Encrypted Volume and File System v1.1 Administrators Guide
Trademark Notice
Table of Contents
Preparing Evfs for Configuration
Upgrading from Evfs v1.0 to Evfs
Administering Evfs
101
129
141
145
153
169
171
Page
List of Figures
Software Types
Page
List of Tables
Page
Document Organization
About This Document
Intended Audience
Typographic Conventions
Related Information
HP Encourages Your Comments
User input
Features and Benefits
Evfs provides the following features
Evfs Introduction
LVM DLO Support
Evfs Architecture
Evfs Data Flow
Encryption Metadata EMD
Evfs Encryption Keys
Volume Encryption Keys
Using HP-UX Trusted Computing Services with Evfs
User Keys
3illustrates how Evfs uses keys to enable an Evfs volume
How Evfs Uses Keys
File Names
Key Names and Key IDs
User Key and Passphrase Storage
Alternate Storage Databases and Distributed Key Storage
User Key Privileges
Summary of Key Type and Privileged User Capabilities
Evfsadm
Evfs Commands
Evfsvol utility configures and manages the Evfs volumes
Evfspkey
Supported Software
Software Types
Product Limitations and Precautions
Evfs Introduction
Possible Device File Collision
Known Problems
Symptoms
Workaround
Feedback and Enhancement Requests
Installation
Hardware Requirements
System Reboot
Prerequisites
Operating System Requirements
Swinstall utility will install the Evfs components
Installing Evfs
Use the following procedure to install Evfs
Log on to the target system as the root user
Upgrading from Evfs v1.0 to Evfs
Preparing Evfs for Configuration
Verifying for Preconfiguration
Preparation Overview
Start the Evfs subsystem. See Starting the Evfs Subsystem
Creating the User Group
Configuring an Alternate Evfs Pseudo-User
Setting the evfsuser Attribute
Creating the Evfs Pseudo-User Account
Preparing Evfs for Configuration
Private keys
Optional Configuring Alternate Key Database Directories
Keys
Passphrases that secure user private keys
Default pubkey, privkey and passkey Attribute Statements
Key Storage Directory Requirements
Example Alternate Directory for Public Keys
Example NFS Directory for Public and Private Keys
Example Fallback Directory for Nonprivileged Users
Datacipher
Emdbackup
Optional Modifying Evfs Global Parameters
Pbe
Starting the Evfs Subsystem
Example
Evfsadm start -n numberthreads
Guidelines for Creating User Keys
Creating Keys for Evfs Volume Owners
Creating User Key Pairs
Evfspkey keygen -p-s -c cipher -u user -k keyname
Examples
Creating Recovery Keys
Storing the recovery users Private Key
Evfspkey keygen -c rsa-2048 -r -k keyname
Rsa-2048 RSA 2048-bit keys
Creating Keys for authorized users
Encrypted file
User name as the key name
# evfsadm start
Examples
User Session
# evfspkey keygen -u root -k rootkey1
Page
Configuring an Evfs Volume
Configuration Overview
Option 1 Creating a New Evfs Volume
Before using this procedure, you must complete the tasks
Configuring an Evfs Volume
Creating an LVM or VxVM Volume for Evfs
Creating Evfs Volume Device Files
Evfsadm map volumepath
Creating the EMD
Optional Adding Recovery Keys and authorized user Keys
Evfsvol add -u user -k keyname evfsvolumepath where
Enabling the Evfs Volume
Specifies that the key pair is a recovery key pair
Evfsvol enable -p-k keyname evfsvolumepath
Option, you must add a key ID to the entry
Etc/evfs/evfstab file for this volume and have a stored
Specifies non-interactive mode. Evfs uses the key ID from
Evfsvol prompts you for the passphrase for the private key
Creating a New File System with newfs
Creating and Mounting a File System on an Evfs Volume
Optional Using fsck to Check the File Volume
# newfs -F vxfs /dev/evfs/vg01/rlvol5
Mount the File System on the Evfs Volume
Creating the Mount Point
Optional Adding an Entry to /etc/fstab
Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0
Evfsadm stat -a Evfsvol display evfsvolumepath
Verifying the Configuration
Evfsvol display evfsvolumepath
Evfsadm stat -a
Remount the file system using the mount command
Optional Migrating Existing Data to an Evfs Volume
Optional Configuring the Autostart Feature
Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal
See evfstab4 for more information
Backing Up Your Configuration
Page
Map the regular volume to an Evfs volume
Preparing the File System and Data
Iencrypt Inline Encryption
Mount the file system to the Evfs volume
Performing Inline Encryption
Start inline encryption
Configuring an Evfs Volume
Verifying the Configuration
Remount the file system using the mount command
# strings /dev/vg01/lvol5 grep TOP Secret
Optional Configuring the Autostart Feature
Example
Backing Up Your Configuration
Option
Existing size is 96 MB we now extend it by 4 MB, to 100 MB
Existing size is 96 MB we now extend it by 4 MB, to 100 MB
Page
Administering Evfs
Enabling Encryption and Decryption Access to Evfs Volumes
Starting and Stopping Evfs
Starting the Evfs Subsystem
Disabling Encryption/Decryption Access to Evfs Volumes
Causes Evfs to use a stored passphrase to enable encryption
Uses the user name as the key name
Enter the following evfsadm stop command evfsadm stop
Evfsvol disable -p evfsvolumepath
Evfsvol disable -a
Stopping the Evfs Subsystem
Opening Raw Access to Evfs Volumes
Closing Raw Access to Evfs Volumes
Managing Evfs Keys and Users
Displaying Key IDs for an Evfs Volume
Information for the volume
Restoring User Keys
User
To execute this command evfsvol prompts you for
Changing Owner Keys for an Evfs Volume
Corresponds to a recovery users key in the EMD. If you do
Specifies the name of the file containing private key that
Changing the Passphrase for a Key
Recovering from Problems with Owner Keys
Removing Keys from an Evfs Volume
Evfspkey delete -u username-r -p -k keyname
Evfspkey passgen -u username -k keyname
Evfspkey passgen -r recovkeyfile where
Evfspkey passgen -f-p-s -u username -k keyname where
Recovering from EMD Corruption
EMD Backup Directory
Removing a Volume from the Evfs Subsystem
# evfsvol destroy /dev/evfs/vg01/lvol5
Exporting and Importing Evfs Volumes
Exporting an Evfs Volume
Use the following evfspkey keygen command syntax
Evfspkey keygen -c cipher -u user -k keyname
Importing an Evfs Volume
Key owners name and keyname is the key name
Is the key owners name and keyname is the key name
Administering Evfs
Managing Data on Evfs Volumes
Creating a New Evfs Volume Overwrites Existing Data
Vxresize -F Might Cause Data Loss or Corruption
Resizing Evfs Volumes and File Systems
LVM Example Increasing Volume and File System Sizes
Correct
LVM Example Reducing Volume and File System Sizes
Incorrect
VxVM Example Increasing Volume and File System Sizes
VxVM Example Reducing Volume and File System Sizes
# fsadm -F vxfs -b 65536 /test5
Backing Up and Restoring Data on Evfs Volumes
Backing Up Evfs Volumes
Backup Types with LVM or VxVM Mirrored Volumes
Backup Types with Nonmirrored Volumes
Backups Using LVM Mirrored Volumes
Map the backup volume to EVFS. For example
This creates the device files /dev/evfs/vg01/lvol5backup
Evfsvol check -r evfsvolumepath
Dev/vg01/lvol5backup
Syntax is as follows
# evfsvol display /dev/evfs/vg01/lvol6
Evfsvol check -r evfsvolumepath
Disable the Evfs backup volume. For example
Creating Cleartext Backup Media LVM Mirrored Volumes
Example File Utility
Backups Using VxVM Mirrored Volumes
Map the backup VxVM volume to EVFS. For example
# evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol
Backing Up and Restoring Data on Evfs Volumes
# vxplex -g testdg -v vol05 dis vol05-02
# evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
Evfsvol check -r evfsvolumepath
# fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol
Backing Up Evfs Volumes
Creating Cleartext Backup Media VxVM Mirrored Volumes
Example Block Device Utility
Example File Utility
Backups Using Nonmirrored Volumes
# evfsvol raw /dev/evfs/vg01/lvol5
Evfsadm stat -a
Cp -r /opt/encrypteddata /opt/evfsbackup
Restoring Backup Media
Restoring Backup Data from an Evfs Volume to an Evfs Volume
# cp -r /opt/backupevfs /opt/encrypteddata
128
Troubleshooting Evfs
Troubleshooting Tools Overview
Evfsadm stat -a-s-z
Displaying Evfs Volume Information
Displaying I/O and Encryption Statistics evfsadm stat
Meaning of each field is as follows
ADisplays the EMD information for all enabled Evfs volumes
Number of data blocks encrypted
Size of the encrypted metadata EMD area, in kilobytes
Verifying the EMD evfsvol check
Syntax
Verifying User Keys evfspkey lookup
# evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1
Problem Scenarios
Evfspkey Cannot Generate Key Pairs
Evfspkey Cannot Store Keys
Evfsvol Cannot Retrieve Private Key
Evfsvol create Fails, Valid EMD Already Exists
See the evfstab4 man page for more information
Evfsadm map command returns the following error
Evfsvol disable Fails, Evfs Volume Is Busy
Evfsvol disable command returns the following error
Evfsadm map Fails, Invalid Device
Evfsvol check -r -aevfsvolumepathwhere
Resets the dirty bit for the specified volume
EMD Is Dirty
Reporting Problems
Collecting Data
140
Product Specifications
User Files
Commands and Tools
Evfs provides the following commands
144
Evfs Quick Reference
This appendix contains reference information about Evfs
Configuring Evfs
Preparing Evfs
Option 1 Creating New Evfs Volume
# evfsadm map volumepath
Perform inline encryption Start inline encryption
Evfs Tasks and Commands
Table B-1 Starting and Stopping Evfs
Table B-3 Managing Evfs Keys and Users
Table B-4 Troubleshooting Evfs
152
Using Evfs with Serviceguard
Evfs and Serviceguard Overview
Requirements
Restrictions
Evfs Attribute Definition File ADF
Installing Evfs
Creating a VxVM Serviceguard Storage Structure
Creating the Serviceguard Storage Infrastructure
Creating an LVM Serviceguard Storage Infrastructure
Configuration Node
Adoptive Nodes
Adding the Cluster Keys to the EMD
Configuring Evfs on the Configuration Node
Creating a Cluster Key Pair
Modifying /etc/evfs/evfstab Entries
Preparing Evfs Volumes for Adoptive Nodes
# vgchange -a n /dev/vg02
# vxdg deport evfsdg
Restoring the Cluster Key Pair Files
Configuring Evfs Volumes on the Adoptive Nodes
Copying the Evfs Configuration Files and Keys
Creating a Local Passphrase File
Modifying the /etc/evfs/evfstab File
Mapping the LVM or VxVM Volumes to Evfs
Deactivating the Volumes
Verifying Evfs
Configuring the Autostart Feature
Halting an Existing Package
Configuring Serviceguard using Modular packages
Installing the Evfs Attribute Definition File
Copying the Evfs Control and Module Scripts
Adding the Evfs package to the Configuration File
Creating a Modular Package Configuration File
Migrating a Legacy Package Configuration File
# cmmigratepkg -p pkgname -o outputfile.conf where
Adding the Evfs Volumes to the Package Configuration File
Verifying the Script
LVM and VxVM Modular package example
Creating a Package Control Script
Configuring Serviceguard using Legacy packages
Creating the Package Configuration File
Converting a Package Control Script
Modifying the Package Configuration File
Adding the Evfs Volumes to the Package Control Script
Installing the Evfs Control Script
LVM and VxVM Legacy package example
Glossary
AES
Volume
Index
EMD
Permissions, 85 /etc/rc.config.d/evfs, 62, 72
RSA
Vxresize command Renaming
