I/O.
The encryption management application allows you to select a tape LUN either from a tape LUN container through the Encryption Targets dialog box, or from the Target Tape LUNs dialog box.
For operational details, see the following topics:
- “Viewing and clearing tape container statistics” on page 73
- “Viewing and clearing tape LUN statistics for a container” on page 74
- “Viewing and clearing statistics for specific tape LUNs” on page 75
Viewing and clearing tape container statistics
To view or clear statistics for tape LUNs in a container, follow these steps:
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a group from the Encryption Center Devices table, then select Group > Targets from the menu task bar, or right-click a group and select Targets.
The Encryption Targets dialog box displays. The dialog box lists the configured crypto target containers.
FIGURE 61 Encryption Targets dialog box
3. From the Encryption Targets table, select the container of type Tape for which to display or clear statistics.
4. Click Statistics.
The Tape LUN Statistics dialog box displays. The dialog box lists statistics for all LUNs that are members of the selected tape container.
FIGURE 62 Tape LUN Statistics dialog box
5. To clear the tape LUN statistics for all member LUNs for the container, click Clear.
6. When prompted with a confirmation dialog box, click Yes.
7. To update the tape LUN statistics, click Refresh.
Viewing and clearing tape LUN statistics for a container
To view or clear statistics for tape LUNs in a container, follow these steps:
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a group, switch, or engine from the Encryption Center Devices table that contains the storage device to be configured, then select Group/Switch/Engine > Targets from the menu task bar, or right-click a group, switch, or engine and select Targets.
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon.
The Encryption Targets dialog box displays. The dialog box lists configured crypto target containers.
FIGURE 63 Encryption Targets dialog box
3. Select the container of type Tape for which to display or clear statistics.
4. Click Statistics.
The Tape LUN Statistics dialog box displays. The dialog box lists the statistics for all LUNs that are members of the selected tape container.
FIGURE 64 Tape LUN Statistics dialog box
5. To clear the tape LUN statistics, select one or more LUNs from the table, and then click Clear.
6. In the confirmation dialog box, click Yes.
7. To update the tape LUN statistics, select one or more LUNs from the table, and then click Refresh.
Viewing and clearing statistics for specific tape LUNs
To view or clear statistics for tape LUNs in a container, complete these steps:
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a group, switch, or engine from the Encryption Center Devices table that contains the storage device to be configured, then select Group/Switch/Engine > Targets from the menu task bar, or right-click a group, switch, or engine and select Targets.
You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon.
The Encryption Targets dialog box displays.
3. Select a tape target storage device, then click LUNs.
The Target Tape LUNs dialog box displays. The dialog box lists configured tape LUNs.
FIGURE 65 Target Tape LUNs dialog box
4. Select the LUN or LUNs for which to display or clear statistics.
5. Click Statistics.
The Tape LUN Statistics dialog box displays. The dialog box displays the statistic results based on the LUN or LUNs you selected.
FIGURE 66 Tape LUN Statistics dialog box
6. To clear the tape LUN statistics, click Clear.
7. When prompted with a confirmation dialog box, click Yes.
8. To update the tape LUN statistics, click Refresh.
Re-balancing the encryption engine
If you are currently using encryption and running Fabric OS 6.3.x or earlier, you are hosting tape and disk target containers on different encryption switches or blades. Beginning with Fabric OS 6.4, disk and tape target containers can be hosted on the same switch or blade. Hosting both disk and tape target containers on the same switch or blade might result in a drop in throughput, but it can reduce cost by reducing the number of switches or blades needed to support encrypted I/O in environments that use both disk and tape.
The throughput drop can be mitigated by re-balancing the tape and disk target containers across the encryption engine. This ensures that the tape and disk target containers are distributed within the encryption engine for maximum throughput.
All nodes within an encryption group must be upgraded to Fabric OS 6.4 or later to support hosting disk and tape target containers on the same encryption engine. If any node within an encryption group is running an earlier release, disk and tape containers must continue to be hosted on separate encryption engines.
During re-balancing operations, be aware of the following:
- You might notice a slight disruption in Disk I/O. In some cases, manual intervention may be needed.
- Backup jobs to tapes might need to be restarted after re-balancing is completed.
To determine if re-balancing is recommended for an encryption engine, check the encryption engine properties. Beginning with Fabric OS 6.4, a field is added that indicates whether or not re-balancing is recommended.
You might be prompted to re-balance during the following operations:
- When adding a new disk or tape target container.
- When removing an existing disk or tape target container.
- After failover to a backup encryption engine in an HA cluster.
- After a failed encryption engine in an HA cluster is recovered, and failback processing has occurred.
To re-balance an encryption engine, complete the following steps:
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select an engine, then select Engine > Re-Balance from the menu task bar, or right-click an engine and select Re-Balance.
A warning message displays, noting the potential disruption of disk and tape I/O, and that the operation may take several minutes.
3. Click Yes to begin re-balancing.
Master keys
When an opaque key vault is used, a master key is used to encrypt the data encryption keys. The master key status indicates whether a master key is used and whether it has been backed up. Encryption is not allowed until the master key has been backed up.
Only the active master key can be backed up, and multiple backups are recommended. You can back up or restore the master key to the key vault, to a file, or to a recovery card set. A recovery card set is a set of smart cards. Each recovery card holds a portion of the master key. The cards must be gathered and read together from a card reader attached to a PC running the Management application to restore the master key.
Master keys belong to the group and are managed from Group Properties.
It is important to back up the master key because if the master key is lost, none of the data encryption keys can be restored and none of the encrypted data can be decrypted.
For more information, see the following topics:
- “Active master key” on page 78
- “Alternate master key” on page 78
- “Master key actions” on page 79
- “Reasons master keys can be disabled” on page 79
Active master key
The active master key is used to encrypt newly-created data encryption keys (DEKs) prior to sending them to a key vault to be stored. You can restore the active master key under the following conditions:
- The active master key has been lost, which happens if all encryption engines in the group have been zeroized or replaced with new hardware at the same time.
- You want multiple encryption groups to share the same active master key. Groups should share the same master key if the groups share the same key vault and tapes (or disks) are going to be regularly exchanged between the groups.
Alternate master key
The alternate master key is used to decrypt data encryption keys that were not encrypted with the active master key. Restore the alternate master key for the following reasons:
- To read an old tape that was created when the group used a different active master key.
- To read a tape (or disk) from a different encryption group that uses a different active master key.
Master key actions
Master key actions are as follows:
- Backup master key, which is enabled any time a master key exists. You can back up the master key to a file, to a key vault, or to a smart card. You can back up the master key multiple times to any of these media in case you forget the passphrase you originally used to back up the master key, or if multiple administrators each need a passphrase for recovery.
- Restore master key, which is enabled when no master key exists or the previous master key has been backed up.
- Create new master key, which is enabled when no master key exists or the previous master key has been backed up.
Reasons master keys can be disabled
Master key actions are disabled if unavailable. There are several ways a master key can be disabled:
- The user does not have Storage Encryption Security permissions. See “Encryption user privileges” on page 15 for more information.
- The group leader is not discovered or managed by the Management application.
Saving the master key to a file
Use the following procedure to save the master key to a file.
1. Select Configure > Encryption from the menu task bar.
The Encryption Center dialog box displays.
2. Select a group from the Encryption Center Devices table, then select Group > Security from the menu task bar, or right-click a group and select Security.
The Encryption Group Properties dialog box displays with the Security tab selected.
3. Select Backup Master Key as the Master Key Action.
The Master Key Backup dialog box displays, but only if the master key has already been generated.
4. Select Backup Master Key as the Master Key Action.
The Master Key Backup dialog box displays, but only if the master key has already been generated.
FIGURE 67 Backup Destination (to file) dialog box
5. Select File as the Backup Destination.
6. Enter a file name, or browse to the desired location.
7. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
8. Re-enter the passphrase for verification.
9. Click OK.
ATTENTION: Save the passphrase. This passphrase is required if you ever need to restore the master key from the file.
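The master key hierarchy described in this chapter (the active master key wraps new DEKs, a restored alternate master key unwraps DEKs from an older active key, and a file backup is protected by an 8-to-40-character passphrase), as an added Python illustration that is not Brocade code. The EncryptionGroup class, the key-ID scheme, and the HMAC-SHA256 counter-mode keystream standing in for the product's undocumented cipher and file format are all assumptions made so the script runs with the standard library alone.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed; the product's actual derivation is not documented here


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in cipher: XOR data with an HMAC-SHA256 counter-mode keystream.
    Provides no integrity check; a real wrap format would authenticate the ciphertext."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def _key_id(key: bytes) -> str:
    # Assumed identifier: each wrapped DEK records which master key wrapped it.
    return hashlib.sha256(key).hexdigest()[:16]


class EncryptionGroup:
    """One active master key, at most one alternate master key, and an opaque vault
    holding DEKs wrapped under whichever master key was active at the time."""

    def __init__(self):
        self.active = None           # current master key bytes, or None
        self.alternate = None        # restored older master key, or None
        self.active_backed_up = False
        self.vault = {}              # DEK id -> (master key id, nonce, wrapped DEK)

    def create_master_key(self):
        # Page rule: creating a new key is only enabled when none exists or the
        # previous key has been backed up.
        if self.active is not None and not self.active_backed_up:
            raise RuntimeError("previous master key has not been backed up")
        self.active = secrets.token_bytes(32)
        self.active_backed_up = False

    def new_dek(self):
        # Page rule: encryption is not allowed until the master key has been backed up.
        if self.active is None or not self.active_backed_up:
            raise RuntimeError("back up the master key before encrypting")
        dek = secrets.token_bytes(32)
        nonce = secrets.token_bytes(12)
        dek_id = _key_id(dek)
        self.vault[dek_id] = (_key_id(self.active), nonce, _keystream_xor(self.active, nonce, dek))
        return dek_id, dek

    def unwrap_dek(self, dek_id: str) -> bytes:
        mk_id, nonce, wrapped = self.vault[dek_id]
        # Try the active key first, then the alternate key (the page's use case for
        # reading a tape written under a different active master key).
        for mk in (self.active, self.alternate):
            if mk is not None and _key_id(mk) == mk_id:
                return _keystream_xor(mk, nonce, wrapped)
        raise KeyError("no loaded master key wrapped this DEK; restore the alternate master key")

    def backup_to_file(self, passphrase: str) -> bytes:
        """Return the file blob: salt || master key wrapped under a passphrase-derived key."""
        if self.active is None:
            raise RuntimeError("no master key to back up")
        if not 8 <= len(passphrase) <= 40:   # page rule: 8 to 40 characters
            raise ValueError("passphrase must be between 8 and 40 characters")
        salt = secrets.token_bytes(16)
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
        self.active_backed_up = True
        return salt + _keystream_xor(kek, salt[:12], self.active)

    @staticmethod
    def restore_from_file(blob: bytes, passphrase: str) -> bytes:
        salt, wrapped = blob[:16], blob[16:]
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
        return _keystream_xor(kek, salt[:12], wrapped)


def old_tape_needs_alternate_key() -> bool:
    """Walk the page's alternate-master-key scenario; True if the old DEK is only
    recoverable after the old master key is restored as the alternate key."""
    g = EncryptionGroup()
    g.create_master_key()
    old_backup = g.backup_to_file("tape-era-passphrase")
    dek_id, dek = g.new_dek()          # DEK protecting an old tape
    g.create_master_key()              # group moves to a new active master key
    g.backup_to_file("new-era-passphrase")
    try:
        g.unwrap_dek(dek_id)
        return False                   # should not be readable yet
    except KeyError:
        pass
    g.alternate = EncryptionGroup.restore_from_file(old_backup, "tape-era-passphrase")
    return g.unwrap_dek(dek_id) == dek
```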