02-20-2010 10:51 PM
Before I begin, let me say I am not familiar with encryption hardware.
The question is maybe stupid, but what happens to the files in the production environment on an encryption hardware failure?
What happens to all the files when I decide to completely remove or replace the encryption hardware/switches with standard SAN switches?
I have a mixed fabric containing standard SAN switches plus "ONE" additional Brocade Encryption SAN Switch, and the encryption SAN switch crashes/fails.
Will I continue to have access to the file when the encryption hardware fails?
02-22-2010 07:59 AM
The Brocade encryption switch encrypts block-level data at the LUN on disks or on tape media - i.e. has no knowledge or understanding of content and file-level data. Once you encrypt data on a disk drive using a Brocade encryption switch, you must use a Brocade encryption switch to decrypt the data. If you were to replace the encryption switch with a regular switch then the servers would be reading encrypted data only.
In this case, since you become dependent on the encryption switches to access the data, you would configure these solutions with at least one encryption switch per fabric (in a typical dual fabric configuration) to prevent a loss of availability. For tape implementations where you may only have one fabric, you could use just one encryption switch for this. In the case of a hardware failure in a single fabric configuration, you would need to physically replace the failed encryption switch and reconfigure it - which can take time obviously. However, you can optionally implement an HA configuration where you can have two encryption switches in any given fabric configured such that one unit will take over the load of the other in the event of a hardware failure.
By the way, you can use the Brocade encryption switch as a standalone switch with all of the servers and storage devices directly connected to it or, you can simply connect it to an existing fabric using ISLs and the data will be encrypted at the LUN level regardless of where the servers or storage devices are physically connected in the fabric. This is accomplished using the Brocade frame redirection technology introduced back in FOS 5.3.
02-22-2010 08:37 AM
Most encryption configurations are typically made of a pair of encryption devices and a pair of key vaults in a highly available redundant configuration.
Once you do the initial keying of your data you move to an encrypted world in your SAN where data-at-rest is always encrypted.
If one device fails, the failover feature takes over and continues processing.
Careful planning is highly recommended in that you should not deploy encryption in a SAN and then arbitrarily decide to remove it.