Important: All nodes in an EG must be at the same firmware level before starting a rekey or first-time encryption operation.

A firmware consistency check for Fabric OS v6.4.0(x) and later is enforced in an EG if any of the v6.4.0(x) features are enabled. If any Fabric OS v6.4.0(x) feature is in an enabled state, any firmware download to Fabric OS v6.3.x or earlier is blocked:

- Do not try registering a node running Fabric OS v6.3.x or earlier to an EG when all nodes are running Fabric OS v6.4.0(x) with one or more Fabric OS v6.4.0(x) features enabled.
- Disable all Fabric OS v6.4.0(x) features before ejecting a node running Fabric OS v6.4.0(x) and registering the node as a member of an EG with nodes running Fabric OS v6.3.x or earlier.

A firmware consistency check for Fabric OS v6.4.1 or later is enforced if the key vault is set to Tivoli Key Lifecycle Manager (TKLM). When the firmware consistency check is enabled, any firmware download to Fabric OS v6.4.0 or earlier is blocked:

- Do not try registering a node running Fabric OS v6.4.0 or earlier to an EG when all nodes are running Fabric OS v6.4.1 or later and the key vault is set to TKLM.
- After ejecting a node running Fabric OS v6.4.1 or later, set the key vault to any key vault other than TKLM before registering the node as a member of an EG with nodes running Fabric OS v6.4.0 or earlier.

Reboot: Changing the key vault type (cryptocfg --set -keyvault) is a disruptive operation that requires you to reboot the node, or both Control Processors in the case of an IBM SAN768/384.

6.2 Master key maintenance

The master key is a Key Encryption Key (KEK) that is used to encrypt and decrypt DEKs when storing DEKs in the key vaults. One master key exists per EG. Therefore, all node EEs within an EG use the same master key to encrypt and decrypt the DEKs. A master key must be generated by the group leader EE. The master key can be generated once by the group leader and then propagated to the other members of an EG.
Back up the master key: It is important to back up the master key, because if the master key is lost, none of the DEKs can be restored and none of the encrypted data can be decrypted. Only the active master key can be backed up, and multiple backups are advised.

The master key can be backed up to any of the following devices or locations:

- A file as an encrypted key.
- The key vault as an encrypted key record.
- A set of recovery smart cards. This option is only available if the switch is managed by the Data Center Fabric Manager (DCFM) workstation, and if a card reader is available for attachment to the workstation.
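
The firmware consistency rules from the Important note earlier in this section, written as a pre-flight check to run before registering a node or starting a rekey. This is an added example, not code from this book or from Fabric OS. The dictionary layout, the function names and the "OTHER" vault placeholder are assumptions, and a version's letter suffix is treated as part of the firmware level.

```python
import re

def parse_fos(version):
    """Turn 'v6.4.1', 'V6.4.0b' or '6.3.2' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"[vV]?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {version!r}")
    return tuple(int(p) for p in m.groups())

def min_firmware(eg):
    """Lowest firmware a member may run, or None when no consistency check applies."""
    floors = []
    if eg["v640_features_enabled"]:
        floors.append((6, 4, 0))   # v6.3.x or earlier is blocked
    if eg["key_vault"].upper() == "TKLM":
        floors.append((6, 4, 1))   # v6.4.0 or earlier is blocked
    return max(floors) if floors else None

def can_register(eg, node_version):
    """Return (allowed, reason) for adding a node at node_version to the EG."""
    floor = min_firmware(eg)
    if floor is not None and parse_fos(node_version) < floor:
        need = "v" + ".".join(map(str, floor))
        return False, f"{node_version} is below {need}, which this EG enforces"
    return True, "no firmware consistency check blocks this node"

def ready_for_rekey(eg):
    """All nodes must report the same level before rekey or first-time encryption."""
    levels = {v.strip().lower().lstrip("v") for v in eg["nodes"].values()}
    return len(levels) == 1

# Constructed sample encryption groups; "OTHER" stands for any non-TKLM key vault.
EG_TKLM = {"key_vault": "TKLM", "v640_features_enabled": False,
           "nodes": {"sw1": "v6.4.1", "sw2": "v6.4.1"}}
EG_FEATURES = {"key_vault": "OTHER", "v640_features_enabled": True,
               "nodes": {"sw1": "v6.4.0a", "sw2": "v6.4.0b"}}

if __name__ == "__main__":
    for eg, candidate in ((EG_TKLM, "v6.4.0"), (EG_FEATURES, "v6.3.2"),
                          (EG_FEATURES, "v6.4.0")):
        print(candidate, can_register(eg, candidate), "rekey-ready:", ready_for_rekey(eg))
```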