Encrypted Volume and File System v1.1 Administrators Guide
Trademark Notice
Table of Contents
Upgrading from Evfs v1.0 to Evfs
Preparing Evfs for Configuration
Administering Evfs
101
129
141
145
153
171
169
Page
Software Types
List of Figures
Page
List of Tables
Page
Typographic Conventions
About This Document
Intended Audience
Document Organization
Related Information
HP Encourages Your Comments
User input
Features and Benefits
Evfs provides the following features
Evfs Introduction
LVM DLO Support
Evfs Architecture
Evfs Data Flow
Encryption Metadata EMD
Evfs Encryption Keys
Volume Encryption Keys
Using HP-UX Trusted Computing Services with Evfs
User Keys
How Evfs Uses Keys
3illustrates how Evfs uses keys to enable an Evfs volume
Alternate Storage Databases and Distributed Key Storage
Key Names and Key IDs
User Key and Passphrase Storage
File Names
Summary of Key Type and Privileged User Capabilities
User Key Privileges
Evfspkey
Evfs Commands
Evfsvol utility configures and manages the Evfs volumes
Evfsadm
Software Types
Supported Software
Product Limitations and Precautions
Evfs Introduction
Workaround
Known Problems
Symptoms
Possible Device File Collision
Feedback and Enhancement Requests
Installation
Operating System Requirements
System Reboot
Prerequisites
Hardware Requirements
Log on to the target system as the root user
Installing Evfs
Use the following procedure to install Evfs
Swinstall utility will install the Evfs components
Upgrading from Evfs v1.0 to Evfs
Verifying for Preconfiguration
Preparing Evfs for Configuration
Start the Evfs subsystem. See Starting the Evfs Subsystem
Preparation Overview
Creating the Evfs Pseudo-User Account
Configuring an Alternate Evfs Pseudo-User
Setting the evfsuser Attribute
Creating the User Group
Preparing Evfs for Configuration
Passphrases that secure user private keys
Optional Configuring Alternate Key Database Directories
Keys
Private keys
Key Storage Directory Requirements
Default pubkey, privkey and passkey Attribute Statements
Example Alternate Directory for Public Keys
Example NFS Directory for Public and Private Keys
Example Fallback Directory for Nonprivileged Users
Pbe
Emdbackup
Optional Modifying Evfs Global Parameters
Datacipher
Starting the Evfs Subsystem
Example
Evfsadm start -n numberthreads
Evfspkey keygen -p-s -c cipher -u user -k keyname
Creating Keys for Evfs Volume Owners
Creating User Key Pairs
Guidelines for Creating User Keys
Evfspkey keygen -c rsa-2048 -r -k keyname
Creating Recovery Keys
Storing the recovery users Private Key
Examples
User name as the key name
Creating Keys for authorized users
Encrypted file
Rsa-2048 RSA 2048-bit keys
# evfspkey keygen -u root -k rootkey1
Examples
User Session
# evfsadm start
Page
Configuration Overview
Configuring an Evfs Volume
Before using this procedure, you must complete the tasks
Option 1 Creating a New Evfs Volume
Configuring an Evfs Volume
Creating an LVM or VxVM Volume for Evfs
Creating Evfs Volume Device Files
Creating the EMD
Evfsadm map volumepath
Optional Adding Recovery Keys and authorized user Keys
Evfsvol enable -p-k keyname evfsvolumepath
Enabling the Evfs Volume
Specifies that the key pair is a recovery key pair
Evfsvol add -u user -k keyname evfsvolumepath where
Evfsvol prompts you for the passphrase for the private key
Etc/evfs/evfstab file for this volume and have a stored
Specifies non-interactive mode. Evfs uses the key ID from
Option, you must add a key ID to the entry
# newfs -F vxfs /dev/evfs/vg01/rlvol5
Creating and Mounting a File System on an Evfs Volume
Optional Using fsck to Check the File Volume
Creating a New File System with newfs
Mount the File System on the Evfs Volume
Creating the Mount Point
Optional Adding an Entry to /etc/fstab
Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0
Evfsadm stat -a
Verifying the Configuration
Evfsvol display evfsvolumepath
Evfsadm stat -a Evfsvol display evfsvolumepath
Remount the file system using the mount command
Optional Migrating Existing Data to an Evfs Volume
Optional Configuring the Autostart Feature
See evfstab4 for more information
Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal
Backing Up Your Configuration
Page
Preparing the File System and Data
Map the regular volume to an Evfs volume
Start inline encryption
Mount the file system to the Evfs volume
Performing Inline Encryption
Iencrypt Inline Encryption
Configuring an Evfs Volume
Verifying the Configuration
Remount the file system using the mount command
# strings /dev/vg01/lvol5 grep TOP Secret
Optional Configuring the Autostart Feature
Example
Backing Up Your Configuration
Option
Existing size is 96 MB we now extend it by 4 MB, to 100 MB
Existing size is 96 MB we now extend it by 4 MB, to 100 MB
Page
Administering Evfs
Enabling Encryption and Decryption Access to Evfs Volumes
Starting and Stopping Evfs
Starting the Evfs Subsystem
Disabling Encryption/Decryption Access to Evfs Volumes
Causes Evfs to use a stored passphrase to enable encryption
Uses the user name as the key name
Stopping the Evfs Subsystem
Evfsvol disable -p evfsvolumepath
Evfsvol disable -a
Enter the following evfsadm stop command evfsadm stop
Closing Raw Access to Evfs Volumes
Opening Raw Access to Evfs Volumes
Restoring User Keys
Displaying Key IDs for an Evfs Volume
Information for the volume
Managing Evfs Keys and Users
User
Specifies the name of the file containing private key that
Changing Owner Keys for an Evfs Volume
Corresponds to a recovery users key in the EMD. If you do
To execute this command evfsvol prompts you for
Evfspkey delete -u username-r -p -k keyname
Recovering from Problems with Owner Keys
Removing Keys from an Evfs Volume
Changing the Passphrase for a Key
Evfspkey passgen -u username -k keyname
Evfspkey passgen -r recovkeyfile where
Evfspkey passgen -f-p-s -u username -k keyname where
EMD Backup Directory
Recovering from EMD Corruption
# evfsvol destroy /dev/evfs/vg01/lvol5
Removing a Volume from the Evfs Subsystem
Exporting an Evfs Volume
Exporting and Importing Evfs Volumes
Evfspkey keygen -c cipher -u user -k keyname
Use the following evfspkey keygen command syntax
Importing an Evfs Volume
Key owners name and keyname is the key name
Is the key owners name and keyname is the key name
Administering Evfs
Managing Data on Evfs Volumes
Vxresize -F Might Cause Data Loss or Corruption
Creating a New Evfs Volume Overwrites Existing Data
Resizing Evfs Volumes and File Systems
LVM Example Increasing Volume and File System Sizes
Correct
Incorrect
LVM Example Reducing Volume and File System Sizes
VxVM Example Reducing Volume and File System Sizes
VxVM Example Increasing Volume and File System Sizes
# fsadm -F vxfs -b 65536 /test5
Backing Up and Restoring Data on Evfs Volumes
Backing Up Evfs Volumes
Backup Types with LVM or VxVM Mirrored Volumes
Backup Types with Nonmirrored Volumes
Backups Using LVM Mirrored Volumes
Map the backup volume to EVFS. For example
This creates the device files /dev/evfs/vg01/lvol5backup
Evfsvol check -r evfsvolumepath
Syntax is as follows
Dev/vg01/lvol5backup
# evfsvol display /dev/evfs/vg01/lvol6
Evfsvol check -r evfsvolumepath
Disable the Evfs backup volume. For example
Example File Utility
Creating Cleartext Backup Media LVM Mirrored Volumes
Map the backup VxVM volume to EVFS. For example
Backups Using VxVM Mirrored Volumes
# evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol
Backing Up and Restoring Data on Evfs Volumes
# vxplex -g testdg -v vol05 dis vol05-02
# evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
Evfsvol check -r evfsvolumepath
# fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol
Backing Up Evfs Volumes
Creating Cleartext Backup Media VxVM Mirrored Volumes
Example Block Device Utility
Example File Utility
Backups Using Nonmirrored Volumes
# evfsvol raw /dev/evfs/vg01/lvol5
Evfsadm stat -a
Cp -r /opt/encrypteddata /opt/evfsbackup
Restoring Backup Media
Restoring Backup Data from an Evfs Volume to an Evfs Volume
# cp -r /opt/backupevfs /opt/encrypteddata
128
Troubleshooting Tools Overview
Troubleshooting Evfs
Meaning of each field is as follows
Displaying Evfs Volume Information
Displaying I/O and Encryption Statistics evfsadm stat
Evfsadm stat -a-s-z
Number of data blocks encrypted
ADisplays the EMD information for all enabled Evfs volumes
Size of the encrypted metadata EMD area, in kilobytes
Syntax
Verifying the EMD evfsvol check
# evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1
Verifying User Keys evfspkey lookup
Problem Scenarios
Evfspkey Cannot Generate Key Pairs
Evfspkey Cannot Store Keys
Evfsvol Cannot Retrieve Private Key
Evfsvol create Fails, Valid EMD Already Exists
See the evfstab4 man page for more information
Evfsadm map Fails, Invalid Device
Evfsvol disable Fails, Evfs Volume Is Busy
Evfsvol disable command returns the following error
Evfsadm map command returns the following error
Evfsvol check -r -aevfsvolumepathwhere
Resets the dirty bit for the specified volume
EMD Is Dirty
Collecting Data
Reporting Problems
140
Product Specifications
User Files
Evfs provides the following commands
Commands and Tools
144
This appendix contains reference information about Evfs
Evfs Quick Reference
Preparing Evfs
Configuring Evfs
# evfsadm map volumepath
Option 1 Creating New Evfs Volume
Perform inline encryption Start inline encryption
Table B-1 Starting and Stopping Evfs
Evfs Tasks and Commands
Table B-3 Managing Evfs Keys and Users
Table B-4 Troubleshooting Evfs
152
Using Evfs with Serviceguard
Evfs and Serviceguard Overview
Requirements
Restrictions
Evfs Attribute Definition File ADF
Installing Evfs
Configuration Node
Creating the Serviceguard Storage Infrastructure
Creating an LVM Serviceguard Storage Infrastructure
Creating a VxVM Serviceguard Storage Structure
Adoptive Nodes
Modifying /etc/evfs/evfstab Entries
Configuring Evfs on the Configuration Node
Creating a Cluster Key Pair
Adding the Cluster Keys to the EMD
Preparing Evfs Volumes for Adoptive Nodes
# vgchange -a n /dev/vg02
# vxdg deport evfsdg
Creating a Local Passphrase File
Configuring Evfs Volumes on the Adoptive Nodes
Copying the Evfs Configuration Files and Keys
Restoring the Cluster Key Pair Files
Verifying Evfs
Mapping the LVM or VxVM Volumes to Evfs
Deactivating the Volumes
Modifying the /etc/evfs/evfstab File
Configuring the Autostart Feature
Copying the Evfs Control and Module Scripts
Configuring Serviceguard using Modular packages
Installing the Evfs Attribute Definition File
Halting an Existing Package
# cmmigratepkg -p pkgname -o outputfile.conf where
Creating a Modular Package Configuration File
Migrating a Legacy Package Configuration File
Adding the Evfs package to the Configuration File
Adding the Evfs Volumes to the Package Configuration File
Verifying the Script
LVM and VxVM Modular package example
Converting a Package Control Script
Configuring Serviceguard using Legacy packages
Creating the Package Configuration File
Creating a Package Control Script
LVM and VxVM Legacy package example
Adding the Evfs Volumes to the Package Control Script
Installing the Evfs Control Script
Modifying the Package Configuration File
AES
Glossary
Volume
EMD
Index
Permissions, 85 /etc/rc.config.d/evfs, 62, 72
RSA
Vxresize command Renaming
