Problem Scenarios | HP UX Encrypted Volume and Filesystem (EVFS)

Problem Scenarios

This section describes the following problem scenarios and solutions for the scenarios:

•“evfspkey Cannot Generate Key Pairs” (page 135)

•“evfspkey Cannot Store Keys” (page 135)

•“evfsvol Cannot Retrieve Private Key” (page 136)

•“evfsvol create Fails, EVFS Device File Not Found in evfstab File” (page 136)

•“evfsvol create Fails, Valid EMD Already Exists” (page 136)

•“evfsvol disable Fails, EVFS Volume Is Busy” (page 137)

•“evfsadm map Fails, Invalid Device” (page 137)

•“EMD Is Dirty” (page 138)

evfspkey Cannot Generate Key Pairs

Symptom

The evfspkey keygen command fails and evfspkey displays a message similar to the following:

evfspkey: keygen error: cannot generate key pair

Description

The evfspkey utility cannot generate a key pair because no cryptography threads are running.

Solution

Use the evfsadm start command to start the EVFS subsystem and kernel cryptography threads.

evfspkey Cannot Store Keys

Symptom

The evfspkey keygen command fails and evfspkey displays a message similar to the following:

evfspkey: keygen error: cannot store public key "user_name.key_name", key loading failure

Description

The evfspkey utility cannot store a public key file in the EVFS key database.

Solution

Verify that the account exists for the owner of the key pair. If you are creating a recovery key pair, verify that the EVFS pseudo-user account exists. The user name for the EVFS pseudo-user is set using the evfs_user attribute in the file /etc/evfs/evfs.conf. The default name is evfs.

Determine the directories used for the key database by checking the pub_key attribute statement in the /etc/evfs/evfs.conf file. By default, EVFS stores the user key database in subdirectories below the /etc/evfs/pkey directory. Verify that the attribute statement contains no line breaks. Verify the file permissions, owner and group for the directories, as described in the section, “Restoring User Keys” (page 84).

Problem Scenarios 135

Image 135

HP UX Encrypted Volume and Filesystem (EVFS) manual Problem Scenarios, Evfspkey Cannot Generate Key Pairs

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Upgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Administering Evfs 101 129 141 145153 171 169Page Software Types List of FiguresPage List of Tables Page Typographic Conventions About This DocumentIntended Audience Document Organization Related Information HP Encourages Your CommentsUser input Features and Benefits Evfs provides the following featuresEvfs Introduction LVM DLO Support Evfs Architecture Evfs Data Flow Encryption Metadata EMDEvfs Encryption Keys Volume Encryption Keys Using HP-UX Trusted Computing Services with EvfsUser Keys How Evfs Uses Keys 3illustrates how Evfs uses keys to enable an Evfs volume Alternate Storage Databases and Distributed Key Storage Key Names and Key IDsUser Key and Passphrase Storage File Names Summary of Key Type and Privileged User Capabilities User Key Privileges Evfspkey Evfs CommandsEvfsvol utility configures and manages the Evfs volumes Evfsadm Software Types Supported Software Product Limitations and Precautions Evfs Introduction Workaround Known ProblemsSymptoms Possible Device File Collision Feedback and Enhancement Requests Installation Operating System Requirements System RebootPrerequisites Hardware Requirements Log on to the target system as the root user Installing EvfsUse the following procedure to install Evfs Swinstall utility will install the Evfs components Upgrading from Evfs v1.0 to Evfs Verifying for Preconfiguration Preparing Evfs for Configuration Start the Evfs subsystem. See Starting the Evfs Subsystem Preparation Overview Creating the Evfs Pseudo-User Account Configuring an Alternate Evfs Pseudo-UserSetting the evfsuser Attribute Creating the User Group Preparing Evfs for Configuration Passphrases that secure user private keys Optional Configuring Alternate Key Database DirectoriesKeys Private keys Key Storage Directory Requirements Default pubkey, privkey and passkey Attribute Statements Example Alternate Directory for Public Keys Example NFS Directory for Public and Private KeysExample Fallback Directory for Nonprivileged Users Pbe EmdbackupOptional Modifying Evfs Global Parameters Datacipher Starting the Evfs Subsystem ExampleEvfsadm start -n numberthreads Evfspkey keygen -p-s -c cipher -u user -k keyname Creating Keys for Evfs Volume OwnersCreating User Key Pairs Guidelines for Creating User Keys Evfspkey keygen -c rsa-2048 -r -k keyname Creating Recovery KeysStoring the recovery users Private Key Examples User name as the key name Creating Keys for authorized usersEncrypted file Rsa-2048 RSA 2048-bit keys # evfspkey keygen -u root -k rootkey1 ExamplesUser Session # evfsadm startPage Configuration Overview Configuring an Evfs Volume Before using this procedure, you must complete the tasks Option 1 Creating a New Evfs Volume Configuring an Evfs Volume Creating an LVM or VxVM Volume for EvfsCreating Evfs Volume Device Files Creating the EMD Evfsadm map volumepath Optional Adding Recovery Keys and authorized user Keys Evfsvol enable -p-k keyname evfsvolumepath Enabling the Evfs VolumeSpecifies that the key pair is a recovery key pair Evfsvol add -u user -k keyname evfsvolumepath where Evfsvol prompts you for the passphrase for the private key Etc/evfs/evfstab file for this volume and have a storedSpecifies non-interactive mode. Evfs uses the key ID from Option, you must add a key ID to the entry # newfs -F vxfs /dev/evfs/vg01/rlvol5 Creating and Mounting a File System on an Evfs VolumeOptional Using fsck to Check the File Volume Creating a New File System with newfs Mount the File System on the Evfs Volume Creating the Mount PointOptional Adding an Entry to /etc/fstab Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Evfsadm stat -a Verifying the ConfigurationEvfsvol display evfsvolumepath Evfsadm stat -a Evfsvol display evfsvolumepath Remount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature See evfstab4 for more information Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal Backing Up Your Configuration Page Preparing the File System and Data Map the regular volume to an Evfs volume Start inline encryption Mount the file system to the Evfs volumePerforming Inline Encryption Iencrypt Inline Encryption Configuring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Enabling Encryption and Decryption Access to Evfs Volumes Starting and Stopping EvfsStarting the Evfs Subsystem Disabling Encryption/Decryption Access to Evfs Volumes Causes Evfs to use a stored passphrase to enable encryptionUses the user name as the key name Stopping the Evfs Subsystem Evfsvol disable -p evfsvolumepathEvfsvol disable -a Enter the following evfsadm stop command evfsadm stop Closing Raw Access to Evfs Volumes Opening Raw Access to Evfs Volumes Restoring User Keys Displaying Key IDs for an Evfs VolumeInformation for the volume Managing Evfs Keys and Users User Specifies the name of the file containing private key that Changing Owner Keys for an Evfs VolumeCorresponds to a recovery users key in the EMD. If you do To execute this command evfsvol prompts you for Evfspkey delete -u username-r -p -k keyname Recovering from Problems with Owner KeysRemoving Keys from an Evfs Volume Changing the Passphrase for a Key Evfspkey passgen -u username -k keyname Evfspkey passgen -r recovkeyfile whereEvfspkey passgen -f-p-s -u username -k keyname where EMD Backup Directory Recovering from EMD Corruption # evfsvol destroy /dev/evfs/vg01/lvol5 Removing a Volume from the Evfs Subsystem Exporting an Evfs Volume Exporting and Importing Evfs Volumes Evfspkey keygen -c cipher -u user -k keyname Use the following evfspkey keygen command syntax Importing an Evfs Volume Key owners name and keyname is the key nameIs the key owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Vxresize -F Might Cause Data Loss or Corruption Creating a New Evfs Volume Overwrites Existing Data Resizing Evfs Volumes and File Systems LVM Example Increasing Volume and File System SizesCorrect Incorrect LVM Example Reducing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes VxVM Example Increasing Volume and File System Sizes # fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes Backups Using LVM Mirrored Volumes Map the backup volume to EVFS. For exampleThis creates the device files /dev/evfs/vg01/lvol5backup Evfsvol check -r evfsvolumepath Syntax is as follows Dev/vg01/lvol5backup # evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Example File Utility Creating Cleartext Backup Media LVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example Backups Using VxVM Mirrored Volumes # evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Creating Cleartext Backup Media VxVM Mirrored Volumes Example Block Device UtilityExample File Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Tools Overview Troubleshooting Evfs Meaning of each field is as follows Displaying Evfs Volume InformationDisplaying I/O and Encryption Statistics evfsadm stat Evfsadm stat -a-s-z Number of data blocks encrypted ADisplays the EMD information for all enabled Evfs volumes Size of the encrypted metadata EMD area, in kilobytes Syntax Verifying the EMD evfsvol check # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1 Verifying User Keys evfspkey lookup Problem Scenarios Evfspkey Cannot Generate Key PairsEvfspkey Cannot Store Keys Evfsvol Cannot Retrieve Private Key Evfsvol create Fails, Valid EMD Already ExistsSee the evfstab4 man page for more information Evfsadm map Fails, Invalid Device Evfsvol disable Fails, Evfs Volume Is BusyEvfsvol disable command returns the following error Evfsadm map command returns the following error Evfsvol check -r -aevfsvolumepathwhere Resets the dirty bit for the specified volumeEMD Is Dirty Collecting Data Reporting Problems 140 Product Specifications User Files Evfs provides the following commands Commands and Tools 144 This appendix contains reference information about Evfs Evfs Quick Reference Preparing Evfs Configuring Evfs # evfsadm map volumepath Option 1 Creating New Evfs Volume Perform inline encryption Start inline encryption Table B-1 Starting and Stopping Evfs Evfs Tasks and Commands Table B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Using Evfs with Serviceguard Evfs and Serviceguard OverviewRequirements Restrictions Evfs Attribute Definition File ADF Installing Evfs Configuration Node Creating the Serviceguard Storage InfrastructureCreating an LVM Serviceguard Storage Infrastructure Creating a VxVM Serviceguard Storage Structure Adoptive Nodes Modifying /etc/evfs/evfstab Entries Configuring Evfs on the Configuration NodeCreating a Cluster Key Pair Adding the Cluster Keys to the EMD Preparing Evfs Volumes for Adoptive Nodes # vgchange -a n /dev/vg02# vxdg deport evfsdg Creating a Local Passphrase File Configuring Evfs Volumes on the Adoptive NodesCopying the Evfs Configuration Files and Keys Restoring the Cluster Key Pair Files Verifying Evfs Mapping the LVM or VxVM Volumes to EvfsDeactivating the Volumes Modifying the /etc/evfs/evfstab File Configuring the Autostart Feature Copying the Evfs Control and Module Scripts Configuring Serviceguard using Modular packagesInstalling the Evfs Attribute Definition File Halting an Existing Package # cmmigratepkg -p pkgname -o outputfile.conf where Creating a Modular Package Configuration FileMigrating a Legacy Package Configuration File Adding the Evfs package to the Configuration File Adding the Evfs Volumes to the Package Configuration File Verifying the ScriptLVM and VxVM Modular package example Converting a Package Control Script Configuring Serviceguard using Legacy packagesCreating the Package Configuration File Creating a Package Control Script LVM and VxVM Legacy package example Adding the Evfs Volumes to the Package Control ScriptInstalling the Evfs Control Script Modifying the Package Configuration File AES Glossary Volume EMD Index Permissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming