HP UX Encrypted Volume and Filesystem (EVFS) manual

-p	Specifies non-interactive mode. EVFS uses the key ID from the
	/etc/evfs/evfstab file and uses a stored passphrase. To use this
	option, you must add a key ID to the entry in the
	/etc/evfs/evfstab file for this volume and have a stored
	passphrase for the private key. If you do not specify this option,
	evfsvol prompts you for the passphrase for the private key.
-kkeyname	Specifies the name of the key pair to use. This must be the owner key
	or the key of an authorized user for this EVFS volume. If you do not
	specify -kkeyname, evfsvol uses your user name as the key name.

evfs_volume_path Specifies the absolute pathname for the EVFS volume device file, such as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/rdsk/c2t0d1.

To enable the EVFS volume, the evfsvol utility:

•Retrieves the passphrase for the owner or authorized user's private key by prompting the user for the passphrase or by using system data to decrypt the stored passphrase.

•Uses the passphrase to decrypt the owner or authorized user's private key.

•Uses the private key to decrypt the volume encryption key in the appropriate key record. EVFS can now use the volume encryption key to encrypt and decrypt the volume data.

Example

The root user enters the following command to enable the EVFS volume:

#evfsvol enable -k rootkey1 /dev/evfs/vg01/lvol5 Enter user passphrase:

(Enter the passphrase for the key rootkey1.)

Encrypted volume "/dev/evfs/vg01/lvol5" has been successfully enabled.

Option 1: Creating a New EVFS Volume 55

Image 55

HP UX Encrypted Volume and Filesystem (EVFS) manual Specifies non-interactive mode. Evfs uses the key ID from

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Upgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Administering Evfs 101 129 145 141153 171 169Page Software Types List of FiguresPage List of Tables Page Typographic Conventions About This DocumentIntended Audience Document Organization HP Encourages Your Comments Related InformationUser input Evfs provides the following features Features and BenefitsEvfs Introduction LVM DLO Support Evfs Architecture Encryption Metadata EMD Evfs Data FlowEvfs Encryption Keys Using HP-UX Trusted Computing Services with Evfs Volume Encryption KeysUser Keys How Evfs Uses Keys 3illustrates how Evfs uses keys to enable an Evfs volume Alternate Storage Databases and Distributed Key Storage Key Names and Key IDsUser Key and Passphrase Storage File Names Summary of Key Type and Privileged User Capabilities User Key Privileges Evfspkey Evfs CommandsEvfsvol utility configures and manages the Evfs volumes Evfsadm Software Types Supported Software Product Limitations and Precautions Evfs Introduction Workaround Known ProblemsSymptoms Possible Device File Collision Feedback and Enhancement Requests Installation Operating System Requirements System RebootPrerequisites Hardware Requirements Log on to the target system as the root user Installing EvfsUse the following procedure to install Evfs Swinstall utility will install the Evfs components Upgrading from Evfs v1.0 to Evfs Verifying for Preconfiguration Preparing Evfs for Configuration Start the Evfs subsystem. See Starting the Evfs Subsystem Preparation Overview Creating the Evfs Pseudo-User Account Configuring an Alternate Evfs Pseudo-UserSetting the evfsuser Attribute Creating the User Group Preparing Evfs for Configuration Passphrases that secure user private keys Optional Configuring Alternate Key Database DirectoriesKeys Private keys Key Storage Directory Requirements Default pubkey, privkey and passkey Attribute Statements Example NFS Directory for Public and Private Keys Example Alternate Directory for Public KeysExample Fallback Directory for Nonprivileged Users Pbe EmdbackupOptional Modifying Evfs Global Parameters Datacipher Example Starting the Evfs SubsystemEvfsadm start -n numberthreads Evfspkey keygen -p-s -c cipher -u user -k keyname Creating Keys for Evfs Volume OwnersCreating User Key Pairs Guidelines for Creating User Keys Evfspkey keygen -c rsa-2048 -r -k keyname Creating Recovery KeysStoring the recovery users Private Key Examples User name as the key name Creating Keys for authorized usersEncrypted file Rsa-2048 RSA 2048-bit keys # evfspkey keygen -u root -k rootkey1 ExamplesUser Session # evfsadm startPage Configuration Overview Configuring an Evfs Volume Before using this procedure, you must complete the tasks Option 1 Creating a New Evfs Volume Creating an LVM or VxVM Volume for Evfs Configuring an Evfs VolumeCreating Evfs Volume Device Files Creating the EMD Evfsadm map volumepath Optional Adding Recovery Keys and authorized user Keys Evfsvol enable -p-k keyname evfsvolumepath Enabling the Evfs VolumeSpecifies that the key pair is a recovery key pair Evfsvol add -u user -k keyname evfsvolumepath where Evfsvol prompts you for the passphrase for the private key Etc/evfs/evfstab file for this volume and have a storedSpecifies non-interactive mode. Evfs uses the key ID from Option, you must add a key ID to the entry # newfs -F vxfs /dev/evfs/vg01/rlvol5 Creating and Mounting a File System on an Evfs VolumeOptional Using fsck to Check the File Volume Creating a New File System with newfs Creating the Mount Point Mount the File System on the Evfs VolumeOptional Adding an Entry to /etc/fstab Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Evfsadm stat -a Verifying the ConfigurationEvfsvol display evfsvolumepath Evfsadm stat -a Evfsvol display evfsvolumepath Remount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature See evfstab4 for more information Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal Backing Up Your Configuration Page Preparing the File System and Data Map the regular volume to an Evfs volume Start inline encryption Mount the file system to the Evfs volumePerforming Inline Encryption Iencrypt Inline Encryption Configuring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Starting and Stopping Evfs Enabling Encryption and Decryption Access to Evfs VolumesStarting the Evfs Subsystem Causes Evfs to use a stored passphrase to enable encryption Disabling Encryption/Decryption Access to Evfs VolumesUses the user name as the key name Stopping the Evfs Subsystem Evfsvol disable -p evfsvolumepathEvfsvol disable -a Enter the following evfsadm stop command evfsadm stop Closing Raw Access to Evfs Volumes Opening Raw Access to Evfs Volumes Restoring User Keys Displaying Key IDs for an Evfs VolumeInformation for the volume Managing Evfs Keys and Users User Specifies the name of the file containing private key that Changing Owner Keys for an Evfs VolumeCorresponds to a recovery users key in the EMD. If you do To execute this command evfsvol prompts you for Evfspkey delete -u username-r -p -k keyname Recovering from Problems with Owner KeysRemoving Keys from an Evfs Volume Changing the Passphrase for a Key Evfspkey passgen -r recovkeyfile where Evfspkey passgen -u username -k keynameEvfspkey passgen -f-p-s -u username -k keyname where EMD Backup Directory Recovering from EMD Corruption # evfsvol destroy /dev/evfs/vg01/lvol5 Removing a Volume from the Evfs Subsystem Exporting an Evfs Volume Exporting and Importing Evfs Volumes Evfspkey keygen -c cipher -u user -k keyname Use the following evfspkey keygen command syntax Key owners name and keyname is the key name Importing an Evfs VolumeIs the key owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Vxresize -F Might Cause Data Loss or Corruption Creating a New Evfs Volume Overwrites Existing Data LVM Example Increasing Volume and File System Sizes Resizing Evfs Volumes and File SystemsCorrect Incorrect LVM Example Reducing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes VxVM Example Increasing Volume and File System Sizes # fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes Map the backup volume to EVFS. For example Backups Using LVM Mirrored VolumesThis creates the device files /dev/evfs/vg01/lvol5backup Evfsvol check -r evfsvolumepath Syntax is as follows Dev/vg01/lvol5backup # evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Example File Utility Creating Cleartext Backup Media LVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example Backups Using VxVM Mirrored Volumes # evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Example Block Device Utility Creating Cleartext Backup Media VxVM Mirrored VolumesExample File Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Tools Overview Troubleshooting Evfs Meaning of each field is as follows Displaying Evfs Volume InformationDisplaying I/O and Encryption Statistics evfsadm stat Evfsadm stat -a-s-z Number of data blocks encrypted ADisplays the EMD information for all enabled Evfs volumes Size of the encrypted metadata EMD area, in kilobytes Syntax Verifying the EMD evfsvol check # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1 Verifying User Keys evfspkey lookup Evfspkey Cannot Generate Key Pairs Problem ScenariosEvfspkey Cannot Store Keys Evfsvol create Fails, Valid EMD Already Exists Evfsvol Cannot Retrieve Private KeySee the evfstab4 man page for more information Evfsadm map Fails, Invalid Device Evfsvol disable Fails, Evfs Volume Is BusyEvfsvol disable command returns the following error Evfsadm map command returns the following error Resets the dirty bit for the specified volume Evfsvol check -r -aevfsvolumepathwhereEMD Is Dirty Collecting Data Reporting Problems 140 Product Specifications User Files Evfs provides the following commands Commands and Tools 144 This appendix contains reference information about Evfs Evfs Quick Reference Preparing Evfs Configuring Evfs # evfsadm map volumepath Option 1 Creating New Evfs Volume Perform inline encryption Start inline encryption Table B-1 Starting and Stopping Evfs Evfs Tasks and Commands Table B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Evfs and Serviceguard Overview Using Evfs with ServiceguardRequirements Restrictions Evfs Attribute Definition File ADF Installing Evfs Configuration Node Creating the Serviceguard Storage InfrastructureCreating an LVM Serviceguard Storage Infrastructure Creating a VxVM Serviceguard Storage Structure Adoptive Nodes Modifying /etc/evfs/evfstab Entries Configuring Evfs on the Configuration NodeCreating a Cluster Key Pair Adding the Cluster Keys to the EMD # vgchange -a n /dev/vg02 Preparing Evfs Volumes for Adoptive Nodes# vxdg deport evfsdg Creating a Local Passphrase File Configuring Evfs Volumes on the Adoptive NodesCopying the Evfs Configuration Files and Keys Restoring the Cluster Key Pair Files Verifying Evfs Mapping the LVM or VxVM Volumes to EvfsDeactivating the Volumes Modifying the /etc/evfs/evfstab File Configuring the Autostart Feature Copying the Evfs Control and Module Scripts Configuring Serviceguard using Modular packagesInstalling the Evfs Attribute Definition File Halting an Existing Package # cmmigratepkg -p pkgname -o outputfile.conf where Creating a Modular Package Configuration FileMigrating a Legacy Package Configuration File Adding the Evfs package to the Configuration File Verifying the Script Adding the Evfs Volumes to the Package Configuration FileLVM and VxVM Modular package example Converting a Package Control Script Configuring Serviceguard using Legacy packagesCreating the Package Configuration File Creating a Package Control Script LVM and VxVM Legacy package example Adding the Evfs Volumes to the Package Control ScriptInstalling the Evfs Control Script Modifying the Package Configuration File AES Glossary Volume EMD Index Permissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming