Enabling and Disabling CPv4 Cipher Suites
Cipher suites for CPv4 are used for cloning to-and-from partitions, if the individual suites are enabled for a partition, and the use of CPv4 is not prevented by CPv1 being active (see Allow CPv1).
By default, eight CPv4 cipher suites are available and active, and the system negotiates the best/most secure suite for the current cloning operation, based on which suites are available to both the source and target partitions. If you have reason to do so, you can disable some cipher suites, which reduces negotiation time among those that remain enabled. You can also enable desired cloning cipher suites that have been disabled.
To show the current status of enabled and disabled cipher suites
1.Run partition ciphershow command.
lunacm:>partition ciphershow Cipher ID Cipher Suite Enabled __________________________________________________________________________________ 0 CPv3 RSA-4096-PKCS-SHA-384 AES-256-GCM Yes 1 CPv4 ECDSA-P521-SHA-512 ECDH-P521-SHA512 AES-256-GCM No 2 CPv4 ECDSA-P521-SHA-512 ECDH-P521-SHA512 No AES-256-CTR-SHA256-HMAC 3 CPv4 ECDSA-BP521-SHA-512 ECDH-BP521-SHA512 AES-256-GCM No 4 CPv4 ECDSA-BP521-SHA-512 ECDH-BP521-SHA512 No AES-256-CTR-SHA256-HMAC 5 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 AES-256-GCM No 6 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 No AES-256-CTR-SHA256-HMAC 7 CPv4 ECDSA-BP521-SHA3-512 ECDH-BP521-SHA3-512 No AES-256-GCM 8 CPv4 ECDSA-BP521-SHA3-512 ECDH-BP521-SHA3-512 No AES-256-CTR-SHA256-HMAC
To enable a cipher suite
1.Run the partition cipherenable command with the ID of the cloning cipher suite you want to enable.
lunacm:>partition cipherenable -id 1 CPv4 ECDSA-P521-SHA-512 ECDH-P521-SHA512 AES-256-GCM is now enabled Command Result : No Error
2.Run partition ciphershow command to verify the result.
lunacm:>partition ciphershow Cipher ID Cipher Suite Enabled __________________________________________________________________________________ 0 CPv3 RSA-4096-PKCS-SHA-384 AES-256-GCM Yes 1 CPv4 ECDSA-P521-SHA-512 ECDH-P521-SHA512 AES-256-GCM Yes 2 CPv4 ECDSA-P521-SHA-512 ECDH-P521-SHA512 No AES-256-CTR-SHA256-HMAC 3 CPv4 ECDSA-BP521-SHA-512 ECDH-BP521-SHA512 AES-256-GCM No 4 CPv4 ECDSA-BP521-SHA-512 ECDH-BP521-SHA512 No AES-256-CTR-SHA256-HMAC 5 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 AES-256-GCM No 6 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 No AES-256-CTR-SHA256-HMAC 7 CPv4 ECDSA-BP521-SHA3-512 ECDH-BP521-SHA3-512 No AES-256-GCM 8 CPv4 ECDSA-BP521-SHA3-512 ECDH-BP521-SHA3-512 No AES-256-CTR-SHA256-HMAC
To disable a cipher suite
1.Run the partition cipherdisable command with the ID of the cloning cipher suite you want to disable.
lunacm:>partition cipherdisable -id 0 CPv3 RSA-4096-PKCS-SHA-384 AES-256-GCM is now disabled Command Result : No Error
2.Run the partition ciphershow command to verify the result.
lunacm:>partition ciphershow
Cipher ID Cipher Suite Enabled
__________________________________________________________________________________
0 CPv3 RSA-4096-PKCS-SHA-384 AES-256-GCM No
1 CPv4 ECDSA-P521-SHA-512 ECDH-P521-SHA512 AES-256-GCM Yes
2 CPv4 ECDSA-P521-SHA-512 ECDH-P521-SHA512 Yes
AES-256-CTR-SHA256-HMAC
3 CPv4 ECDSA-BP521-SHA-512 ECDH-BP521-SHA512 AES-256-GCM Yes
4 CPv4 ECDSA-BP521-SHA-512 ECDH-BP521-SHA512 Yes
AES-256-CTR-SHA256-HMAC
5 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 AES-256-GCM Yes
6 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 Yes
AES-256-CTR-SHA256-HMAC
7 CPv4 ECDSA-BP521-SHA3-512 ECDH-BP521-SHA3-512 Yes
AES-256-GCM
8 CPv4 ECDSA-BP521-SHA3-512 ECDH-BP521-SHA3-512 Yes
AES-256-CTR-SHA256-HMAC
Command Result : No Error