Product Limitations and Precautions

The EVFS product has the following limitations:

EVFS operates with LVM, VxVM and physical volumes only. Each EVFS volume is mapped to an underlying LVM, VxVM or physical volume.

You enable EVFS encryption and decryption for an EVFS volume as a single unit. When encryption and decryption are enabled for a volume, EVFS encrypts and decrypts the data blocks as they are accessed: every read operation through the EVFS volume returns decrypted data, so users can access individual files in cleartext. You must therefore use normal HP-UX file system permissions and access control to restrict access to the data.

You cannot encrypt the following objects:

- Files or disk areas used during system boot. This includes the following objects:

  - the root file system (/)
  - the HP-UX kernel directory (/stand)
  - the /usr directory

  EVFS cannot decrypt the kernel or other data before the system boots.

  CAUTION: Encrypting the boot disk can cause the boot disk to become unusable and prevent you from booting the system.

- Dump devices.

- Swap space (swap devices or file swap space).

  CAUTION: Encrypting swap space can cause the system to panic.

EVFS does not automatically convert existing volume data to encrypted data. To encrypt existing volume data, use the inline encryption feature. For more information, see “Step 4: (Optional) Migrating Existing Data to an EVFS Volume” (page 61).

CAUTION: If you improperly configure EVFS on a volume that already contains data, the existing data will be unusable.

IMPORTANT: To use inline encryption, 3 MB of spare disk space is required at the end of the volume, and the volume must be at least 4 MB in size.

To mount a file system on an EVFS volume, EVFS must be enabled and must transfer data to and from the file system in cleartext (unencrypted). Therefore, any executable that reads or writes data through file system utilities operates only on cleartext data.

Network file sharing utilities, such as NFS, CIFS, FTP, or rcp, will transmit files in cleartext, even if the original files reside on an EVFS volume.

If you want to use a backup utility that performs incremental backups or that backs up individual files, EVFS must be enabled. The backup utility receives the data in cleartext, even if the original files reside on an EVFS volume. If the target backup device is another EVFS volume, the target EVFS volume re-encrypts the data.

If the target backup device is a tape device or other non-EVFS device:

- You must back up the volume as a volume device (as a single unit), not as a file system or group of files, to create encrypted backup media. You can create encrypted backup media using block device utilities, such as dd.

- You cannot create encrypted backup media using file-based utilities.
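The block-device backup described above, as an added shell example that is not part of the EVFS manual: it copies the volume as a single unit with dd and verifies the copy with cksum. It assumes the source path is the underlying LVM, VxVM or physical volume device that holds the ciphertext, not a mounted file system (a file-level copy would receive cleartext from EVFS); the device and image paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the HP-UX EVFS manual): back up an EVFS volume as one
# block device with dd, then verify the image. SRC must be the underlying volume
# device holding the ciphertext, never a mounted (cleartext) file system.
set -eu

# Copy the whole device image in 1 MB blocks; returns dd's exit status.
evfs_block_backup() {
    src="$1"
    dst="$2"
    dd if="$src" of="$dst" bs=1048576 2>/dev/null
}

# Print the POSIX cksum of a device or image file as "crc:bytes".
evfs_image_cksum() {
    cksum < "$1" | awk '{print $1 ":" $2}'
}

# Succeed only if the source and the backup image have identical checksums.
evfs_verify_backup() {
    [ "$(evfs_image_cksum "$1")" = "$(evfs_image_cksum "$2")" ]
}

# Usage with placeholder paths (replace with your underlying volume device and
# backup image or tape device):
#   evfs_block_backup /dev/vgXX/rlvolN /path/to/backup.img
#   evfs_verify_backup /dev/vgXX/rlvolN /path/to/backup.img && echo "backup verified"
```

When the target is a tape device, verify by reading the tape back after rewinding it rather than against the image path used during the write.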

If you use Ignite-UX to create boot or installation media, Ignite-UX will include system files from the /var, /opt, and /usr directories in the media in addition to the kernel file.

HP-UX Encrypted Volume and Filesystem (EVFS) manual, Product Limitations and Precautions (page 27)