Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron,
SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health
are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands,
products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their
respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning
any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to
this document at any time, without notice, and assumes no responsibility for its use. This informational document describes
features that may not be currently available. Contact a Brocade sales office for information on feature and product availability.
Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with
respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that
accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other
open source license agreements. To find out which open source software is included in Brocade products, view the licensing
terms applicable to the open source software, and obtain a copy of the programming source code, please visit
http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters
Brocade Communications Systems, Inc.
130 Holger Way
San Jose, CA 95134
Tel: 1-408-333-8000
Fax: 1-408-333-8101
E-mail: info@brocade.com
European Headquarters
Brocade Communications Switzerland Sàrl
Centre Swissair
Tour B - 4ème étage
29, Route de l'Aéroport
Case Postale 105
CH-1215 Genève 15
Switzerland
Tel: +41 22 799 5640
Fax: +41 22 799 5641
E-mail: emea-info@brocade.com
Asia-Pacific Headquarters
Brocade Communications Systems China HK, Ltd.
No. 1 Guanghua Road
Chao Yang District
Units 2718 and 2818
Beijing 100020, China
Tel: +8610 6588 8888
Fax: +8610 6588 9999
E-mail: china-info@brocade.com
Asia-Pacific Headquarters
Brocade Communications Systems Co., Ltd. (Shenzhen WFOE)
Citic Plaza
No. 233 Tian He Road North
Unit 1308 – 13th Floor
Guangzhou, China
Tel: +8620 3891 2000
Fax: +8620 3891 2111
E-mail: china-info@brocade.com
Document History
Title                                                             Publication number   Summary of changes                Date
Fabric OS Encryption Administrator’s Guide for SKM Environments   53-1001864-01        New product release               March 2010
Fabric OS Encryption Administrator’s Guide for SKM Environments   53-1001864-02        Maintenance release               November 2010
Fabric OS Encryption Administrator’s Guide for SKM Environments   53-1002159-01        Revised to support new features   April 2011
Fabric OS Encryption Administrator’s Guide for SKM Environments   53-1002159-02        Maintenance release               June 2011
Fabric OS Encryption Administrator’s Guide for SKM Environments   53-1002159-03        Added support for ESKM            July 2011
Fabric OS Encryption Administrator’s Guide iii
53-1002159-03
This document is organized to help you find the information that you want as quickly and easily as
possible.
The document contains the following components:
• Chapter 1, “Encryption Overview,” provides a task matrix, an overview of the data encryption
switch and the encryption solution, and the terminology used in this document.
• Chapter 2, “Encryption configuration using the Management application,” describes how to
configure and manage encryption features using Brocade Network Advisor.
• Chapter 3, “Configuring Brocade Encryption Using the CLI,” describes how to configure and
manage encryption features using the command line interface.
• Chapter 4, “Deployment Scenarios,” describes SAN configurations in which encryption may be
deployed.
• Chapter 5, “Best Practices and Special Topics,” summarizes best practices and addresses
special topics relevant to the implementation of encryption features.
• Chapter 6, “Maintenance and Troubleshooting,” provides information on troubleshooting and
the most common commands and procedures to use to diagnose and recover from problems.
• Appendix A, “State and Status Information,” lists the encryption engine security processor (SP)
states, security processor key encryption key (KEK) status information, and encrypted LUN
states.
Supported hardware and software
The following hardware platforms support data encryption as described in this manual.
• Brocade DCX and DCX-4S with an FS8-18 encryption blade.
• Brocade Encryption Switch.
What’s new in this document
The purpose of this release is to note that HP Enterprise Secure Key Manager (ESKM) is now
supported.
Document conventions
This section describes text formatting conventions and important notice formats used in this
document.
Text formatting
The narrative-text formatting conventions that are used are as follows:
bold text     Identifies command names
italic text   Provides emphasis
code text     Identifies CLI output
For readability, command names in the narrative portions of this guide are presented in mixed
lettercase: for example, switchShow. In actual examples, command lettercase is often all
lowercase. Otherwise, this manual specifically notes those cases in which a command is case
sensitive.
Identifies the names of user-manipulated GUI elements
Identifies keywords and operands
Identifies text to enter at the GUI or CLI
Identifies variables
Identifies paths and Internet addresses
Identifies document titles
Identifies command syntax examples
Command syntax conventions
Command syntax in this manual follows these conventions:
command            Commands are printed in bold.
--option, option   Command options are printed in bold.
-argument, arg     Arguments.
[ ]                Optional element.
variable           Variables are printed in italics. In the help pages, variables are underlined or
                   enclosed in angled brackets < >.
...                Repeat the previous element, for example “member[;member...]”
value              Fixed values following arguments are printed in plain font. For example,
                   --show WWN
|                  Boolean. Elements are exclusive. Example: --show -mode egress | ingress
\                  Backslash. Indicates that the line continues through the line break. For
                   command line input, type the entire line without the backslash.
Notes, cautions, and warnings
The following notices and statements are used in this manual. They are listed below in order of
increasing severity of potential hazards.
NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference
to related information.
ATTENTION
An Attention statement indicates potential damage to hardware or data.
CAUTION
A Caution statement alerts you to situations that can cause damage to hardware, firmware,
software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely
hazardous to you. Safety labels are also attached directly to products to warn of these conditions
or situations.
Key terms
For definitions specific to Brocade and Fibre Channel, see the technical glossaries on Brocade
Connect. See “Brocade resources” on page xvi for instructions on accessing MyBrocade.
For definitions specific to this document, see “Terminology” on page 2.
For definitions of SAN-specific terms, visit the Storage Networking Industry Association online
dictionary at:
http://www.snia.org/education/dictionary
Notice to the reader
This document may contain references to the trademarks of the following corporations. These
trademarks are the properties of their respective companies and corporations.
These references are made for informational purposes only.
Corporation             Referenced Trademarks and Products
IBM                     Tivoli Key Lifecycle Manager (TKLM)
IBM                     IBM Tivoli Storage Manager (TSM)
Microsoft Corporation   Windows, Windows NT, Internet Explorer
• Best practice guides, white papers, data sheets, and other documentation are available through
the Brocade Partner website.
For additional resource information, visit the Technical Committee T11 Web site. This website
provides interface standards for high-performance and mass storage applications for Fibre
Channel, storage management, and other applications:
http://www.t11.org
For information about the Fibre Channel industry, visit the Fibre Channel Industry Association
website:
http://www.fibrechannel.org
Getting technical help
Contact your switch support supplier for hardware, firmware, and software support, including
product repairs and part ordering. To expedite your call, have the following information available:
1. General Information
• Switch model
• Switch operating system version
• Error numbers and messages received
• supportSave command output
• Detailed description of the problem, including the switch or fabric behavior immediately
following the problem, and specific questions
• Description of any troubleshooting steps already performed and the results
• Serial console and Telnet session logs
• syslog message logs
2. Switch Serial Number
The switch serial number and corresponding bar code are provided on the serial number label,
as illustrated below:
[Serial number label: bar code with the printed serial number FT00X0054E9]
The serial number label is located as follows:
• Brocade Encryption Switch—On the switch ID pull-out tab located inside the chassis on the
port side of the switch on the left.
• Brocade DCX—On the bottom right on the port side of the chassis.
• Brocade DCX-4S—On the bottom right on the port side of the chassis, directly above the
cable management comb.
3. World Wide Name (WWN)
Use the licenseIdShow command to display the WWN of the chassis.
If you cannot use the licenseIdShow command because the switch is inoperable, you can get
the WWN from the same place as the serial number, except for the Brocade DCX. For the
Brocade DCX, access the numbers on the WWN cards by removing the Brocade logo plate at
the top of the non-port side of the chassis.
Document feedback
Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and
completeness of this document. However, if you find an error or an omission, or you think that a
topic needs further development, we want to hear from you. Forward your feedback to:
documentation@brocade.com
Provide the title and version number of the document and as much detail as possible about your
comment, including the topic heading and page number and your suggestions for improvement.
Encrypting data-at-rest provides peace of mind in terms of protecting data from loss or theft, but
very careful planning must be done to ensure encrypted data is handled correctly. Much of the
planning must come from careful evaluation of host application and LUN resources, and of the
path that the data will take to get from one or more hosts to a LUN.
When implementing encryption for data-at-rest, all hosts that access a LUN that is to hold
encrypted data need to be configured for encryption to avoid data corruption. If a host, possibly in
another fabric, writes cleartext to an encrypted LUN, the data on the LUN will be lost. The user
must ensure that all hosts that can access a LUN are configured in the same manner.
Terminology
The following are definitions of terms used extensively in this document.

ciphertext
    Encrypted data.

cleartext
    Unencrypted data.

CryptoModule
    The secure part of an encryption engine that is protected to the FIPS 140-2 level 3
    standard. The term CryptoModule is used primarily in the context of FIPS
    authentication.

Data Encryption Key (DEK)
    An encryption key generated by the encryption engine. The DEK is used to encrypt
    cleartext received from a host before it is sent to a target LUN, and to decrypt that data
    when it is retrieved by the host.

Data Encryption Key Cluster (DEK Cluster)
    A cluster of encryption engines which can host all paths to a LUN and share the same
    data encryption key (DEK) set. The encryption engines can be in the same or different
    fabrics. DEK clusters enable host MPIO failover.

Encryption Engine
    The entity within a node that performs encryption operations, including the generation
    of Data Encryption Keys.

Encryption Group
    A collection of one or more DEK clusters, HA clusters, or both, which share the same key
    vault and device configuration, and is managed as a single group.

Failback
    In the context of this implementation of encryption, failback refers to behavior after a
    failed encryption switch recovers. Devices that were transferred to another switch by
    failover processing may automatically be transferred back, or they may be manually
    switched back. This is determined as a configuration option.

Failover
    In the context of this implementation of encryption, failover refers to the automatic
    transfer of devices hosted by one encryption switch to another encryption switch within
    a high availability cluster (HA cluster).

Group Leader
    A group leader is a special node within an encryption group which acts as a group and
    cluster manager, and manages and distributes all group-wide and cluster-wide
    configurations to all members of the group or cluster.

High Availability Cluster (HA Cluster)
    A collection of peer-level encryption engines that provide failover capabilities within a
    fabric.

Key Encryption Key
    A key used to encrypt and decrypt Data Encryption Keys (DEKs) within encryption
    devices so that DEKs are transmitted in a secure manner outside of the encryption
    engines, and stored persistently inside key vaults.

Link Key
    A shared secret exchanged between an encryption engine and a FIPS 140-2 level 3
    certified key management appliance and key vault. The link key is a Key Encryption
    Key (KEK) that is used to encrypt Data Encryption Keys (DEKs) in transit over a secure
    connection to and from the key vault. The key management appliance decrypts the
    DEKs and stores them encrypted with its own master key.

Logical Unit Number (LUN)
    The identifier of a SCSI logical unit.

Master Key
    A Key Encryption Key (KEK) used to encrypt and decrypt DEKs when storing DEKs in
    opaque key vaults. There is one master key per encryption group. That means all node
    encryption engines within an encryption group use the same master key to encrypt and
    decrypt the DEKs.

Node
    In terms of encryption, a Brocade Encryption Switch, DCX, or DCX-4S through which
    users can manage an encryption engine.

Opaque Key Vault
    A storage location that provides untrusted key management functionality. Its contents
    may be visible to a third party. DEKs in an opaque key vault are stored encrypted in a
    master key to protect them.

Recovery cards
    A set of smart cards that contain a backup master key. Each recovery card holds a
    portion of the master key. The cards must be gathered and read together from a card
    reader attached to a PC running the Brocade Data Center Fabric Manager (DCFM)
    application to restore the master key. Recovery cards may be stored in different
    locations, making it very difficult to steal the master key. The cards should not be stored
    together, as that defeats the purpose.

Redirection zone
    When encryption is implemented, data traffic is routed to and from virtual initiators and
    virtual targets. Redirection zones are automatically created to enable frame redirection
    to the virtual initiators and virtual targets.

Re-keying
    Re-keying refers to decrypting data with the current Data Encryption Key (DEK), and
    encrypting it with a new DEK. This is done when the security of the current key is
    compromised, or when a DEK is configured to expire in a specific time frame. The
    re-keying operation can be used to encrypt existing data currently stored as cleartext. In
    that case, there is no existing DEK, and the data does not have to be decrypted before it
    is encrypted using the new DEK.

Trusted Key Vault
    Very secure storage on a hardware appliance that establishes a trusted link with the
    encryption device for secure exchange of DEKs. DEKs are encrypted with the link key for
    transit between the encryption device and the hardware appliance. At the hardware
    appliance, the DEKs are re-encrypted, using a master key created and maintained by the
    hardware appliance, and then stored in the trusted key vault.

Virtual Initiator
    A logical entity that acts as a stand-in for a physical host when communicating with a
    physical target LUN.

Virtual Target
    A logical entity that acts as a stand-in for a physical target LUN when communicating
    with a physical host. A virtual target is mapped one to one to a specific physical target.
The Brocade Encryption Switch
The Brocade Encryption Switch (BES) is a high performance 32 port auto-sensing 8 Gbps Fibre
Channel switch with data cryptographic (encryption/decryption) and data compression capabilities.
The switch is a network-based solution that secures data-at-rest for heterogeneous tape drives,
disk array LUNs, and virtual tape libraries by encrypting the data using Advanced Encryption
Standard (AES) 256-bit algorithms. Encryption and decryption engines provide in-line encryption
services with up to 96 Gbps throughput for disk I/O (mix of ciphertext and cleartext traffic) and up
to 48 Gbps throughput for tape I/O (mix of ciphertext and cleartext traffic). Refer to “The FS8-18
blade” on page 5 for information about license requirements for 48 Gbps and 96 Gbps throughput.
In addition to its 32 Fibre Channel ports, the switch has one RJ45 Gigabit Ethernet (GE)
management port, two RJ45 GE ports for clustering interconnection and re-key synchronization,
one RJ45 Serial console port, and one USB port for serviceability, error logging, and firmware
upgrades (Figure 1).
FIGURE 1 Brocade Encryption Switch
1. Power LED.
2. Status LED.
3. RJ45 gigabit Ethernet ports (labeled eth0 and eth1) for clustering and centralized
   management of multiple encryption switches through a group leader.
4. Smart card reader.
5. RJ45 gigabit Ethernet port for the management interface. This interface is used for the secure
   connection to the key vault location and to the Data Center Fabric Manager (DCFM).
6. RJ45 serial console port.
7. USB port for firmware upgrades and other support services.
8. Fibre Channel ports (0-31) - 1, 2, 4, or 8 Gbps auto-sensing F, FL, E, EX, or M ports to connect
   host servers, SAN disks, SAN tapes, edge switches, or core switches.
The FS8-18 blade
The FS8-18 blade provides the same features and functionality as the encryption switch. The
FS8-18 blade installs on the Brocade DCX and DCX-4S. Four FS8-18 blades may be installed in a
single DCX or DCX-4S.
FIPS mode
Both the BES and the FS8-18 blade always boot up in FIPS mode, which cannot be disabled. In this
mode, only FIPS-compliant algorithms are allowed.
Performance licensing
Encryption processing power is scalable, and may be increased by purchasing and installing an
encryption performance license. The base unit Brocade Encryption Switch and FS8-18 Encryption
Blade have a standard capacity of 48 Gbps of encryption processing power. Additional encryption
processing power can be added for disk I/O by purchasing and installing an Advanced Disk
Encryption Performance Upgrade license. When the performance upgrade license is applied,
encryption processing power of up to 96 Gbps is available for disk encryption. Note that when the
license is applied to a DCX or DCX-4S chassis, it applies to all FS8-18 blades installed on that
chassis.
Adding a license
The encryption performance licenses are added just like any other Fabric OS feature license. After
the license is added, the encryption switch, DCX, or DCX-4S with encryption blades installed must
be rebooted for the license to take effect. See the Fabric OS Administrator’s Guide for information
about obtaining and adding licenses.
Licensing best practices
Licenses installed on the switches and blades must have identical performance numbers when
used together in high availability (HA) clusters or data encryption key (DEK) clusters.
Recommendation for connectivity
In order to achieve high performance and throughput, the encryption engines perform what is
referred to as “cut-through” encryption. In simple terms, this is achieved by encrypting the data in
data frames on a per-frame basis. This enables the encryption engine to buffer only one frame,
encrypt it, and send out the frame to the target on write I/Os. For read I/Os, the reverse is done.
This puts some constraints on the topology and the container configurations to support acceptable
performance for encrypted and decrypted I/O to and from LUNs, and to support acceptable levels
of scale in terms of the number of LUNs and the number of flows. The topology and container
configuration constraints are stated below:
Care must be taken when connecting the encryption engines to the fabric and configuring
crypto-target containers to be sure that the traffic flow between the host initiator and the physical
storage array LUN through the container flows through only one encryption engine that is hosting
the container. This is to avoid crisscrossing of flows to and from virtual entities; that is, from virtual
targets and virtual initiators on two different encryption engines over the same path.
Although there is considerable flexibility in connecting and configuring the containers for
encryption, the following guidelines are the recommended best practices:
• Host and Storage Array ports that are not involved in any encryption flow can be connected to
any encryption engines (EEs).
• Recommendations for host and target ports with respect to encryption flows are as follows:
  - For high availability (HA) purposes, only ISLs are connected to the Brocade Encryption
    Switch encryption engine to connect it to the fabric. No devices (initiators and targets) are
    connected to it.
  - To maintain HA, we recommend that devices (hosts and targets) and ISLs not be
    connected directly to the encryption blades (FS8-18) in a DCX/DCX-4S in a single-path
    configuration.
Usage limitations
There are usage limitations to be aware of when planning an encryption implementation:
• Special redirection zones are created to handle data that is redirected to an encryption switch
or blade. Quality of Service (QoS) cannot be applied to a redirection zone.
• For frame redirection to be applied, regular zones for hosts and targets must be defined in the
effective configuration. Hosts and targets must be zoned together by worldwide port name
(WWPN) rather than worldwide node name (WWNN) in configurations where frame redirection
will be used. If hosts or targets are zoned together using worldwide node name, frame
redirection will not occur properly.
Alias zoning is not supported in containers. You must use the real WWPN.
• On tapes written in DataFort format, the encryption switch or blade cannot read and decrypt
files with a block size of 1 MB or greater.
• The Top Talker feature is not compatible with redirection zones. The Top Talker feature should
not be enabled when an encryption switch or blade is present in the fabric.
Brocade encryption solution overview
[Figure 2 elements: Host; Encryption Switch; Key Management System holding DEKs; cleartext
between the host and the switch; ciphertext based on AES256-GCM and on AES256-XTS to Disk
Storage and Tape Storage]
The loss of stored private data, trade secrets, intellectual property, and other sensitive
information through theft or accidental loss of disk or tape media can have widespread negative
consequences for governments, businesses, and individuals. This threat is countered by an
increasing demand from governments and businesses for solutions that create and enforce
policies and procedures that protect stored data. Encryption is a powerful tool for data protection.
Brocade provides an encryption solution that resides in a Storage Area Network (SAN) fabric. This
location, between computers and storage, is ideal for implementing a solution that works
transparently with heterogeneous servers, disk storage subsystems, and tape libraries. Data
entering the SAN from a server is encrypted before it is written to storage. When stored data is
encrypted, theft or loss of storage media does not pose a security threat.
Figure 2 provides a high-level view of the Brocade encryption solution. Cleartext is sent from the
server to the encryption engine, where it is encrypted into ciphertext using one of two encryption
algorithms: one for disk storage targets, and one for tape storage targets. The encrypted data
cannot be read without first being decrypted. The key management system is required for
management of the data encryption keys (DEKs) that are generated by the encryption engine, and
used for encrypting and decrypting the data. The key management system is provided by a
third-party vendor.
FIGURE 2 Encryption overview
[Figure 3 elements: Host; Encryption Switch with its Virtual Target and Virtual Initiator; Target 1
with LUN X in Fabric 1; cleartext between the host and the virtual target, ciphertext between the
virtual initiator and the target]
Data flow from server to storage
The Brocade Encryption Switch can be introduced into a SAN with minimum disruption, with no
need for SAN reconfiguration, and with no need to reconfigure host applications. Frames sent
between a host and a target LUN are redirected to a virtual target associated with the encryption
switch. The encryption switch then acts as a virtual initiator to forward the frames to the target LUN.
FIGURE 3Frame redirection
[Figure 4 elements: Key Management System connected over the LAN to an Encryption Group of
Node 1 (Group Leader), Node 2, Node 3, and Node 4, each with an EE; the nodes are also joined by
an IO Sync LAN]
Data encryption key life cycle management
Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and
decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the
ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly,
and some data may be stored for years or decades before it is accessed. To be sure the data
remains accessible, DEKs may also need to be stored for years or decades. Key management
systems provide life cycle management for all DEKs created by the encryption engine. Key
management systems are provided by third-party vendors.
Figure 4 shows the relationship of the LAN connections to the key vault and between encryption
nodes.
FIGURE 4 LAN connections to the key vault, and between encryption nodes
Regardless of the length of the life cycle, there are four stages in the life of a DEK, as shown in
Figure 5. A DEK is created by an encryption engine, distributed, then stored in a key vault. The key
is used to encrypt and decrypt data at least once, and possibly many times. A DEK may be
configured to expire in a certain time frame to avoid becoming compromised. Under those
conditions, it must be used one more time to decrypt the data, and the resulting cleartext is
encrypted with a new key (re-keyed).
FIGURE 5 DEK life cycle
Master key management
Communications with opaque key vaults are encrypted using a master key that is created by the
encryption engine on the encryption switch. Currently, this includes the key vaults of all supported
key management systems except NetApp LKM.
Master key generation
A master key must be generated by the group leader encryption engine. The master key can be
generated once by the group leader, then propagated to the other members of an encryption group.
Master key backup
It is essential to back up the master key immediately after it is generated. The master key may be
backed up to any of the following:
• A file as an encrypted key
• The key management system as an encrypted key record
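The DEK life cycle above, the master key that protects DEKs in an opaque key vault, and the re-keying step defined under “Terminology” are shown together in this added Go example, which is not Brocade’s code and does not reproduce the switch’s formats. It assumes AES-256-GCM both for wrapping DEKs under the master key and for encrypting data (the guide’s disk mode, AES256-XTS, is not in Go’s standard library), and the vault record layout, DEK IDs, and sample LUN block are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Key is a 256-bit AES key: a data encryption key (DEK) or the encryption group's master key.
type Key []byte

// newKey stands in for key generation inside the encryption engine; crypto/rand does not fail in practice.
func newKey() Key {
	k := make(Key, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key Key) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM and returns nonce||ciphertext||tag (a layout constructed for this example).
func sealGCM(key Key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a wrong key or a tampered blob fails authentication.
func openGCM(key Key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// OpaqueVault models a vault whose contents may be visible to a third party: it holds DEKs only
// wrapped under the master key (the KEK), never the master key or a cleartext DEK.
type OpaqueVault map[string][]byte // DEK ID -> DEK wrapped under the master key

// StoreDEK wraps the DEK with the master key; the DEK ID is bound as associated data so a
// vault record cannot be relabelled without failing authentication.
func (v OpaqueVault) StoreDEK(master Key, dekID string, dek Key) error {
	w, err := sealGCM(master, dek, []byte(dekID))
	if err != nil {
		return err
	}
	v[dekID] = w
	return nil
}

// FetchDEK unwraps a stored DEK; an unknown ID or a wrong master key yields an error.
func (v OpaqueVault) FetchDEK(master Key, dekID string) (Key, error) {
	dek, err := openGCM(master, v[dekID], []byte(dekID))
	return Key(dek), err
}

// Rekey is the guide's re-keying step: decrypt with the expiring DEK, generate a new DEK,
// re-encrypt, and store the new DEK wrapped. The old DEK stays until all its data is re-keyed.
func Rekey(v OpaqueVault, master Key, oldID, newID string, ciphertext []byte) ([]byte, error) {
	oldDEK, err := v.FetchDEK(master, oldID)
	if err != nil {
		return nil, err
	}
	plain, err := openGCM(oldDEK, ciphertext, nil)
	if err != nil {
		return nil, err
	}
	newDEK := newKey()
	if err := v.StoreDEK(master, newID, newDEK); err != nil {
		return nil, err
	}
	return sealGCM(newDEK, plain, nil)
}
```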