Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)
Fabric OS Encryption Administrator’s Guide 145
53-1001864-01
First time encryption
3
First time encryption
First time encryption, also referred to as encryption of existing data, is similar to the re-keying
process described in the previous section, except that there is no expired key and the data present
in the LUN is cleartext to begin with.
In a first time encryption operation, cleartext data is read from a LUN, encrypted with the current
key and written back to the same LUN at the same logical block address (LBA) location. This
process effectively encrypts the LUN and is referred to as “in-place encryption.”
Resource allocation
System resources for first time encryption sessions are shared with re-key sessions. There is an
upper limit of twelve sessions with two concurrent sessions per target. Refer to the re-key
“Resource allocation” on page 145 section for details.
First time encryption modes
First-time encryption can be performed under the following conditions:
• Offline encryption - The hosts accessing the LUN are offline or host I/O is halted while
encryption is in process.
• Online encryption - The hosts accessing the LUN are online and host I/O is active during the
encryption operation.
Configuring a LUN for first time encryption
First time encryption options are configured at the LUN level either during LUN configuration with
the cryptocfg
--add -LUN command, or at a later time with the cryptocfg --modify -LUN command.
1. Set the LUN policy to encrypt to enable encryption on the LUN. All other options related to
encryption are enabled. A DEK is generated and associated with the LUN.
2. Enable first time encryption by setting the -enable_encexistingdata parameter. The existing
data on the disk is encrypted using the configured DEK.
3. Optionally set the auto re-keying feature with the cryptocfg --enable_rekey command and
specify the interval at which the key expires and automatic re-keying should take place (time
period in days) Enabling automatic re-keying is valid only if the LUN policy is set to encrypt and
the encryption format is Brocade native. Refer to the section “Crypto LUN parameters and
policies” on page 129 for more information.
The following example configures a LUN for first time encryption with re-keying scheduled at a
6-month interval. You must commit the operation to take effect.
FabricAdmin:switch>cryptocfg --add -LUN my_disk_tgt 0x0 \
10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a -encrypt \
-enable_encexistingdata -enable_rekey 180
Operation Succeeded