Encrypted Volume and File System v1.1 Administrators Guide
Trademark Notice
Table of Contents
Preparing Evfs for Configuration
Upgrading from Evfs v1.0 to Evfs
Administering Evfs
101
129
141
145
153
169
171
Page
List of Figures
Software Types
Page
List of Tables
Page
About This Document
Intended Audience
Document Organization
Typographic Conventions
Related Information
HP Encourages Your Comments
User input
Features and Benefits
Evfs provides the following features
Evfs Introduction
LVM DLO Support
Evfs Architecture
Evfs Data Flow
Encryption Metadata EMD
Evfs Encryption Keys
Volume Encryption Keys
Using HP-UX Trusted Computing Services with Evfs
User Keys
3illustrates how Evfs uses keys to enable an Evfs volume
How Evfs Uses Keys
Key Names and Key IDs
User Key and Passphrase Storage
File Names
Alternate Storage Databases and Distributed Key Storage
User Key Privileges
Summary of Key Type and Privileged User Capabilities
Evfs Commands
Evfsvol utility configures and manages the Evfs volumes
Evfsadm
Evfspkey
Supported Software
Software Types
Product Limitations and Precautions
Evfs Introduction
Known Problems
Symptoms
Possible Device File Collision
Workaround
Feedback and Enhancement Requests
Installation
System Reboot
Prerequisites
Hardware Requirements
Operating System Requirements
Installing Evfs
Use the following procedure to install Evfs
Swinstall utility will install the Evfs components
Log on to the target system as the root user
Upgrading from Evfs v1.0 to Evfs
Preparing Evfs for Configuration
Verifying for Preconfiguration
Preparation Overview
Start the Evfs subsystem. See Starting the Evfs Subsystem
Configuring an Alternate Evfs Pseudo-User
Setting the evfsuser Attribute
Creating the User Group
Creating the Evfs Pseudo-User Account
Preparing Evfs for Configuration
Optional Configuring Alternate Key Database Directories
Keys
Private keys
Passphrases that secure user private keys
Default pubkey, privkey and passkey Attribute Statements
Key Storage Directory Requirements
Example Alternate Directory for Public Keys
Example NFS Directory for Public and Private Keys
Example Fallback Directory for Nonprivileged Users
Emdbackup
Optional Modifying Evfs Global Parameters
Datacipher
Pbe
Starting the Evfs Subsystem
Example
Evfsadm start -n numberthreads
Creating Keys for Evfs Volume Owners
Creating User Key Pairs
Guidelines for Creating User Keys
Evfspkey keygen -p-s -c cipher -u user -k keyname
Creating Recovery Keys
Storing the recovery users Private Key
Examples
Evfspkey keygen -c rsa-2048 -r -k keyname
Creating Keys for authorized users
Encrypted file
Rsa-2048 RSA 2048-bit keys
User name as the key name
Examples
User Session
# evfsadm start
# evfspkey keygen -u root -k rootkey1
Page
Configuring an Evfs Volume
Configuration Overview
Option 1 Creating a New Evfs Volume
Before using this procedure, you must complete the tasks
Configuring an Evfs Volume
Creating an LVM or VxVM Volume for Evfs
Creating Evfs Volume Device Files
Evfsadm map volumepath
Creating the EMD
Optional Adding Recovery Keys and authorized user Keys
Enabling the Evfs Volume
Specifies that the key pair is a recovery key pair
Evfsvol add -u user -k keyname evfsvolumepath where
Evfsvol enable -p-k keyname evfsvolumepath
Etc/evfs/evfstab file for this volume and have a stored
Specifies non-interactive mode. Evfs uses the key ID from
Option, you must add a key ID to the entry
Evfsvol prompts you for the passphrase for the private key
Creating and Mounting a File System on an Evfs Volume
Optional Using fsck to Check the File Volume
Creating a New File System with newfs
# newfs -F vxfs /dev/evfs/vg01/rlvol5
Mount the File System on the Evfs Volume
Creating the Mount Point
Optional Adding an Entry to /etc/fstab
Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0
Verifying the Configuration
Evfsvol display evfsvolumepath
Evfsadm stat -a Evfsvol display evfsvolumepath
Evfsadm stat -a
Remount the file system using the mount command
Optional Migrating Existing Data to an Evfs Volume
Optional Configuring the Autostart Feature
Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal
See evfstab4 for more information
Backing Up Your Configuration
Page
Map the regular volume to an Evfs volume
Preparing the File System and Data
Mount the file system to the Evfs volume
Performing Inline Encryption
Iencrypt Inline Encryption
Start inline encryption
Configuring an Evfs Volume
Verifying the Configuration
Remount the file system using the mount command
# strings /dev/vg01/lvol5 grep TOP Secret
Optional Configuring the Autostart Feature
Example
Backing Up Your Configuration
Option
Existing size is 96 MB we now extend it by 4 MB, to 100 MB
Existing size is 96 MB we now extend it by 4 MB, to 100 MB
Page
Administering Evfs
Enabling Encryption and Decryption Access to Evfs Volumes
Starting and Stopping Evfs
Starting the Evfs Subsystem
Disabling Encryption/Decryption Access to Evfs Volumes
Causes Evfs to use a stored passphrase to enable encryption
Uses the user name as the key name
Evfsvol disable -p evfsvolumepath
Evfsvol disable -a
Enter the following evfsadm stop command evfsadm stop
Stopping the Evfs Subsystem
Opening Raw Access to Evfs Volumes
Closing Raw Access to Evfs Volumes
Displaying Key IDs for an Evfs Volume
Information for the volume
Managing Evfs Keys and Users
Restoring User Keys
User
Changing Owner Keys for an Evfs Volume
Corresponds to a recovery users key in the EMD. If you do
To execute this command evfsvol prompts you for
Specifies the name of the file containing private key that
Recovering from Problems with Owner Keys
Removing Keys from an Evfs Volume
Changing the Passphrase for a Key
Evfspkey delete -u username-r -p -k keyname
Evfspkey passgen -u username -k keyname
Evfspkey passgen -r recovkeyfile where
Evfspkey passgen -f-p-s -u username -k keyname where
Recovering from EMD Corruption
EMD Backup Directory
Removing a Volume from the Evfs Subsystem
# evfsvol destroy /dev/evfs/vg01/lvol5
Exporting and Importing Evfs Volumes
Exporting an Evfs Volume
Use the following evfspkey keygen command syntax
Evfspkey keygen -c cipher -u user -k keyname
Importing an Evfs Volume
Key owners name and keyname is the key name
Is the key owners name and keyname is the key name
Administering Evfs
Managing Data on Evfs Volumes
Creating a New Evfs Volume Overwrites Existing Data
Vxresize -F Might Cause Data Loss or Corruption
Resizing Evfs Volumes and File Systems
LVM Example Increasing Volume and File System Sizes
Correct
LVM Example Reducing Volume and File System Sizes
Incorrect
VxVM Example Increasing Volume and File System Sizes
VxVM Example Reducing Volume and File System Sizes
# fsadm -F vxfs -b 65536 /test5
Backing Up and Restoring Data on Evfs Volumes
Backing Up Evfs Volumes
Backup Types with LVM or VxVM Mirrored Volumes
Backup Types with Nonmirrored Volumes
Backups Using LVM Mirrored Volumes
Map the backup volume to EVFS. For example
This creates the device files /dev/evfs/vg01/lvol5backup
Evfsvol check -r evfsvolumepath
Dev/vg01/lvol5backup
Syntax is as follows
# evfsvol display /dev/evfs/vg01/lvol6
Evfsvol check -r evfsvolumepath
Disable the Evfs backup volume. For example
Creating Cleartext Backup Media LVM Mirrored Volumes
Example File Utility
Backups Using VxVM Mirrored Volumes
Map the backup VxVM volume to EVFS. For example
# evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol
Backing Up and Restoring Data on Evfs Volumes
# vxplex -g testdg -v vol05 dis vol05-02
# evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
Evfsvol check -r evfsvolumepath
# fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol
Backing Up Evfs Volumes
Creating Cleartext Backup Media VxVM Mirrored Volumes
Example Block Device Utility
Example File Utility
Backups Using Nonmirrored Volumes
# evfsvol raw /dev/evfs/vg01/lvol5
Evfsadm stat -a
Cp -r /opt/encrypteddata /opt/evfsbackup
Restoring Backup Media
Restoring Backup Data from an Evfs Volume to an Evfs Volume
# cp -r /opt/backupevfs /opt/encrypteddata
128
Troubleshooting Evfs
Troubleshooting Tools Overview
Displaying Evfs Volume Information
Displaying I/O and Encryption Statistics evfsadm stat
Evfsadm stat -a-s-z
Meaning of each field is as follows
ADisplays the EMD information for all enabled Evfs volumes
Number of data blocks encrypted
Size of the encrypted metadata EMD area, in kilobytes
Verifying the EMD evfsvol check
Syntax
Verifying User Keys evfspkey lookup
# evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1
Problem Scenarios
Evfspkey Cannot Generate Key Pairs
Evfspkey Cannot Store Keys
Evfsvol Cannot Retrieve Private Key
Evfsvol create Fails, Valid EMD Already Exists
See the evfstab4 man page for more information
Evfsvol disable Fails, Evfs Volume Is Busy
Evfsvol disable command returns the following error
Evfsadm map command returns the following error
Evfsadm map Fails, Invalid Device
Evfsvol check -r -aevfsvolumepathwhere
Resets the dirty bit for the specified volume
EMD Is Dirty
Reporting Problems
Collecting Data
140
Product Specifications
User Files
Commands and Tools
Evfs provides the following commands
144
Evfs Quick Reference
This appendix contains reference information about Evfs
Configuring Evfs
Preparing Evfs
Option 1 Creating New Evfs Volume
# evfsadm map volumepath
Perform inline encryption Start inline encryption
Evfs Tasks and Commands
Table B-1 Starting and Stopping Evfs
Table B-3 Managing Evfs Keys and Users
Table B-4 Troubleshooting Evfs
152
Using Evfs with Serviceguard
Evfs and Serviceguard Overview
Requirements
Restrictions
Evfs Attribute Definition File ADF
Installing Evfs
Creating the Serviceguard Storage Infrastructure
Creating an LVM Serviceguard Storage Infrastructure
Creating a VxVM Serviceguard Storage Structure
Configuration Node
Adoptive Nodes
Configuring Evfs on the Configuration Node
Creating a Cluster Key Pair
Adding the Cluster Keys to the EMD
Modifying /etc/evfs/evfstab Entries
Preparing Evfs Volumes for Adoptive Nodes
# vgchange -a n /dev/vg02
# vxdg deport evfsdg
Configuring Evfs Volumes on the Adoptive Nodes
Copying the Evfs Configuration Files and Keys
Restoring the Cluster Key Pair Files
Creating a Local Passphrase File
Mapping the LVM or VxVM Volumes to Evfs
Deactivating the Volumes
Modifying the /etc/evfs/evfstab File
Verifying Evfs
Configuring the Autostart Feature
Configuring Serviceguard using Modular packages
Installing the Evfs Attribute Definition File
Halting an Existing Package
Copying the Evfs Control and Module Scripts
Creating a Modular Package Configuration File
Migrating a Legacy Package Configuration File
Adding the Evfs package to the Configuration File
# cmmigratepkg -p pkgname -o outputfile.conf where
Adding the Evfs Volumes to the Package Configuration File
Verifying the Script
LVM and VxVM Modular package example
Configuring Serviceguard using Legacy packages
Creating the Package Configuration File
Creating a Package Control Script
Converting a Package Control Script
Adding the Evfs Volumes to the Package Control Script
Installing the Evfs Control Script
Modifying the Package Configuration File
LVM and VxVM Legacy package example
Glossary
AES
Volume
Index
EMD
Permissions, 85 /etc/rc.config.d/evfs, 62, 72
RSA
Vxresize command Renaming
