HP UX Encrypted Volume and Filesystem (EVFS) specs

The options field must contain the keyword boot_local, boot_local2, or boot_remote.

See “Step 5: (Optional) Configuring the Autostart Feature” (page 62) for more information.

6.Back up your configuration. Back up all files in the /etc/evfs directory and all subdirectories below it.

Option 2: Converting an Existing Volume into an EVFS Volume (Inline Encryption)

1.Prepare the file system and data.

1.Verify the file systems or volumes you want to secure with EVFS are suitable for encryption.

2.For data consistency, stop all applications accessing the data.

3.Back up the data on the volume.

4.Unmount the file system:

#umount file_system

5.Extend the volume if there is no spare disk space at the end of the volume. Inline encryption requires 3MB of spare disk space.

6.Map the volume to an EVFS volume:

#evfsadm map volume_name

2.Perform inline encryption.

1.Start inline encryption:

#evfsvol iencrypt [-f] [-k keyname] [-c cipher] evfs_volume_path

2.Enable the EVFS volume:

#evfsvol enable evfs_volume_path

3.Mount the file system to the EVFS volume:

#mount evfs_volume_path file_system

3.Verify EVFS operation. Use the following commands:

• evfsadm stat -a

• evfsvol display evfs_volume_path

4.(Optional) Configure the EVFS autostart feature. The autostart feature enables you to enable EVFS encryption and mount file systems on EVFS volumes at system startup without manual intervention. You must have stored passphrases to use the autostart feature.

To configure the autostart feature, edit the /etc/rc.config.d/evfs file to contain the following entry:

EVFS_ENABLED = 1

You must also edit the /etc/evfs/evfstab file. The syntax for each entry is as follows: v volume_path evfs_volume_path user_name.key_name options

The options field must contain the keyword boot_local, boot_local2, or boot_remote.

See “Step 5: (Optional) Configuring the Autostart Feature” (page 62) for more information.

5.Back up your configuration. Back up all files in the /etc/evfs directory and all subdirectories below it.

148 EVFS Quick Reference

Image 148

HP UX Encrypted Volume and Filesystem (EVFS) Perform inline encryption Start inline encryption, Enable the Evfs volume

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Preparing Evfs for Configuration Upgrading from Evfs v1.0 to Evfs Administering Evfs 101 129 145 141153 169 171Page List of Figures Software TypesPage List of Tables Page About This Document Intended AudienceDocument Organization Typographic Conventions HP Encourages Your Comments Related InformationUser input Evfs provides the following features Features and BenefitsEvfs Introduction LVM DLO Support Evfs Architecture Encryption Metadata EMD Evfs Data FlowEvfs Encryption Keys Using HP-UX Trusted Computing Services with Evfs Volume Encryption KeysUser Keys 3illustrates how Evfs uses keys to enable an Evfs volume How Evfs Uses Keys Key Names and Key IDs User Key and Passphrase StorageFile Names Alternate Storage Databases and Distributed Key Storage User Key Privileges Summary of Key Type and Privileged User Capabilities Evfs Commands Evfsvol utility configures and manages the Evfs volumesEvfsadm Evfspkey Supported Software Software Types Product Limitations and Precautions Evfs Introduction Known Problems SymptomsPossible Device File Collision Workaround Feedback and Enhancement Requests Installation System Reboot PrerequisitesHardware Requirements Operating System Requirements Installing Evfs Use the following procedure to install EvfsSwinstall utility will install the Evfs components Log on to the target system as the root user Upgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Verifying for Preconfiguration Preparation Overview Start the Evfs subsystem. See Starting the Evfs Subsystem Configuring an Alternate Evfs Pseudo-User Setting the evfsuser AttributeCreating the User Group Creating the Evfs Pseudo-User Account Preparing Evfs for Configuration Optional Configuring Alternate Key Database Directories KeysPrivate keys Passphrases that secure user private keys Default pubkey, privkey and passkey Attribute Statements Key Storage Directory Requirements Example NFS Directory for Public and Private Keys Example Alternate Directory for Public KeysExample Fallback Directory for Nonprivileged Users Emdbackup Optional Modifying Evfs Global ParametersDatacipher Pbe Example Starting the Evfs SubsystemEvfsadm start -n numberthreads Creating Keys for Evfs Volume Owners Creating User Key PairsGuidelines for Creating User Keys Evfspkey keygen -p-s -c cipher -u user -k keyname Creating Recovery Keys Storing the recovery users Private KeyExamples Evfspkey keygen -c rsa-2048 -r -k keyname Creating Keys for authorized users Encrypted fileRsa-2048 RSA 2048-bit keys User name as the key name Examples User Session# evfsadm start # evfspkey keygen -u root -k rootkey1Page Configuring an Evfs Volume Configuration Overview Option 1 Creating a New Evfs Volume Before using this procedure, you must complete the tasks Creating an LVM or VxVM Volume for Evfs Configuring an Evfs VolumeCreating Evfs Volume Device Files Evfsadm map volumepath Creating the EMD Optional Adding Recovery Keys and authorized user Keys Enabling the Evfs Volume Specifies that the key pair is a recovery key pairEvfsvol add -u user -k keyname evfsvolumepath where Evfsvol enable -p-k keyname evfsvolumepath Etc/evfs/evfstab file for this volume and have a stored Specifies non-interactive mode. Evfs uses the key ID fromOption, you must add a key ID to the entry Evfsvol prompts you for the passphrase for the private key Creating and Mounting a File System on an Evfs Volume Optional Using fsck to Check the File VolumeCreating a New File System with newfs # newfs -F vxfs /dev/evfs/vg01/rlvol5 Creating the Mount Point Mount the File System on the Evfs VolumeOptional Adding an Entry to /etc/fstab Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Verifying the Configuration Evfsvol display evfsvolumepathEvfsadm stat -a Evfsvol display evfsvolumepath Evfsadm stat -a Remount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal See evfstab4 for more information Backing Up Your Configuration Page Map the regular volume to an Evfs volume Preparing the File System and Data Mount the file system to the Evfs volume Performing Inline EncryptionIencrypt Inline Encryption Start inline encryption Configuring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Starting and Stopping Evfs Enabling Encryption and Decryption Access to Evfs VolumesStarting the Evfs Subsystem Causes Evfs to use a stored passphrase to enable encryption Disabling Encryption/Decryption Access to Evfs VolumesUses the user name as the key name Evfsvol disable -p evfsvolumepath Evfsvol disable -aEnter the following evfsadm stop command evfsadm stop Stopping the Evfs Subsystem Opening Raw Access to Evfs Volumes Closing Raw Access to Evfs Volumes Displaying Key IDs for an Evfs Volume Information for the volumeManaging Evfs Keys and Users Restoring User Keys User Changing Owner Keys for an Evfs Volume Corresponds to a recovery users key in the EMD. If you doTo execute this command evfsvol prompts you for Specifies the name of the file containing private key that Recovering from Problems with Owner Keys Removing Keys from an Evfs VolumeChanging the Passphrase for a Key Evfspkey delete -u username-r -p -k keyname Evfspkey passgen -r recovkeyfile where Evfspkey passgen -u username -k keynameEvfspkey passgen -f-p-s -u username -k keyname where Recovering from EMD Corruption EMD Backup Directory Removing a Volume from the Evfs Subsystem # evfsvol destroy /dev/evfs/vg01/lvol5 Exporting and Importing Evfs Volumes Exporting an Evfs Volume Use the following evfspkey keygen command syntax Evfspkey keygen -c cipher -u user -k keyname Key owners name and keyname is the key name Importing an Evfs VolumeIs the key owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Creating a New Evfs Volume Overwrites Existing Data Vxresize -F Might Cause Data Loss or Corruption LVM Example Increasing Volume and File System Sizes Resizing Evfs Volumes and File SystemsCorrect LVM Example Reducing Volume and File System Sizes Incorrect VxVM Example Increasing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes # fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes Map the backup volume to EVFS. For example Backups Using LVM Mirrored VolumesThis creates the device files /dev/evfs/vg01/lvol5backup Evfsvol check -r evfsvolumepath Dev/vg01/lvol5backup Syntax is as follows # evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Creating Cleartext Backup Media LVM Mirrored Volumes Example File Utility Backups Using VxVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example # evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Example Block Device Utility Creating Cleartext Backup Media VxVM Mirrored VolumesExample File Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Evfs Troubleshooting Tools Overview Displaying Evfs Volume Information Displaying I/O and Encryption Statistics evfsadm statEvfsadm stat -a-s-z Meaning of each field is as follows ADisplays the EMD information for all enabled Evfs volumes Number of data blocks encrypted Size of the encrypted metadata EMD area, in kilobytes Verifying the EMD evfsvol check Syntax Verifying User Keys evfspkey lookup # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1 Evfspkey Cannot Generate Key Pairs Problem ScenariosEvfspkey Cannot Store Keys Evfsvol create Fails, Valid EMD Already Exists Evfsvol Cannot Retrieve Private KeySee the evfstab4 man page for more information Evfsvol disable Fails, Evfs Volume Is Busy Evfsvol disable command returns the following errorEvfsadm map command returns the following error Evfsadm map Fails, Invalid Device Resets the dirty bit for the specified volume Evfsvol check -r -aevfsvolumepathwhereEMD Is Dirty Reporting Problems Collecting Data 140 Product Specifications User Files Commands and Tools Evfs provides the following commands 144 Evfs Quick Reference This appendix contains reference information about Evfs Configuring Evfs Preparing Evfs Option 1 Creating New Evfs Volume # evfsadm map volumepath Perform inline encryption Start inline encryption Evfs Tasks and Commands Table B-1 Starting and Stopping Evfs Table B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Evfs and Serviceguard Overview Using Evfs with ServiceguardRequirements Restrictions Evfs Attribute Definition File ADF Installing Evfs Creating the Serviceguard Storage Infrastructure Creating an LVM Serviceguard Storage InfrastructureCreating a VxVM Serviceguard Storage Structure Configuration Node Adoptive Nodes Configuring Evfs on the Configuration Node Creating a Cluster Key PairAdding the Cluster Keys to the EMD Modifying /etc/evfs/evfstab Entries # vgchange -a n /dev/vg02 Preparing Evfs Volumes for Adoptive Nodes# vxdg deport evfsdg Configuring Evfs Volumes on the Adoptive Nodes Copying the Evfs Configuration Files and KeysRestoring the Cluster Key Pair Files Creating a Local Passphrase File Mapping the LVM or VxVM Volumes to Evfs Deactivating the VolumesModifying the /etc/evfs/evfstab File Verifying Evfs Configuring the Autostart Feature Configuring Serviceguard using Modular packages Installing the Evfs Attribute Definition FileHalting an Existing Package Copying the Evfs Control and Module Scripts Creating a Modular Package Configuration File Migrating a Legacy Package Configuration FileAdding the Evfs package to the Configuration File # cmmigratepkg -p pkgname -o outputfile.conf where Verifying the Script Adding the Evfs Volumes to the Package Configuration FileLVM and VxVM Modular package example Configuring Serviceguard using Legacy packages Creating the Package Configuration FileCreating a Package Control Script Converting a Package Control Script Adding the Evfs Volumes to the Package Control Script Installing the Evfs Control ScriptModifying the Package Configuration File LVM and VxVM Legacy package example Glossary AES Volume Index EMD Permissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming