1-7
Cisco MDS 9000 Family NX-OS Storage Media Encryption Configuration Guide
OL-29289-01
Chapter 1 Storage Media Encryption Overview
About SME
•
Tape volume group—A logical set of tape volumes that are configured for a specific use, for
example, a group of tape volumes used to backup a database.
•
Disk group—The disks that are grouped functionally to form disk groups.
•
Disk—Disk is a LUN. A LUN is a logical unit that is exported to the host by the storage controller.
•
IT-NEXUS—Initiator or Target pWWNs that defines a host to target connection.
•
SME node—Each switch in the cluster is called an SME node and plays a role in determining if the
cluster has a quorum.
•
Cisco Key Management Center (CKMC)—A component of DCNM-SAN that stores the encryption
keys.
•
Master key—An encryption key generated when an SME cluster is created. The master key encrypts
the tape volume keys and tape keys and it is required to decrypt those keys in order to retrieve
encrypted data.
•
Media key—A key that is used for encrypting and authenticating the data on specific tapes.
•
Disk key—A key that is used for encrypting and authenticating the data on specific disks.
•
SmartCard—A card (approximately the size of a credit card) with a built-in microprocessor and
memory used for authentication.
•
SME Administrator—An administrator who configures SME. This role includes the Cisco Storage
Administrator role where the administrator manages the SME operations and the SME KMC
Administrator role where the administrator is responsible for the SME key management operations.
•
Storage Administrator —An administrator who manages the SME operations.
•
SME KMC Administrator—An administrator who is responsible for the SME key management
operations.
•
SME Recovery Officer—A data security officer entrusted with smart cards and the associated PINs.
Each smart card stores a share of the cluster master key. Recovery officers must present their cards
and PINs to recover the key database of a deactivated cluster. A quorum of recovery officers are
required to execute this operation.
Supported Topologies
SME supports single-and dual-fabric topologies. The Cisco MSM-18/4 module, the MDS 9222i switch,
and the SSN-16 provides the SME engines used by SME to encrypt and compress data-at-rest. Multiple
modules can be deployed in a Fibre Channel fabric to easily scale-up performance, to enable simplified
load balancing, and to increase availability. In a typical configuration, one MSM-18/4 module is required
in each SME cluster.
SME clusters include designated backup servers, tape libraries, and one or more MDS switches running
Cisco SAN-OS Release 3.2(2c) or later or NX-OS 4.x or later. One cluster switch must include an
MSM-18/4 module. With easy-to-use provisioning, traffic between any host and tape on the fabric can
utilize the SME services.
Required SME engines are included in the following Cisco products:
•
Cisco MDS 9000 Family 18/4-Port Multiservice Module (MSM-18/4)
•
Cisco MDS 9222i Multiservice Module Switch
•
Cisco MDS 16-Port Storage Services Node (SSN-16)
