Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)

Re-keying best practices and policies
Re-keying should be done only when necessary. In key management systems, DEKs are never
exposed in an unwrapped or unencrypted state. You must re-key if the master key is compromised.
The practice of re-keying should be limited to the following cases:
Master key compromise.
Insider security breaches.
As a general security policy, as infrequently as every six months or once per year.
When using LKM, DEKs are accessible only to privileged users and can be compromised only by an
insider security breach.
Manual re-key
Ensure that the link to the key management system is up and running before you attempt a manual
re-key.
Latency in re-key operations
Host I/O for regions other than the current re-key region incurs no added latency during a re-key
operation. Host I/O for the region currently being re-keyed sees minimal latency (a few
milliseconds) because I/O is held until the re-key of that region is complete. The I/O sync links (the Ethernet ports
labeled Ge0 and Ge1) must be configured, and must both be connected to the I/O sync LAN to
enable proper handling of re-key state synchronization in high availability (HA cluster)
configurations.
Allow re-key to complete before deleting a container
Do not delete a crypto container while a re-key session is in progress or has not completed. If you want
to delete a container, first use the command cryptocfg --show -rekey -all to display the status of all re-key
sessions. If any re-key session is not 100% complete, do not delete the container. If you do delete
the container before re-key is complete, and subsequently add the LUN back as cleartext, all data
on the LUN is destroyed.
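A pre-delete gate that applies this rule, added here as an example and not taken from the guide or from Fabric OS: it reads saved output of cryptocfg --show -rekey -all and refuses to proceed unless every session reports 100%. The output layout it parses is an assumption (only that each session's progress appears as "NN%" on some line), and the sample status files are constructed.

```sh
#!/bin/sh
# Pre-delete gate: refuse to remove a crypto container while any re-key
# session is still running. The status text is expected to be the saved
# output of "cryptocfg --show -rekey -all" from the encryption switch.
# ASSUMPTION: the real output layout is not reproduced here; the parser only
# relies on each session reporting its progress as "NN%" somewhere on a line.
# Adjust the sed pattern if your switch prints progress differently.

# rekey_all_complete STATUSFILE
#   returns 0  every session reports 100%   -> safe to delete
#   returns 1  at least one session < 100%  -> do not delete
#   returns 2  no progress line found       -> unknown, treat as unsafe
rekey_all_complete() {
    # Prefix a space so a percentage at line start still matches [^0-9].
    _pcts=$(sed -n 's/^/ /; s/.*[^0-9]\([0-9]\{1,3\}\)%.*/\1/p' "$1")
    [ -n "$_pcts" ] || return 2
    for _p in $_pcts; do
        [ "$_p" -eq 100 ] || return 1
    done
    return 0
}

# write_samples DIR
#   Constructed sample status files (NOT real cryptocfg output) for a dry run.
write_samples() {
    printf 'Container: ctc_a\n Session 1 progress: 100%%\n Session 2 progress: 100%%\n' \
        > "$1/rekey_done.txt"
    printf 'Container: ctc_b\n Session 1 progress: 100%%\n Session 2 progress: 37%%\n' \
        > "$1/rekey_busy.txt"
    printf 'Container: ctc_c\n (no re-key sessions)\n' > "$1/rekey_none.txt"
}

# Dry run: print the delete decision for each constructed sample.
demo() {
    _d=${TMPDIR:-/tmp}/rekey_gate.$$
    mkdir -p "$_d" && write_samples "$_d"
    for _f in "$_d"/*.txt; do
        if rekey_all_complete "$_f"; then
            echo "$_f: no re-key in progress, container may be deleted"
        else
            echo "$_f: re-key incomplete or unknown (rc=$?), do NOT delete"
        fi
    done
    rm -rf "$_d"
}

demo
```

On a real switch, replace the sample files with the captured command output and run the deletion only when rekey_all_complete returns 0.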
Re-key operations and firmware upgrades
All nodes in an encryption group must be at the same firmware level before starting a re-key or
first-time encryption operation. Make sure that existing re-key or first-time encryption operations
complete before upgrading any of the encryption products in the encryption group, and that the
upgrade completes before starting a re-key or first-time encryption operation.