Fabric OS Encryption Administrator's Guide
53-1002159-03
Terminology
The following are definitions of terms used extensively in this document.

ciphertext
Encrypted data.

cleartext
Unencrypted data.

CryptoModule
The secure part of an encryption engine that is protected to the FIPS 140-2 level 3 standard. The term CryptoModule is used primarily in the context of FIPS authentication.

Data Encryption Key (DEK)
An encryption key generated by the encryption engine. The DEK is used to encrypt cleartext received from a host before it is sent to a target LUN, and to decrypt that data when it is retrieved by the host.

Data Encryption Key Cluster (DEK Cluster)
A cluster of encryption engines that can host all paths to a LUN and share the same Data Encryption Key (DEK) set. The encryption engines can be in the same or different fabrics. DEK clusters enable host MPIO failover.

Encryption Engine
The entity within a node that performs encryption operations, including the generation of Data Encryption Keys.

Encryption Group
A collection of one or more DEK clusters, HA clusters, or both, that share the same key vault and device configuration and are managed as a single group.

Failback
In the context of this implementation of encryption, failback refers to the behavior after a failed encryption switch recovers. Devices that were transferred to another switch by failover processing may be transferred back automatically, or they may be switched back manually. Which of the two applies is set by a configuration option.

Failover
In the context of this implementation of encryption, failover refers to the automatic transfer of devices hosted by one encryption switch to another encryption switch within a high availability cluster (HA cluster).

Group Leader
A special node within an encryption group that acts as the group and cluster manager, and that manages and distributes all group-wide and cluster-wide configuration to all members of the group or cluster.

High Availability Cluster (HA Cluster)
A collection of peer-level encryption engines that provide failover capabilities within a fabric.

Key Encryption Key (KEK)
A key used to encrypt and decrypt Data Encryption Keys (DEKs) within encryption devices, so that DEKs are transmitted in a secure manner outside of the encryption engines and stored persistently inside key vaults.

Link Key
A shared secret exchanged between an encryption engine and a FIPS 140-2 level 3 certified key management appliance and key vault. The link key is a Key Encryption Key (KEK) that is used to encrypt Data Encryption Keys (DEKs) in transit over a secure connection to and from the key vault. The key management appliance decrypts the DEKs and stores them encrypted with its own master key.

Logical Unit Number (LUN)
The identifier of a SCSI logical unit.

Master Key
A Key Encryption Key (KEK) used to encrypt and decrypt DEKs when storing DEKs in opaque key vaults. There is one master key per encryption group, which means that all node encryption engines within an encryption group use the same master key to encrypt and decrypt the DEKs.

Node
In terms of encryption, a Brocade Encryption Switch, DCX, or DCX-4S through which users can manage an encryption engine.