Querying the encryption setting of a channel path

Red Hat Enterprise Linux 8.6 LPAR mode z/VM guest KVM guest

A read-only attribute shows the Fibre Channel Endpoint Security status of the connection to the DASD device.

About this task

Fibre Channel Endpoint Security (FCES) is a hardware feature that encrypts traffic between the Z host system and storage server transparently. You can read the current state of the FCES for a DASD from the fc_security attribute. The attribute is available per DASD device and per path.

For a device, the attribute can take the following values:
Authentication
The connection is authenticated.
Encryption
The connection is encrypted.
Inconsistent
At least one of the operational paths is in a different state from all others.
Unsupported
The DASD device does not support FCES.

The sysfs attributes per path are organized in a directory called paths_info with sub-directories for each path. For example:

/sys/bus/ccw/devices/0.0.4711/paths_info/
|-- 0.38
| ’-- fc_security
|-- 0.39
| ’-- fc_security
|-- 0.3a
| ’-- fc_security
For a path, the fc_security attribute can be Authentication, Encrypted, and Unsupported.

Procedure

FCES for a device is available if the fc_security sysfs attribute is Encryption.

To query the FCES status of a DASD device, issue a command of this form:
# lsdasd -l <device_bus_id>
or, using lszdev:
# lszdev <device_bus_id> -a -c TYPE,ID,ATTR:fc_security,ATTRPATH:fc_security
Alternatively, you can read the sysfs attribute directly:
# cat /sys/bus/ccw/devices/<device_bus_id>/fc_security

where /sys/bus/ccw/devices/<device_bus_id> represents the device in sysfs.

Examples

  • To query the FCES status for a device 0.0.4711, issue:
    # lsdasd -l 0.0.4711
    
    0.0.4711/dasdc/94:8
      status:                           active
      type:                             ECKD
      ...                               ...
      fc_security:                      Encryption
    This example indicates that the connection to the DASD is encrypted.
  • To query the FCES status for a device 0.0.4711 using the lszdev command, issue:
    $ lszdev 0.0.4711 -a -c TYPE,ID,ATTR:fc_security,ATTRPATH:fc_security
    TYPE       ID       ATTR:fc_security  ATTRPATH:fc_security
    dasd-eckd  0.0.4711 Encryption        /sys/bus/ccw/drivers/dasd-eckd/0.0.4711/fc_security
  • To query the FCES status for a device 0.0.4712 by reading from the fc_security sysfs attribute:
    # cat /sys/bus/ccw/devices/0.0.4712/fc_security
    Unsupported
    This example indicates that DASD 0.0.4712 does not support FCES.
  • To read the fc_security attribute of path 0.38 for DASD 0.0.4711, issue:
    # cat /sys/bus/ccw/devices/0.0.4711/paths_info/0.38/fc_security
    Encrypted