Evfs Data Flow | HP UX Encrypted Volume and Filesystem (EVFS)

EVFS Data Flow

EVFS is implemented using a pseudo-driver that operates on the EVFS volumes. An EVFS volume is stacked between the underlying volume (a LVM, VxVM, or physical volume) and an upper layer. The upper layer can be a file system or an application that reads data from and writes data directly to the EVFS volume, such as a database application.

When the upper layer file writes data, the EVFS pseudo-driver encrypts the data before writing it to the underlying volume. When the upper layer reads data, the pseudo-driver decrypts the data from the underlying volume and provides the decrypted data to the upper layer. If the upper layer caches data to the lower layer, such as a file system with buffer caching enabled, all data in the buffer cache is in cleartext (it is not encrypted). Figure 1-1shows a simplified EVFS data flow.

Figure 1-1 EVFS Data Flow

File System

DB or Direct-Access Application

(decrypts data read by upper layer )

EVFS

(encrypts data written to lower layer )

LVM

VxVM

Physical Disks

= Non-encrypted Data

= Encrypted Data

IMPORTANT: After encryption and decryption for an EVFS volume is enabled, all read operations performed on the EVFS volume output decrypted data. You must use normal HP-UX file system permissions and access control to restrict access to the data.

Encryption Metadata (EMD)

Each EVFS volume has a set of encryption attributes, or encryption metadata (EMD) associated with it. The EMD is stored as part of the EVFS volume. The data stored in the EMD includes operating parameters for the EVFS volume, such as the data encryption algorithm, and copies of the volume encryption key. The copies of the volume encryption key are encrypted ("wrapped") by user keys, as described in the following section.

EVFS Encryption Keys

EVFS uses two types of encryption keys:

•Symmetric keys to encrypt data, referred to as volume encryption keys

•Public/private key pairs to protect volume encryption keys, also referred to as user keys

EVFS also uses passphrases to protect private keys.

20 EVFS Introduction

Image 20

HP UX Encrypted Volume and Filesystem (EVFS) manual Evfs Data Flow, Encryption Metadata EMD, Evfs Encryption Keys

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Preparing Evfs for Configuration Upgrading from Evfs v1.0 to Evfs Administering Evfs 101 129 153 141145 169 171Page List of Figures Software TypesPage List of Tables Page About This Document Intended AudienceDocument Organization Typographic Conventions User input Related InformationHP Encourages Your Comments Evfs Introduction Features and BenefitsEvfs provides the following features LVM DLO Support Evfs Architecture Evfs Encryption Keys Evfs Data FlowEncryption Metadata EMD User Keys Volume Encryption KeysUsing HP-UX Trusted Computing Services with Evfs 3illustrates how Evfs uses keys to enable an Evfs volume How Evfs Uses Keys Key Names and Key IDs User Key and Passphrase StorageFile Names Alternate Storage Databases and Distributed Key Storage User Key Privileges Summary of Key Type and Privileged User Capabilities Evfs Commands Evfsvol utility configures and manages the Evfs volumesEvfsadm Evfspkey Supported Software Software Types Product Limitations and Precautions Evfs Introduction Known Problems SymptomsPossible Device File Collision Workaround Feedback and Enhancement Requests Installation System Reboot PrerequisitesHardware Requirements Operating System Requirements Installing Evfs Use the following procedure to install EvfsSwinstall utility will install the Evfs components Log on to the target system as the root user Upgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Verifying for Preconfiguration Preparation Overview Start the Evfs subsystem. See Starting the Evfs Subsystem Configuring an Alternate Evfs Pseudo-User Setting the evfsuser AttributeCreating the User Group Creating the Evfs Pseudo-User Account Preparing Evfs for Configuration Optional Configuring Alternate Key Database Directories KeysPrivate keys Passphrases that secure user private keys Default pubkey, privkey and passkey Attribute Statements Key Storage Directory Requirements Example Fallback Directory for Nonprivileged Users Example Alternate Directory for Public KeysExample NFS Directory for Public and Private Keys Emdbackup Optional Modifying Evfs Global ParametersDatacipher Pbe Evfsadm start -n numberthreads Starting the Evfs SubsystemExample Creating Keys for Evfs Volume Owners Creating User Key PairsGuidelines for Creating User Keys Evfspkey keygen -p-s -c cipher -u user -k keyname Creating Recovery Keys Storing the recovery users Private KeyExamples Evfspkey keygen -c rsa-2048 -r -k keyname Creating Keys for authorized users Encrypted fileRsa-2048 RSA 2048-bit keys User name as the key name Examples User Session# evfsadm start # evfspkey keygen -u root -k rootkey1Page Configuring an Evfs Volume Configuration Overview Option 1 Creating a New Evfs Volume Before using this procedure, you must complete the tasks Creating Evfs Volume Device Files Configuring an Evfs VolumeCreating an LVM or VxVM Volume for Evfs Evfsadm map volumepath Creating the EMD Optional Adding Recovery Keys and authorized user Keys Enabling the Evfs Volume Specifies that the key pair is a recovery key pairEvfsvol add -u user -k keyname evfsvolumepath where Evfsvol enable -p-k keyname evfsvolumepath Etc/evfs/evfstab file for this volume and have a stored Specifies non-interactive mode. Evfs uses the key ID fromOption, you must add a key ID to the entry Evfsvol prompts you for the passphrase for the private key Creating and Mounting a File System on an Evfs Volume Optional Using fsck to Check the File VolumeCreating a New File System with newfs # newfs -F vxfs /dev/evfs/vg01/rlvol5 Optional Adding an Entry to /etc/fstab Mount the File System on the Evfs VolumeCreating the Mount Point Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Verifying the Configuration Evfsvol display evfsvolumepathEvfsadm stat -a Evfsvol display evfsvolumepath Evfsadm stat -a Remount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal See evfstab4 for more information Backing Up Your Configuration Page Map the regular volume to an Evfs volume Preparing the File System and Data Mount the file system to the Evfs volume Performing Inline EncryptionIencrypt Inline Encryption Start inline encryption Configuring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Starting the Evfs Subsystem Enabling Encryption and Decryption Access to Evfs VolumesStarting and Stopping Evfs Uses the user name as the key name Disabling Encryption/Decryption Access to Evfs VolumesCauses Evfs to use a stored passphrase to enable encryption Evfsvol disable -p evfsvolumepath Evfsvol disable -aEnter the following evfsadm stop command evfsadm stop Stopping the Evfs Subsystem Opening Raw Access to Evfs Volumes Closing Raw Access to Evfs Volumes Displaying Key IDs for an Evfs Volume Information for the volumeManaging Evfs Keys and Users Restoring User Keys User Changing Owner Keys for an Evfs Volume Corresponds to a recovery users key in the EMD. If you doTo execute this command evfsvol prompts you for Specifies the name of the file containing private key that Recovering from Problems with Owner Keys Removing Keys from an Evfs VolumeChanging the Passphrase for a Key Evfspkey delete -u username-r -p -k keyname Evfspkey passgen -f-p-s -u username -k keyname where Evfspkey passgen -u username -k keynameEvfspkey passgen -r recovkeyfile where Recovering from EMD Corruption EMD Backup Directory Removing a Volume from the Evfs Subsystem # evfsvol destroy /dev/evfs/vg01/lvol5 Exporting and Importing Evfs Volumes Exporting an Evfs Volume Use the following evfspkey keygen command syntax Evfspkey keygen -c cipher -u user -k keyname Is the key owners name and keyname is the key name Importing an Evfs VolumeKey owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Creating a New Evfs Volume Overwrites Existing Data Vxresize -F Might Cause Data Loss or Corruption Correct Resizing Evfs Volumes and File SystemsLVM Example Increasing Volume and File System Sizes LVM Example Reducing Volume and File System Sizes Incorrect VxVM Example Increasing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes # fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes This creates the device files /dev/evfs/vg01/lvol5backup Backups Using LVM Mirrored VolumesMap the backup volume to EVFS. For example Evfsvol check -r evfsvolumepath Dev/vg01/lvol5backup Syntax is as follows # evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Creating Cleartext Backup Media LVM Mirrored Volumes Example File Utility Backups Using VxVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example # evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Example File Utility Creating Cleartext Backup Media VxVM Mirrored VolumesExample Block Device Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Evfs Troubleshooting Tools Overview Displaying Evfs Volume Information Displaying I/O and Encryption Statistics evfsadm statEvfsadm stat -a-s-z Meaning of each field is as follows ADisplays the EMD information for all enabled Evfs volumes Number of data blocks encrypted Size of the encrypted metadata EMD area, in kilobytes Verifying the EMD evfsvol check Syntax Verifying User Keys evfspkey lookup # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1 Evfspkey Cannot Store Keys Problem ScenariosEvfspkey Cannot Generate Key Pairs See the evfstab4 man page for more information Evfsvol Cannot Retrieve Private KeyEvfsvol create Fails, Valid EMD Already Exists Evfsvol disable Fails, Evfs Volume Is Busy Evfsvol disable command returns the following errorEvfsadm map command returns the following error Evfsadm map Fails, Invalid Device EMD Is Dirty Evfsvol check -r -aevfsvolumepathwhereResets the dirty bit for the specified volume Reporting Problems Collecting Data 140 Product Specifications User Files Commands and Tools Evfs provides the following commands 144 Evfs Quick Reference This appendix contains reference information about Evfs Configuring Evfs Preparing Evfs Option 1 Creating New Evfs Volume # evfsadm map volumepath Perform inline encryption Start inline encryption Evfs Tasks and Commands Table B-1 Starting and Stopping Evfs Table B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Requirements Using Evfs with ServiceguardEvfs and Serviceguard Overview Restrictions Evfs Attribute Definition File ADF Installing Evfs Creating the Serviceguard Storage Infrastructure Creating an LVM Serviceguard Storage InfrastructureCreating a VxVM Serviceguard Storage Structure Configuration Node Adoptive Nodes Configuring Evfs on the Configuration Node Creating a Cluster Key PairAdding the Cluster Keys to the EMD Modifying /etc/evfs/evfstab Entries # vxdg deport evfsdg Preparing Evfs Volumes for Adoptive Nodes# vgchange -a n /dev/vg02 Configuring Evfs Volumes on the Adoptive Nodes Copying the Evfs Configuration Files and KeysRestoring the Cluster Key Pair Files Creating a Local Passphrase File Mapping the LVM or VxVM Volumes to Evfs Deactivating the VolumesModifying the /etc/evfs/evfstab File Verifying Evfs Configuring the Autostart Feature Configuring Serviceguard using Modular packages Installing the Evfs Attribute Definition FileHalting an Existing Package Copying the Evfs Control and Module Scripts Creating a Modular Package Configuration File Migrating a Legacy Package Configuration FileAdding the Evfs package to the Configuration File # cmmigratepkg -p pkgname -o outputfile.conf where LVM and VxVM Modular package example Adding the Evfs Volumes to the Package Configuration FileVerifying the Script Configuring Serviceguard using Legacy packages Creating the Package Configuration FileCreating a Package Control Script Converting a Package Control Script Adding the Evfs Volumes to the Package Control Script Installing the Evfs Control ScriptModifying the Package Configuration File LVM and VxVM Legacy package example Glossary AES Volume Index EMD Permissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming