Brocade Fabric OS Command Reference Manual v6.2.0 (53-1001186-01, April 2009)

ManualsBrandsHP ManualsStorageHP StorageWorks 4/256 SAN Director Switch Power Pack

141

142

143

144

145

146

147

148

149

150

122 Fabric OS Command Reference

53-1001186-01

cryptoCfg

cryptocfg --eject -membernode node_WWN

cryptocfg --leave_encryption_group

cryptocfg --genmasterkey

cryptocfg --exportmasterkey [-file]

cryptocfg --recovermasterkey currentMK | alternateMK

-keyID keyID | -srcfile filename

cryptocfg --show -groupcfg

cryptocfg --show -groupmember -all | node_WWN

Description Use these cryptoCfg commands to create or delete an encryption group, to add or remove group

member nodes or key vaults, to manage keys including key recovery from backup, and to configure

group-wide policies, such as failover and Heartbeat.

An encryption group is a collection of encryption engines that share the same key vault and are

managed as a group. All EEs in a node are part of the same encryption group. Fabric OS v6.2.0

supports up to four nodes per encryption group, and up to two encryption engines per node. The

maximum number of EEs per encryption group is eight.

With the exception of the --help and --show commands, all group configuration functions must

be performed from the designated group leader. The encryption switch or blade on which you

create the encryption group becomes the designated group leader. The group leader distributes all

relevant configuration data to the member nodes in the encryption group.

The groupCfg commands includes two display options that show group configuration and group

member information. Refer to the Appendix of the Fabric OS Encryption Administrator’s Guide for a

more comprehensive explanation of system states.

Use --show -groupcfg to display encryption group and member configuration parameters,

including the following:

• Encryption group name

• Encryption group policies:

- Failback mode: Auto or Manual

- Heartbeat misses: value

- Heartbeat timeout: value in seconds

• For each configured key vault, primary and secondary, the command shows:

- IP address

- Certificate ID

- Certificate label: user-generated file name

- State: connected, disconnected, up, authentication failure, or unknown.

- Key vault type: LKM, RKM, SKM

If an SKM key vault is configured in HA mode, no connection information is displayed

because the system is unable to detect the connection status of an SKM appliance in an

HA configuration. Refer to the example section for an illustration.

• Node list display includes:

- Total number of defined nodes