Examples | HP UX Encrypted Volume and Filesystem (EVFS) specification

Examples

This section contains preparation examples.

User Session

The following example lists the commands entered by the root user to create an encrypted volume. These commands correspond to steps 4 through 5 in this chapter. The user skips “Step

1:Configuring an Alternate EVFS Pseudo-User”,“Step 2: (Optional) Configuring Alternate Key Database Directories”, and “Step 3: (Optional) Modifying EVFS Global Parameters”, and uses the default EVFS pseudo-user and global parameters. The user must still configure the autostart feature and back up the configuration.

Step 4: Start the EVFS subsystem.

#evfsadm start

Step 5: Create a key pair for the root user. The key name will be rootkey1. evfspkey will prompt you for a passphrase.

#evfspkey keygen -u root -k rootkey1

Optional – Create a key pair for the recovery user. evfspkey will prompt you for a passphrase and save the private key in the current working directory with the file name evfs.priv. Store this key off line.

# evfspkey keygen -c rsa-2048 -r

Examples 47

Image 47

HP UX Encrypted Volume and Filesystem (EVFS) Examples, User Session, # evfsadm start, # evfspkey keygen -c rsa-2048 -r

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Upgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Administering Evfs 101 129 153 141145 171 169Page Software Types List of FiguresPage List of Tables Page Typographic Conventions About This DocumentIntended Audience Document Organization User input Related InformationHP Encourages Your Comments Evfs Introduction Features and BenefitsEvfs provides the following features LVM DLO Support Evfs Architecture Evfs Encryption Keys Evfs Data FlowEncryption Metadata EMD User Keys Volume Encryption KeysUsing HP-UX Trusted Computing Services with Evfs How Evfs Uses Keys 3illustrates how Evfs uses keys to enable an Evfs volume Alternate Storage Databases and Distributed Key Storage Key Names and Key IDsUser Key and Passphrase Storage File Names Summary of Key Type and Privileged User Capabilities User Key Privileges Evfspkey Evfs CommandsEvfsvol utility configures and manages the Evfs volumes Evfsadm Software Types Supported Software Product Limitations and Precautions Evfs Introduction Workaround Known ProblemsSymptoms Possible Device File Collision Feedback and Enhancement Requests Installation Operating System Requirements System RebootPrerequisites Hardware Requirements Log on to the target system as the root user Installing EvfsUse the following procedure to install Evfs Swinstall utility will install the Evfs components Upgrading from Evfs v1.0 to Evfs Verifying for Preconfiguration Preparing Evfs for Configuration Start the Evfs subsystem. See Starting the Evfs Subsystem Preparation Overview Creating the Evfs Pseudo-User Account Configuring an Alternate Evfs Pseudo-UserSetting the evfsuser Attribute Creating the User Group Preparing Evfs for Configuration Passphrases that secure user private keys Optional Configuring Alternate Key Database DirectoriesKeys Private keys Key Storage Directory Requirements Default pubkey, privkey and passkey Attribute Statements Example Fallback Directory for Nonprivileged Users Example Alternate Directory for Public KeysExample NFS Directory for Public and Private Keys Pbe EmdbackupOptional Modifying Evfs Global Parameters Datacipher Evfsadm start -n numberthreads Starting the Evfs SubsystemExample Evfspkey keygen -p-s -c cipher -u user -k keyname Creating Keys for Evfs Volume OwnersCreating User Key Pairs Guidelines for Creating User Keys Evfspkey keygen -c rsa-2048 -r -k keyname Creating Recovery KeysStoring the recovery users Private Key Examples User name as the key name Creating Keys for authorized usersEncrypted file Rsa-2048 RSA 2048-bit keys # evfspkey keygen -u root -k rootkey1 ExamplesUser Session # evfsadm startPage Configuration Overview Configuring an Evfs Volume Before using this procedure, you must complete the tasks Option 1 Creating a New Evfs Volume Creating Evfs Volume Device Files Configuring an Evfs VolumeCreating an LVM or VxVM Volume for Evfs Creating the EMD Evfsadm map volumepath Optional Adding Recovery Keys and authorized user Keys Evfsvol enable -p-k keyname evfsvolumepath Enabling the Evfs VolumeSpecifies that the key pair is a recovery key pair Evfsvol add -u user -k keyname evfsvolumepath where Evfsvol prompts you for the passphrase for the private key Etc/evfs/evfstab file for this volume and have a storedSpecifies non-interactive mode. Evfs uses the key ID from Option, you must add a key ID to the entry # newfs -F vxfs /dev/evfs/vg01/rlvol5 Creating and Mounting a File System on an Evfs VolumeOptional Using fsck to Check the File Volume Creating a New File System with newfs Optional Adding an Entry to /etc/fstab Mount the File System on the Evfs VolumeCreating the Mount Point Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Evfsadm stat -a Verifying the ConfigurationEvfsvol display evfsvolumepath Evfsadm stat -a Evfsvol display evfsvolumepath Remount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature See evfstab4 for more information Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal Backing Up Your Configuration Page Preparing the File System and Data Map the regular volume to an Evfs volume Start inline encryption Mount the file system to the Evfs volumePerforming Inline Encryption Iencrypt Inline Encryption Configuring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Starting the Evfs Subsystem Enabling Encryption and Decryption Access to Evfs VolumesStarting and Stopping Evfs Uses the user name as the key name Disabling Encryption/Decryption Access to Evfs VolumesCauses Evfs to use a stored passphrase to enable encryption Stopping the Evfs Subsystem Evfsvol disable -p evfsvolumepathEvfsvol disable -a Enter the following evfsadm stop command evfsadm stop Closing Raw Access to Evfs Volumes Opening Raw Access to Evfs Volumes Restoring User Keys Displaying Key IDs for an Evfs VolumeInformation for the volume Managing Evfs Keys and Users User Specifies the name of the file containing private key that Changing Owner Keys for an Evfs VolumeCorresponds to a recovery users key in the EMD. If you do To execute this command evfsvol prompts you for Evfspkey delete -u username-r -p -k keyname Recovering from Problems with Owner KeysRemoving Keys from an Evfs Volume Changing the Passphrase for a Key Evfspkey passgen -f-p-s -u username -k keyname where Evfspkey passgen -u username -k keynameEvfspkey passgen -r recovkeyfile where EMD Backup Directory Recovering from EMD Corruption # evfsvol destroy /dev/evfs/vg01/lvol5 Removing a Volume from the Evfs Subsystem Exporting an Evfs Volume Exporting and Importing Evfs Volumes Evfspkey keygen -c cipher -u user -k keyname Use the following evfspkey keygen command syntax Is the key owners name and keyname is the key name Importing an Evfs VolumeKey owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Vxresize -F Might Cause Data Loss or Corruption Creating a New Evfs Volume Overwrites Existing Data Correct Resizing Evfs Volumes and File SystemsLVM Example Increasing Volume and File System Sizes Incorrect LVM Example Reducing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes VxVM Example Increasing Volume and File System Sizes # fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes This creates the device files /dev/evfs/vg01/lvol5backup Backups Using LVM Mirrored VolumesMap the backup volume to EVFS. For example Evfsvol check -r evfsvolumepath Syntax is as follows Dev/vg01/lvol5backup # evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Example File Utility Creating Cleartext Backup Media LVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example Backups Using VxVM Mirrored Volumes # evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Example File Utility Creating Cleartext Backup Media VxVM Mirrored VolumesExample Block Device Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Tools Overview Troubleshooting Evfs Meaning of each field is as follows Displaying Evfs Volume InformationDisplaying I/O and Encryption Statistics evfsadm stat Evfsadm stat -a-s-z Number of data blocks encrypted ADisplays the EMD information for all enabled Evfs volumes Size of the encrypted metadata EMD area, in kilobytes Syntax Verifying the EMD evfsvol check # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1 Verifying User Keys evfspkey lookup Evfspkey Cannot Store Keys Problem ScenariosEvfspkey Cannot Generate Key Pairs See the evfstab4 man page for more information Evfsvol Cannot Retrieve Private KeyEvfsvol create Fails, Valid EMD Already Exists Evfsadm map Fails, Invalid Device Evfsvol disable Fails, Evfs Volume Is BusyEvfsvol disable command returns the following error Evfsadm map command returns the following error EMD Is Dirty Evfsvol check -r -aevfsvolumepathwhereResets the dirty bit for the specified volume Collecting Data Reporting Problems 140 Product Specifications User Files Evfs provides the following commands Commands and Tools 144 This appendix contains reference information about Evfs Evfs Quick Reference Preparing Evfs Configuring Evfs # evfsadm map volumepath Option 1 Creating New Evfs Volume Perform inline encryption Start inline encryption Table B-1 Starting and Stopping Evfs Evfs Tasks and Commands Table B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Requirements Using Evfs with ServiceguardEvfs and Serviceguard Overview Restrictions Evfs Attribute Definition File ADF Installing Evfs Configuration Node Creating the Serviceguard Storage InfrastructureCreating an LVM Serviceguard Storage Infrastructure Creating a VxVM Serviceguard Storage Structure Adoptive Nodes Modifying /etc/evfs/evfstab Entries Configuring Evfs on the Configuration NodeCreating a Cluster Key Pair Adding the Cluster Keys to the EMD # vxdg deport evfsdg Preparing Evfs Volumes for Adoptive Nodes# vgchange -a n /dev/vg02 Creating a Local Passphrase File Configuring Evfs Volumes on the Adoptive NodesCopying the Evfs Configuration Files and Keys Restoring the Cluster Key Pair Files Verifying Evfs Mapping the LVM or VxVM Volumes to EvfsDeactivating the Volumes Modifying the /etc/evfs/evfstab File Configuring the Autostart Feature Copying the Evfs Control and Module Scripts Configuring Serviceguard using Modular packagesInstalling the Evfs Attribute Definition File Halting an Existing Package # cmmigratepkg -p pkgname -o outputfile.conf where Creating a Modular Package Configuration FileMigrating a Legacy Package Configuration File Adding the Evfs package to the Configuration File LVM and VxVM Modular package example Adding the Evfs Volumes to the Package Configuration FileVerifying the Script Converting a Package Control Script Configuring Serviceguard using Legacy packagesCreating the Package Configuration File Creating a Package Control Script LVM and VxVM Legacy package example Adding the Evfs Volumes to the Package Control ScriptInstalling the Evfs Control Script Modifying the Package Configuration File AES Glossary Volume EMD Index Permissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming