Preparing Evfs | HP UX Encrypted Volume and Filesystem (EVFS)

Preparing EVFS

This section briefly describes the steps in the EVFS preparation procedure. For more information, refer to Chapter 3 (page 35).

1.At installation, EVFS attempts to create the evfs user account and group for the EVFS pseudo-user. If you cannot use evfs as the user and group name for the EVFS pseudo-user, set the evfs_user attribute in the /etc/evfs/evfs.conf file to a different user name.

Create a new group and user account for the EVFS pseudo-user:

#groupadd my_evfs_group

#useradd -g evfs -c "EVFS pseudo-user" \

-d /home/evfs -s /usr/bin/false my_evfs_user

2.(Optional) Configure alternative directories for key storage using the pub_key, priv_key, and pass_key attribute statements in the file /etc/evfs/evfs.conf.

3.(Optional) Modify EVFS global parameters. Edit the file /etc/evfs/evfs.conf.

4.Start the EVFS subsystem:

# evfsadm start [-n number_threads]

5.Create user key pairs.

a.Create keys for EVFS volume owners:

#evfspkey keygen [-p] [-c cipher] [-u user] [-k keyname]

b.(Optional, but recommended) Create recovery keys:

#evfspkey keygen -c rsa-2048 -r [-k keyname]

EVFS creates the recovery user's private key in the current directory, with the file name key_name.priv. Store this file off line.

c.(Optional) Create keys for authorized users:

# evfspkey keygen [-p-s] [-c cipher ] [-u user] [-k keyname]

Configuring EVFS

This section briefly describes the steps in the EVFS procedure. After preparing EVFS, you can use Option 1 or Option 2 to configure an EVFS volume. For more information about selecting the appropriate option, see Chapter 4 (page 49).

146 EVFS Quick Reference

Image 146

HP UX Encrypted Volume and Filesystem (EVFS) manual Preparing Evfs, Configuring Evfs

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Preparing Evfs for Configuration Upgrading from Evfs v1.0 to Evfs Administering Evfs 101 129 153 141145 169 171Page List of Figures Software TypesPage List of Tables Page Document Organization About This DocumentIntended Audience Typographic Conventions User input Related InformationHP Encourages Your Comments Evfs Introduction Features and BenefitsEvfs provides the following features LVM DLO Support Evfs Architecture Evfs Encryption Keys Evfs Data FlowEncryption Metadata EMD User Keys Volume Encryption KeysUsing HP-UX Trusted Computing Services with Evfs 3illustrates how Evfs uses keys to enable an Evfs volume How Evfs Uses Keys File Names Key Names and Key IDsUser Key and Passphrase Storage Alternate Storage Databases and Distributed Key Storage User Key Privileges Summary of Key Type and Privileged User Capabilities Evfsadm Evfs CommandsEvfsvol utility configures and manages the Evfs volumes Evfspkey Supported Software Software Types Product Limitations and Precautions Evfs Introduction Possible Device File Collision Known ProblemsSymptoms Workaround Feedback and Enhancement Requests Installation Hardware Requirements System RebootPrerequisites Operating System Requirements Swinstall utility will install the Evfs components Installing EvfsUse the following procedure to install Evfs Log on to the target system as the root user Upgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Verifying for Preconfiguration Preparation Overview Start the Evfs subsystem. See Starting the Evfs Subsystem Creating the User Group Configuring an Alternate Evfs Pseudo-UserSetting the evfsuser Attribute Creating the Evfs Pseudo-User Account Preparing Evfs for Configuration Private keys Optional Configuring Alternate Key Database DirectoriesKeys Passphrases that secure user private keys Default pubkey, privkey and passkey Attribute Statements Key Storage Directory Requirements Example Fallback Directory for Nonprivileged Users Example Alternate Directory for Public KeysExample NFS Directory for Public and Private Keys Datacipher EmdbackupOptional Modifying Evfs Global Parameters Pbe Evfsadm start -n numberthreads Starting the Evfs SubsystemExample Guidelines for Creating User Keys Creating Keys for Evfs Volume OwnersCreating User Key Pairs Evfspkey keygen -p-s -c cipher -u user -k keyname Examples Creating Recovery KeysStoring the recovery users Private Key Evfspkey keygen -c rsa-2048 -r -k keyname Rsa-2048 RSA 2048-bit keys Creating Keys for authorized usersEncrypted file User name as the key name # evfsadm start ExamplesUser Session # evfspkey keygen -u root -k rootkey1Page Configuring an Evfs Volume Configuration Overview Option 1 Creating a New Evfs Volume Before using this procedure, you must complete the tasks Creating Evfs Volume Device Files Configuring an Evfs VolumeCreating an LVM or VxVM Volume for Evfs Evfsadm map volumepath Creating the EMD Optional Adding Recovery Keys and authorized user Keys Evfsvol add -u user -k keyname evfsvolumepath where Enabling the Evfs VolumeSpecifies that the key pair is a recovery key pair Evfsvol enable -p-k keyname evfsvolumepath Option, you must add a key ID to the entry Etc/evfs/evfstab file for this volume and have a storedSpecifies non-interactive mode. Evfs uses the key ID from Evfsvol prompts you for the passphrase for the private key Creating a New File System with newfs Creating and Mounting a File System on an Evfs VolumeOptional Using fsck to Check the File Volume # newfs -F vxfs /dev/evfs/vg01/rlvol5 Optional Adding an Entry to /etc/fstab Mount the File System on the Evfs VolumeCreating the Mount Point Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Evfsadm stat -a Evfsvol display evfsvolumepath Verifying the ConfigurationEvfsvol display evfsvolumepath Evfsadm stat -a Remount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal See evfstab4 for more information Backing Up Your Configuration Page Map the regular volume to an Evfs volume Preparing the File System and Data Iencrypt Inline Encryption Mount the file system to the Evfs volumePerforming Inline Encryption Start inline encryption Configuring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Starting the Evfs Subsystem Enabling Encryption and Decryption Access to Evfs VolumesStarting and Stopping Evfs Uses the user name as the key name Disabling Encryption/Decryption Access to Evfs VolumesCauses Evfs to use a stored passphrase to enable encryption Enter the following evfsadm stop command evfsadm stop Evfsvol disable -p evfsvolumepathEvfsvol disable -a Stopping the Evfs Subsystem Opening Raw Access to Evfs Volumes Closing Raw Access to Evfs Volumes Managing Evfs Keys and Users Displaying Key IDs for an Evfs VolumeInformation for the volume Restoring User Keys User To execute this command evfsvol prompts you for Changing Owner Keys for an Evfs VolumeCorresponds to a recovery users key in the EMD. If you do Specifies the name of the file containing private key that Changing the Passphrase for a Key Recovering from Problems with Owner KeysRemoving Keys from an Evfs Volume Evfspkey delete -u username-r -p -k keyname Evfspkey passgen -f-p-s -u username -k keyname where Evfspkey passgen -u username -k keynameEvfspkey passgen -r recovkeyfile where Recovering from EMD Corruption EMD Backup Directory Removing a Volume from the Evfs Subsystem # evfsvol destroy /dev/evfs/vg01/lvol5 Exporting and Importing Evfs Volumes Exporting an Evfs Volume Use the following evfspkey keygen command syntax Evfspkey keygen -c cipher -u user -k keyname Is the key owners name and keyname is the key name Importing an Evfs VolumeKey owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Creating a New Evfs Volume Overwrites Existing Data Vxresize -F Might Cause Data Loss or Corruption Correct Resizing Evfs Volumes and File SystemsLVM Example Increasing Volume and File System Sizes LVM Example Reducing Volume and File System Sizes Incorrect VxVM Example Increasing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes # fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes This creates the device files /dev/evfs/vg01/lvol5backup Backups Using LVM Mirrored VolumesMap the backup volume to EVFS. For example Evfsvol check -r evfsvolumepath Dev/vg01/lvol5backup Syntax is as follows # evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Creating Cleartext Backup Media LVM Mirrored Volumes Example File Utility Backups Using VxVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example # evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Example File Utility Creating Cleartext Backup Media VxVM Mirrored VolumesExample Block Device Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Evfs Troubleshooting Tools Overview Evfsadm stat -a-s-z Displaying Evfs Volume InformationDisplaying I/O and Encryption Statistics evfsadm stat Meaning of each field is as follows ADisplays the EMD information for all enabled Evfs volumes Number of data blocks encrypted Size of the encrypted metadata EMD area, in kilobytes Verifying the EMD evfsvol check Syntax Verifying User Keys evfspkey lookup # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1 Evfspkey Cannot Store Keys Problem ScenariosEvfspkey Cannot Generate Key Pairs See the evfstab4 man page for more information Evfsvol Cannot Retrieve Private KeyEvfsvol create Fails, Valid EMD Already Exists Evfsadm map command returns the following error Evfsvol disable Fails, Evfs Volume Is BusyEvfsvol disable command returns the following error Evfsadm map Fails, Invalid Device EMD Is Dirty Evfsvol check -r -aevfsvolumepathwhereResets the dirty bit for the specified volume Reporting Problems Collecting Data 140 Product Specifications User Files Commands and Tools Evfs provides the following commands 144 Evfs Quick Reference This appendix contains reference information about Evfs Configuring Evfs Preparing Evfs Option 1 Creating New Evfs Volume # evfsadm map volumepath Perform inline encryption Start inline encryption Evfs Tasks and Commands Table B-1 Starting and Stopping Evfs Table B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Requirements Using Evfs with ServiceguardEvfs and Serviceguard Overview Restrictions Evfs Attribute Definition File ADF Installing Evfs Creating a VxVM Serviceguard Storage Structure Creating the Serviceguard Storage InfrastructureCreating an LVM Serviceguard Storage Infrastructure Configuration Node Adoptive Nodes Adding the Cluster Keys to the EMD Configuring Evfs on the Configuration NodeCreating a Cluster Key Pair Modifying /etc/evfs/evfstab Entries # vxdg deport evfsdg Preparing Evfs Volumes for Adoptive Nodes# vgchange -a n /dev/vg02 Restoring the Cluster Key Pair Files Configuring Evfs Volumes on the Adoptive NodesCopying the Evfs Configuration Files and Keys Creating a Local Passphrase File Modifying the /etc/evfs/evfstab File Mapping the LVM or VxVM Volumes to EvfsDeactivating the Volumes Verifying Evfs Configuring the Autostart Feature Halting an Existing Package Configuring Serviceguard using Modular packagesInstalling the Evfs Attribute Definition File Copying the Evfs Control and Module Scripts Adding the Evfs package to the Configuration File Creating a Modular Package Configuration FileMigrating a Legacy Package Configuration File # cmmigratepkg -p pkgname -o outputfile.conf where LVM and VxVM Modular package example Adding the Evfs Volumes to the Package Configuration FileVerifying the Script Creating a Package Control Script Configuring Serviceguard using Legacy packagesCreating the Package Configuration File Converting a Package Control Script Modifying the Package Configuration File Adding the Evfs Volumes to the Package Control ScriptInstalling the Evfs Control Script LVM and VxVM Legacy package example Glossary AES Volume Index EMD Permissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming