HP UX Encrypted Volume and Filesystem (EVFS) guide

4 Configuring an EVFS Volume

This chapter describes how to configure an EVFS Volume after preparing EVFS for configuration. This chapter addresses the following topics:

•“Configuration Overview” (page 49)

•“Option 1: Creating a New EVFS Volume” (page 50)

•“Option 2: Converting a Volume with Existing Data to an EVFS Volume (Inline Encryption)” (page 65)

•“Examples” (page 75)

Configuration Overview

There are two procedures to configure an EVFS Volume:

•Option 1: Creating a new EVFS volume

This procedure creates a new EVFS volume. Use this option to create an EVFS volume on an unused LVM, VxVM or physical volume. After you have created the EVFS volume, you can migrate existing data to the new EVFS volume.

CAUTION: You cannot create an LVM or VxVM volume above an EVFS volume.

You can create an EVFS volume on an existing LVM, VxVM, or physical volume, but any existing data on the volume is rendered unusable.

•Option 2: Converting a volume with existing data into an EVFS volume (Inline Encryption)

This procedure converts a volume with existing data into an EVFS volume using the inline encryption feature.

IMPORTANT: To use inline encryption, 3 MB of spare disk space are required at the end of the volume, and the minimum volume size must be 4 MB. If the entire volume is used, extend the volume using lvextend for LVM, or vxassist for VXVM.

NOTE: The inline encryption process takes approximately 1.2 minute per GB on 4-CPU rx4640. Actual performance times vary depending on usage and configuration.

Configuration Overview

49

Image 49

HP UX Encrypted Volume and Filesystem (EVFS) manual Configuring an Evfs Volume, Configuration Overview

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Upgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Administering Evfs 101 129 145 141153 171 169Page Software Types List of FiguresPage List of Tables Page Intended Audience About This DocumentDocument Organization Typographic Conventions HP Encourages Your Comments Related InformationUser input Evfs provides the following features Features and BenefitsEvfs Introduction LVM DLO Support Evfs Architecture Encryption Metadata EMD Evfs Data FlowEvfs Encryption Keys Using HP-UX Trusted Computing Services with Evfs Volume Encryption KeysUser Keys How Evfs Uses Keys 3illustrates how Evfs uses keys to enable an Evfs volume User Key and Passphrase Storage Key Names and Key IDsFile Names Alternate Storage Databases and Distributed Key Storage Summary of Key Type and Privileged User Capabilities User Key Privileges Evfsvol utility configures and manages the Evfs volumes Evfs CommandsEvfsadm Evfspkey Software Types Supported Software Product Limitations and Precautions Evfs Introduction Symptoms Known ProblemsPossible Device File Collision Workaround Feedback and Enhancement Requests Installation Prerequisites System RebootHardware Requirements Operating System Requirements Use the following procedure to install Evfs Installing EvfsSwinstall utility will install the Evfs components Log on to the target system as the root user Upgrading from Evfs v1.0 to Evfs Verifying for Preconfiguration Preparing Evfs for Configuration Start the Evfs subsystem. See Starting the Evfs Subsystem Preparation Overview Setting the evfsuser Attribute Configuring an Alternate Evfs Pseudo-UserCreating the User Group Creating the Evfs Pseudo-User Account Preparing Evfs for Configuration Keys Optional Configuring Alternate Key Database DirectoriesPrivate keys Passphrases that secure user private keys Key Storage Directory Requirements Default pubkey, privkey and passkey Attribute Statements Example NFS Directory for Public and Private Keys Example Alternate Directory for Public KeysExample Fallback Directory for Nonprivileged Users Optional Modifying Evfs Global Parameters EmdbackupDatacipher Pbe Example Starting the Evfs SubsystemEvfsadm start -n numberthreads Creating User Key Pairs Creating Keys for Evfs Volume OwnersGuidelines for Creating User Keys Evfspkey keygen -p-s -c cipher -u user -k keyname Storing the recovery users Private Key Creating Recovery KeysExamples Evfspkey keygen -c rsa-2048 -r -k keyname Encrypted file Creating Keys for authorized usersRsa-2048 RSA 2048-bit keys User name as the key name User Session Examples# evfsadm start # evfspkey keygen -u root -k rootkey1Page Configuration Overview Configuring an Evfs Volume Before using this procedure, you must complete the tasks Option 1 Creating a New Evfs Volume Creating an LVM or VxVM Volume for Evfs Configuring an Evfs VolumeCreating Evfs Volume Device Files Creating the EMD Evfsadm map volumepath Optional Adding Recovery Keys and authorized user Keys Specifies that the key pair is a recovery key pair Enabling the Evfs VolumeEvfsvol add -u user -k keyname evfsvolumepath where Evfsvol enable -p-k keyname evfsvolumepath Specifies non-interactive mode. Evfs uses the key ID from Etc/evfs/evfstab file for this volume and have a storedOption, you must add a key ID to the entry Evfsvol prompts you for the passphrase for the private key Optional Using fsck to Check the File Volume Creating and Mounting a File System on an Evfs VolumeCreating a New File System with newfs # newfs -F vxfs /dev/evfs/vg01/rlvol5 Creating the Mount Point Mount the File System on the Evfs VolumeOptional Adding an Entry to /etc/fstab Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Evfsvol display evfsvolumepath Verifying the ConfigurationEvfsadm stat -a Evfsvol display evfsvolumepath Evfsadm stat -a Remount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature See evfstab4 for more information Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal Backing Up Your Configuration Page Preparing the File System and Data Map the regular volume to an Evfs volume Performing Inline Encryption Mount the file system to the Evfs volumeIencrypt Inline Encryption Start inline encryption Configuring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Starting and Stopping Evfs Enabling Encryption and Decryption Access to Evfs VolumesStarting the Evfs Subsystem Causes Evfs to use a stored passphrase to enable encryption Disabling Encryption/Decryption Access to Evfs VolumesUses the user name as the key name Evfsvol disable -a Evfsvol disable -p evfsvolumepathEnter the following evfsadm stop command evfsadm stop Stopping the Evfs Subsystem Closing Raw Access to Evfs Volumes Opening Raw Access to Evfs Volumes Information for the volume Displaying Key IDs for an Evfs VolumeManaging Evfs Keys and Users Restoring User Keys User Corresponds to a recovery users key in the EMD. If you do Changing Owner Keys for an Evfs VolumeTo execute this command evfsvol prompts you for Specifies the name of the file containing private key that Removing Keys from an Evfs Volume Recovering from Problems with Owner KeysChanging the Passphrase for a Key Evfspkey delete -u username-r -p -k keyname Evfspkey passgen -r recovkeyfile where Evfspkey passgen -u username -k keynameEvfspkey passgen -f-p-s -u username -k keyname where EMD Backup Directory Recovering from EMD Corruption # evfsvol destroy /dev/evfs/vg01/lvol5 Removing a Volume from the Evfs Subsystem Exporting an Evfs Volume Exporting and Importing Evfs Volumes Evfspkey keygen -c cipher -u user -k keyname Use the following evfspkey keygen command syntax Key owners name and keyname is the key name Importing an Evfs VolumeIs the key owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Vxresize -F Might Cause Data Loss or Corruption Creating a New Evfs Volume Overwrites Existing Data LVM Example Increasing Volume and File System Sizes Resizing Evfs Volumes and File SystemsCorrect Incorrect LVM Example Reducing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes VxVM Example Increasing Volume and File System Sizes # fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes Map the backup volume to EVFS. For example Backups Using LVM Mirrored VolumesThis creates the device files /dev/evfs/vg01/lvol5backup Evfsvol check -r evfsvolumepath Syntax is as follows Dev/vg01/lvol5backup # evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Example File Utility Creating Cleartext Backup Media LVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example Backups Using VxVM Mirrored Volumes # evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Example Block Device Utility Creating Cleartext Backup Media VxVM Mirrored VolumesExample File Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Tools Overview Troubleshooting Evfs Displaying I/O and Encryption Statistics evfsadm stat Displaying Evfs Volume InformationEvfsadm stat -a-s-z Meaning of each field is as follows Number of data blocks encrypted ADisplays the EMD information for all enabled Evfs volumes Size of the encrypted metadata EMD area, in kilobytes Syntax Verifying the EMD evfsvol check # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1 Verifying User Keys evfspkey lookup Evfspkey Cannot Generate Key Pairs Problem ScenariosEvfspkey Cannot Store Keys Evfsvol create Fails, Valid EMD Already Exists Evfsvol Cannot Retrieve Private KeySee the evfstab4 man page for more information Evfsvol disable command returns the following error Evfsvol disable Fails, Evfs Volume Is BusyEvfsadm map command returns the following error Evfsadm map Fails, Invalid Device Resets the dirty bit for the specified volume Evfsvol check -r -aevfsvolumepathwhereEMD Is Dirty Collecting Data Reporting Problems 140 Product Specifications User Files Evfs provides the following commands Commands and Tools 144 This appendix contains reference information about Evfs Evfs Quick Reference Preparing Evfs Configuring Evfs # evfsadm map volumepath Option 1 Creating New Evfs Volume Perform inline encryption Start inline encryption Table B-1 Starting and Stopping Evfs Evfs Tasks and Commands Table B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Evfs and Serviceguard Overview Using Evfs with ServiceguardRequirements Restrictions Evfs Attribute Definition File ADF Installing Evfs Creating an LVM Serviceguard Storage Infrastructure Creating the Serviceguard Storage InfrastructureCreating a VxVM Serviceguard Storage Structure Configuration Node Adoptive Nodes Creating a Cluster Key Pair Configuring Evfs on the Configuration NodeAdding the Cluster Keys to the EMD Modifying /etc/evfs/evfstab Entries # vgchange -a n /dev/vg02 Preparing Evfs Volumes for Adoptive Nodes# vxdg deport evfsdg Copying the Evfs Configuration Files and Keys Configuring Evfs Volumes on the Adoptive NodesRestoring the Cluster Key Pair Files Creating a Local Passphrase File Deactivating the Volumes Mapping the LVM or VxVM Volumes to EvfsModifying the /etc/evfs/evfstab File Verifying Evfs Configuring the Autostart Feature Installing the Evfs Attribute Definition File Configuring Serviceguard using Modular packagesHalting an Existing Package Copying the Evfs Control and Module Scripts Migrating a Legacy Package Configuration File Creating a Modular Package Configuration FileAdding the Evfs package to the Configuration File # cmmigratepkg -p pkgname -o outputfile.conf where Verifying the Script Adding the Evfs Volumes to the Package Configuration FileLVM and VxVM Modular package example Creating the Package Configuration File Configuring Serviceguard using Legacy packagesCreating a Package Control Script Converting a Package Control Script Installing the Evfs Control Script Adding the Evfs Volumes to the Package Control ScriptModifying the Package Configuration File LVM and VxVM Legacy package example AES Glossary Volume EMD Index Permissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming