HP UX Encrypted Volume and Filesystem (EVFS) instruction

Step 1: Preparing the File System and Data

a.Verify the file systems or volumes you want to secure with EVFS are suitable for encryption. You cannot use EVFS with the following objects:

•Files or disk areas used during system boot. This includes the following objects:

—the root disk (/)

—the boot disk

—the HP-UX kernel directory (/stand)

—the /usr directory"

EVFS cannot decrypt the kernel or other data before the system boots.

CAUTION: Encrypting the boot disk makes the boot disk unusable and prevents you from booting the system.

•Swap space (swap devices or file swap space).

CAUTION: Encrypting swap space can cause the system to panic.

• Dump devices.

b.For data consistency, stop all applications accessing the data. You can use the fuser -cucommand to determine the processes accessing files, and the fuser -ckucommand to terminate the processes. See fuser(1M) for more information.

If the data is used by system processes, you might need to terminate the processes by changing the system runlevel to single-user level with the shutdown utility. See shutdown(1M) for more information.

c.Back up the data on the volume. This ensures data recovery is possible if an unexpected event occurs before completion of the operation.

d.Unmount the file system:

# umount file_system

e.Extend the volume if there is no spare disk space at the end of the volume. 3 MB of spare disk space are required at the end of the volume. Extend the volume by using the lvextend command on an LVM volume, or the vxassist command on a VXVM volume. If you do not know if there is spare disk space at the end of the volume, you can check if there is still space available for you to extend the volume by using the vgdisplay command on a LVM volume group, or the vxdg command on a VXVM disk group that the volume belongs to.

f.Map the regular volume to an EVFS volume:

# evfsadm map volume_name

66 Configuring an EVFS Volume

Image 66

HP UX Encrypted Volume and Filesystem (EVFS) Preparing the File System and Data, Map the regular volume to an Evfs volume

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Preparing Evfs for Configuration Upgrading from Evfs v1.0 to Evfs Administering Evfs 101 129 141 145153 169 171Page List of Figures Software TypesPage List of Tables Page Document Organization About This DocumentIntended Audience Typographic Conventions Related Information HP Encourages Your CommentsUser input Features and Benefits Evfs provides the following featuresEvfs Introduction LVM DLO Support Evfs Architecture Evfs Data Flow Encryption Metadata EMDEvfs Encryption Keys Volume Encryption Keys Using HP-UX Trusted Computing Services with EvfsUser Keys 3illustrates how Evfs uses keys to enable an Evfs volume How Evfs Uses Keys File Names Key Names and Key IDsUser Key and Passphrase Storage Alternate Storage Databases and Distributed Key Storage User Key Privileges Summary of Key Type and Privileged User Capabilities Evfsadm Evfs CommandsEvfsvol utility configures and manages the Evfs volumes Evfspkey Supported Software Software Types Product Limitations and Precautions Evfs Introduction Possible Device File Collision Known ProblemsSymptoms Workaround Feedback and Enhancement Requests Installation Hardware Requirements System RebootPrerequisites Operating System Requirements Swinstall utility will install the Evfs components Installing EvfsUse the following procedure to install Evfs Log on to the target system as the root user Upgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Verifying for Preconfiguration Preparation Overview Start the Evfs subsystem. See Starting the Evfs Subsystem Creating the User Group Configuring an Alternate Evfs Pseudo-UserSetting the evfsuser Attribute Creating the Evfs Pseudo-User Account Preparing Evfs for Configuration Private keys Optional Configuring Alternate Key Database DirectoriesKeys Passphrases that secure user private keys Default pubkey, privkey and passkey Attribute Statements Key Storage Directory Requirements Example Alternate Directory for Public Keys Example NFS Directory for Public and Private KeysExample Fallback Directory for Nonprivileged Users Datacipher EmdbackupOptional Modifying Evfs Global Parameters Pbe Starting the Evfs Subsystem ExampleEvfsadm start -n numberthreads Guidelines for Creating User Keys Creating Keys for Evfs Volume OwnersCreating User Key Pairs Evfspkey keygen -p-s -c cipher -u user -k keyname Examples Creating Recovery KeysStoring the recovery users Private Key Evfspkey keygen -c rsa-2048 -r -k keyname Rsa-2048 RSA 2048-bit keys Creating Keys for authorized usersEncrypted file User name as the key name # evfsadm start ExamplesUser Session # evfspkey keygen -u root -k rootkey1Page Configuring an Evfs Volume Configuration Overview Option 1 Creating a New Evfs Volume Before using this procedure, you must complete the tasks Configuring an Evfs Volume Creating an LVM or VxVM Volume for EvfsCreating Evfs Volume Device Files Evfsadm map volumepath Creating the EMD Optional Adding Recovery Keys and authorized user Keys Evfsvol add -u user -k keyname evfsvolumepath where Enabling the Evfs VolumeSpecifies that the key pair is a recovery key pair Evfsvol enable -p-k keyname evfsvolumepath Option, you must add a key ID to the entry Etc/evfs/evfstab file for this volume and have a storedSpecifies non-interactive mode. Evfs uses the key ID from Evfsvol prompts you for the passphrase for the private key Creating a New File System with newfs Creating and Mounting a File System on an Evfs VolumeOptional Using fsck to Check the File Volume # newfs -F vxfs /dev/evfs/vg01/rlvol5 Mount the File System on the Evfs Volume Creating the Mount PointOptional Adding an Entry to /etc/fstab Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Evfsadm stat -a Evfsvol display evfsvolumepath Verifying the ConfigurationEvfsvol display evfsvolumepath Evfsadm stat -a Remount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal See evfstab4 for more information Backing Up Your Configuration Page Map the regular volume to an Evfs volume Preparing the File System and Data Iencrypt Inline Encryption Mount the file system to the Evfs volumePerforming Inline Encryption Start inline encryption Configuring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Enabling Encryption and Decryption Access to Evfs Volumes Starting and Stopping EvfsStarting the Evfs Subsystem Disabling Encryption/Decryption Access to Evfs Volumes Causes Evfs to use a stored passphrase to enable encryptionUses the user name as the key name Enter the following evfsadm stop command evfsadm stop Evfsvol disable -p evfsvolumepathEvfsvol disable -a Stopping the Evfs Subsystem Opening Raw Access to Evfs Volumes Closing Raw Access to Evfs Volumes Managing Evfs Keys and Users Displaying Key IDs for an Evfs VolumeInformation for the volume Restoring User Keys User To execute this command evfsvol prompts you for Changing Owner Keys for an Evfs VolumeCorresponds to a recovery users key in the EMD. If you do Specifies the name of the file containing private key that Changing the Passphrase for a Key Recovering from Problems with Owner KeysRemoving Keys from an Evfs Volume Evfspkey delete -u username-r -p -k keyname Evfspkey passgen -u username -k keyname Evfspkey passgen -r recovkeyfile whereEvfspkey passgen -f-p-s -u username -k keyname where Recovering from EMD Corruption EMD Backup Directory Removing a Volume from the Evfs Subsystem # evfsvol destroy /dev/evfs/vg01/lvol5 Exporting and Importing Evfs Volumes Exporting an Evfs Volume Use the following evfspkey keygen command syntax Evfspkey keygen -c cipher -u user -k keyname Importing an Evfs Volume Key owners name and keyname is the key nameIs the key owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Creating a New Evfs Volume Overwrites Existing Data Vxresize -F Might Cause Data Loss or Corruption Resizing Evfs Volumes and File Systems LVM Example Increasing Volume and File System SizesCorrect LVM Example Reducing Volume and File System Sizes Incorrect VxVM Example Increasing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes # fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes Backups Using LVM Mirrored Volumes Map the backup volume to EVFS. For exampleThis creates the device files /dev/evfs/vg01/lvol5backup Evfsvol check -r evfsvolumepath Dev/vg01/lvol5backup Syntax is as follows # evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Creating Cleartext Backup Media LVM Mirrored Volumes Example File Utility Backups Using VxVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example # evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Creating Cleartext Backup Media VxVM Mirrored Volumes Example Block Device UtilityExample File Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Evfs Troubleshooting Tools Overview Evfsadm stat -a-s-z Displaying Evfs Volume InformationDisplaying I/O and Encryption Statistics evfsadm stat Meaning of each field is as follows ADisplays the EMD information for all enabled Evfs volumes Number of data blocks encrypted Size of the encrypted metadata EMD area, in kilobytes Verifying the EMD evfsvol check Syntax Verifying User Keys evfspkey lookup # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1 Problem Scenarios Evfspkey Cannot Generate Key PairsEvfspkey Cannot Store Keys Evfsvol Cannot Retrieve Private Key Evfsvol create Fails, Valid EMD Already ExistsSee the evfstab4 man page for more information Evfsadm map command returns the following error Evfsvol disable Fails, Evfs Volume Is BusyEvfsvol disable command returns the following error Evfsadm map Fails, Invalid Device Evfsvol check -r -aevfsvolumepathwhere Resets the dirty bit for the specified volumeEMD Is Dirty Reporting Problems Collecting Data 140 Product Specifications User Files Commands and Tools Evfs provides the following commands 144 Evfs Quick Reference This appendix contains reference information about Evfs Configuring Evfs Preparing Evfs Option 1 Creating New Evfs Volume # evfsadm map volumepath Perform inline encryption Start inline encryption Evfs Tasks and Commands Table B-1 Starting and Stopping Evfs Table B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Using Evfs with Serviceguard Evfs and Serviceguard OverviewRequirements Restrictions Evfs Attribute Definition File ADF Installing Evfs Creating a VxVM Serviceguard Storage Structure Creating the Serviceguard Storage InfrastructureCreating an LVM Serviceguard Storage Infrastructure Configuration Node Adoptive Nodes Adding the Cluster Keys to the EMD Configuring Evfs on the Configuration NodeCreating a Cluster Key Pair Modifying /etc/evfs/evfstab Entries Preparing Evfs Volumes for Adoptive Nodes # vgchange -a n /dev/vg02# vxdg deport evfsdg Restoring the Cluster Key Pair Files Configuring Evfs Volumes on the Adoptive NodesCopying the Evfs Configuration Files and Keys Creating a Local Passphrase File Modifying the /etc/evfs/evfstab File Mapping the LVM or VxVM Volumes to EvfsDeactivating the Volumes Verifying Evfs Configuring the Autostart Feature Halting an Existing Package Configuring Serviceguard using Modular packagesInstalling the Evfs Attribute Definition File Copying the Evfs Control and Module Scripts Adding the Evfs package to the Configuration File Creating a Modular Package Configuration FileMigrating a Legacy Package Configuration File # cmmigratepkg -p pkgname -o outputfile.conf where Adding the Evfs Volumes to the Package Configuration File Verifying the ScriptLVM and VxVM Modular package example Creating a Package Control Script Configuring Serviceguard using Legacy packagesCreating the Package Configuration File Converting a Package Control Script Modifying the Package Configuration File Adding the Evfs Volumes to the Package Control ScriptInstalling the Evfs Control Script LVM and VxVM Legacy package example Glossary AES Volume Index EMD Permissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming