Encrypted Volume and File System v1.1 Administrators Guide
Trademark Notice
Table of Contents
Upgrading from Evfs v1.0 to Evfs
Preparing Evfs for Configuration
Administering Evfs
101
129
141
145
153
171
169
Page
Software Types
List of Figures
Page
List of Tables
Page
Intended Audience
About This Document
Document Organization
Typographic Conventions
Related Information
HP Encourages Your Comments
User input
Features and Benefits
Evfs provides the following features
Evfs Introduction
LVM DLO Support
Evfs Architecture
Evfs Data Flow
Encryption Metadata EMD
Evfs Encryption Keys
Volume Encryption Keys
Using HP-UX Trusted Computing Services with Evfs
User Keys
How Evfs Uses Keys
3illustrates how Evfs uses keys to enable an Evfs volume
User Key and Passphrase Storage
Key Names and Key IDs
File Names
Alternate Storage Databases and Distributed Key Storage
Summary of Key Type and Privileged User Capabilities
User Key Privileges
Evfsvol utility configures and manages the Evfs volumes
Evfs Commands
Evfsadm
Evfspkey
Software Types
Supported Software
Product Limitations and Precautions
Evfs Introduction
Symptoms
Known Problems
Possible Device File Collision
Workaround
Feedback and Enhancement Requests
Installation
Prerequisites
System Reboot
Hardware Requirements
Operating System Requirements
Use the following procedure to install Evfs
Installing Evfs
Swinstall utility will install the Evfs components
Log on to the target system as the root user
Upgrading from Evfs v1.0 to Evfs
Verifying for Preconfiguration
Preparing Evfs for Configuration
Start the Evfs subsystem. See Starting the Evfs Subsystem
Preparation Overview
Setting the evfsuser Attribute
Configuring an Alternate Evfs Pseudo-User
Creating the User Group
Creating the Evfs Pseudo-User Account
Preparing Evfs for Configuration
Keys
Optional Configuring Alternate Key Database Directories
Private keys
Passphrases that secure user private keys
Key Storage Directory Requirements
Default pubkey, privkey and passkey Attribute Statements
Example Alternate Directory for Public Keys
Example NFS Directory for Public and Private Keys
Example Fallback Directory for Nonprivileged Users
Optional Modifying Evfs Global Parameters
Emdbackup
Datacipher
Pbe
Starting the Evfs Subsystem
Example
Evfsadm start -n numberthreads
Creating User Key Pairs
Creating Keys for Evfs Volume Owners
Guidelines for Creating User Keys
Evfspkey keygen -p-s -c cipher -u user -k keyname
Storing the recovery users Private Key
Creating Recovery Keys
Examples
Evfspkey keygen -c rsa-2048 -r -k keyname
Encrypted file
Creating Keys for authorized users
Rsa-2048 RSA 2048-bit keys
User name as the key name
User Session
Examples
# evfsadm start
# evfspkey keygen -u root -k rootkey1
Page
Configuration Overview
Configuring an Evfs Volume
Before using this procedure, you must complete the tasks
Option 1 Creating a New Evfs Volume
Configuring an Evfs Volume
Creating an LVM or VxVM Volume for Evfs
Creating Evfs Volume Device Files
Creating the EMD
Evfsadm map volumepath
Optional Adding Recovery Keys and authorized user Keys
Specifies that the key pair is a recovery key pair
Enabling the Evfs Volume
Evfsvol add -u user -k keyname evfsvolumepath where
Evfsvol enable -p-k keyname evfsvolumepath
Specifies non-interactive mode. Evfs uses the key ID from
Etc/evfs/evfstab file for this volume and have a stored
Option, you must add a key ID to the entry
Evfsvol prompts you for the passphrase for the private key
Optional Using fsck to Check the File Volume
Creating and Mounting a File System on an Evfs Volume
Creating a New File System with newfs
# newfs -F vxfs /dev/evfs/vg01/rlvol5
Mount the File System on the Evfs Volume
Creating the Mount Point
Optional Adding an Entry to /etc/fstab
Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0
Evfsvol display evfsvolumepath
Verifying the Configuration
Evfsadm stat -a Evfsvol display evfsvolumepath
Evfsadm stat -a
Remount the file system using the mount command
Optional Migrating Existing Data to an Evfs Volume
Optional Configuring the Autostart Feature
See evfstab4 for more information
Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal
Backing Up Your Configuration
Page
Preparing the File System and Data
Map the regular volume to an Evfs volume
Performing Inline Encryption
Mount the file system to the Evfs volume
Iencrypt Inline Encryption
Start inline encryption
Configuring an Evfs Volume
Verifying the Configuration
Remount the file system using the mount command
# strings /dev/vg01/lvol5 grep TOP Secret
Optional Configuring the Autostart Feature
Example
Backing Up Your Configuration
Option
Existing size is 96 MB we now extend it by 4 MB, to 100 MB
Existing size is 96 MB we now extend it by 4 MB, to 100 MB
Page
Administering Evfs
Enabling Encryption and Decryption Access to Evfs Volumes
Starting and Stopping Evfs
Starting the Evfs Subsystem
Disabling Encryption/Decryption Access to Evfs Volumes
Causes Evfs to use a stored passphrase to enable encryption
Uses the user name as the key name
Evfsvol disable -a
Evfsvol disable -p evfsvolumepath
Enter the following evfsadm stop command evfsadm stop
Stopping the Evfs Subsystem
Closing Raw Access to Evfs Volumes
Opening Raw Access to Evfs Volumes
Information for the volume
Displaying Key IDs for an Evfs Volume
Managing Evfs Keys and Users
Restoring User Keys
User
Corresponds to a recovery users key in the EMD. If you do
Changing Owner Keys for an Evfs Volume
To execute this command evfsvol prompts you for
Specifies the name of the file containing private key that
Removing Keys from an Evfs Volume
Recovering from Problems with Owner Keys
Changing the Passphrase for a Key
Evfspkey delete -u username-r -p -k keyname
Evfspkey passgen -u username -k keyname
Evfspkey passgen -r recovkeyfile where
Evfspkey passgen -f-p-s -u username -k keyname where
EMD Backup Directory
Recovering from EMD Corruption
# evfsvol destroy /dev/evfs/vg01/lvol5
Removing a Volume from the Evfs Subsystem
Exporting an Evfs Volume
Exporting and Importing Evfs Volumes
Evfspkey keygen -c cipher -u user -k keyname
Use the following evfspkey keygen command syntax
Importing an Evfs Volume
Key owners name and keyname is the key name
Is the key owners name and keyname is the key name
Administering Evfs
Managing Data on Evfs Volumes
Vxresize -F Might Cause Data Loss or Corruption
Creating a New Evfs Volume Overwrites Existing Data
Resizing Evfs Volumes and File Systems
LVM Example Increasing Volume and File System Sizes
Correct
Incorrect
LVM Example Reducing Volume and File System Sizes
VxVM Example Reducing Volume and File System Sizes
VxVM Example Increasing Volume and File System Sizes
# fsadm -F vxfs -b 65536 /test5
Backing Up and Restoring Data on Evfs Volumes
Backing Up Evfs Volumes
Backup Types with LVM or VxVM Mirrored Volumes
Backup Types with Nonmirrored Volumes
Backups Using LVM Mirrored Volumes
Map the backup volume to EVFS. For example
This creates the device files /dev/evfs/vg01/lvol5backup
Evfsvol check -r evfsvolumepath
Syntax is as follows
Dev/vg01/lvol5backup
# evfsvol display /dev/evfs/vg01/lvol6
Evfsvol check -r evfsvolumepath
Disable the Evfs backup volume. For example
Example File Utility
Creating Cleartext Backup Media LVM Mirrored Volumes
Map the backup VxVM volume to EVFS. For example
Backups Using VxVM Mirrored Volumes
# evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol
Backing Up and Restoring Data on Evfs Volumes
# vxplex -g testdg -v vol05 dis vol05-02
# evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
Evfsvol check -r evfsvolumepath
# fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol
Backing Up Evfs Volumes
Creating Cleartext Backup Media VxVM Mirrored Volumes
Example Block Device Utility
Example File Utility
Backups Using Nonmirrored Volumes
# evfsvol raw /dev/evfs/vg01/lvol5
Evfsadm stat -a
Cp -r /opt/encrypteddata /opt/evfsbackup
Restoring Backup Media
Restoring Backup Data from an Evfs Volume to an Evfs Volume
# cp -r /opt/backupevfs /opt/encrypteddata
128
Troubleshooting Tools Overview
Troubleshooting Evfs
Displaying I/O and Encryption Statistics evfsadm stat
Displaying Evfs Volume Information
Evfsadm stat -a-s-z
Meaning of each field is as follows
Number of data blocks encrypted
ADisplays the EMD information for all enabled Evfs volumes
Size of the encrypted metadata EMD area, in kilobytes
Syntax
Verifying the EMD evfsvol check
# evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1
Verifying User Keys evfspkey lookup
Problem Scenarios
Evfspkey Cannot Generate Key Pairs
Evfspkey Cannot Store Keys
Evfsvol Cannot Retrieve Private Key
Evfsvol create Fails, Valid EMD Already Exists
See the evfstab4 man page for more information
Evfsvol disable command returns the following error
Evfsvol disable Fails, Evfs Volume Is Busy
Evfsadm map command returns the following error
Evfsadm map Fails, Invalid Device
Evfsvol check -r -aevfsvolumepathwhere
Resets the dirty bit for the specified volume
EMD Is Dirty
Collecting Data
Reporting Problems
140
Product Specifications
User Files
Evfs provides the following commands
Commands and Tools
144
This appendix contains reference information about Evfs
Evfs Quick Reference
Preparing Evfs
Configuring Evfs
# evfsadm map volumepath
Option 1 Creating New Evfs Volume
Perform inline encryption Start inline encryption
Table B-1 Starting and Stopping Evfs
Evfs Tasks and Commands
Table B-3 Managing Evfs Keys and Users
Table B-4 Troubleshooting Evfs
152
Using Evfs with Serviceguard
Evfs and Serviceguard Overview
Requirements
Restrictions
Evfs Attribute Definition File ADF
Installing Evfs
Creating an LVM Serviceguard Storage Infrastructure
Creating the Serviceguard Storage Infrastructure
Creating a VxVM Serviceguard Storage Structure
Configuration Node
Adoptive Nodes
Creating a Cluster Key Pair
Configuring Evfs on the Configuration Node
Adding the Cluster Keys to the EMD
Modifying /etc/evfs/evfstab Entries
Preparing Evfs Volumes for Adoptive Nodes
# vgchange -a n /dev/vg02
# vxdg deport evfsdg
Copying the Evfs Configuration Files and Keys
Configuring Evfs Volumes on the Adoptive Nodes
Restoring the Cluster Key Pair Files
Creating a Local Passphrase File
Deactivating the Volumes
Mapping the LVM or VxVM Volumes to Evfs
Modifying the /etc/evfs/evfstab File
Verifying Evfs
Configuring the Autostart Feature
Installing the Evfs Attribute Definition File
Configuring Serviceguard using Modular packages
Halting an Existing Package
Copying the Evfs Control and Module Scripts
Migrating a Legacy Package Configuration File
Creating a Modular Package Configuration File
Adding the Evfs package to the Configuration File
# cmmigratepkg -p pkgname -o outputfile.conf where
Adding the Evfs Volumes to the Package Configuration File
Verifying the Script
LVM and VxVM Modular package example
Creating the Package Configuration File
Configuring Serviceguard using Legacy packages
Creating a Package Control Script
Converting a Package Control Script
Installing the Evfs Control Script
Adding the Evfs Volumes to the Package Control Script
Modifying the Package Configuration File
LVM and VxVM Legacy package example
AES
Glossary
Volume
EMD
Index
Permissions, 85 /etc/rc.config.d/evfs, 62, 72
RSA
Vxresize command Renaming
