HP UX Encrypted Volume and Filesystem (EVFS) instruction

-p	Causes EVFS to use a stored passphrase to enable encryption and
	decryption for the named EVFS volume. The /etc/evfs/evfstab
	file must contain an entry for this volume with a key ID field.
-kkeyname	Specifies the key name. If you do not specify -kkeyname, evfspkey
	uses the user name as the key name.
	Valid value: An ASCII string, 1 to 255 characters long.

evfs_volume_path Specifies the absolute pathname for the EVFS volume device file, such as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.

Disabling Encryption/Decryption Access to EVFS Volumes

The evfsvol disable command disables encryption and decryption access to EVFS volumes. The evfsvol disable command fails if a file system is mounted on the EVFS volume or if the EVFS volume device file is opened by any process.

Use the following procedure to disable encryption and decryption access to a volume:

1.For data consistency, stop all applications accessing the data. You can use the fuser -cucommand to determine the processes accessing files, and the fuser -ckucommand to terminate the processes. See fuser(1M) for more information.

If the data is used by system processes, you might need to terminate the processes by changing the system runlevel to single-user level with the shutdown utility. See the shutdown(1M) manpage for more information.

2.If you have a file system mounted on the EVFS volume, use the umount command to unmount the file system. See umount(1M) for more information.

Starting and Stopping EVFS 81

Image 81

HP UX Encrypted Volume and Filesystem (EVFS) manual Disabling Encryption/Decryption Access to Evfs Volumes

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Upgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Administering Evfs 101 129 141 145153 171 169Page Software Types List of FiguresPage List of Tables Page Intended Audience About This DocumentDocument Organization Typographic Conventions Related Information HP Encourages Your CommentsUser input Features and Benefits Evfs provides the following featuresEvfs Introduction LVM DLO Support Evfs Architecture Evfs Data Flow Encryption Metadata EMDEvfs Encryption Keys Volume Encryption Keys Using HP-UX Trusted Computing Services with EvfsUser Keys How Evfs Uses Keys 3illustrates how Evfs uses keys to enable an Evfs volume User Key and Passphrase Storage Key Names and Key IDsFile Names Alternate Storage Databases and Distributed Key Storage Summary of Key Type and Privileged User Capabilities User Key Privileges Evfsvol utility configures and manages the Evfs volumes Evfs CommandsEvfsadm Evfspkey Software Types Supported Software Product Limitations and Precautions Evfs Introduction Symptoms Known ProblemsPossible Device File Collision Workaround Feedback and Enhancement Requests Installation Prerequisites System RebootHardware Requirements Operating System Requirements Use the following procedure to install Evfs Installing EvfsSwinstall utility will install the Evfs components Log on to the target system as the root user Upgrading from Evfs v1.0 to Evfs Verifying for Preconfiguration Preparing Evfs for Configuration Start the Evfs subsystem. See Starting the Evfs Subsystem Preparation Overview Setting the evfsuser Attribute Configuring an Alternate Evfs Pseudo-UserCreating the User Group Creating the Evfs Pseudo-User Account Preparing Evfs for Configuration Keys Optional Configuring Alternate Key Database DirectoriesPrivate keys Passphrases that secure user private keys Key Storage Directory Requirements Default pubkey, privkey and passkey Attribute Statements Example Alternate Directory for Public Keys Example NFS Directory for Public and Private KeysExample Fallback Directory for Nonprivileged Users Optional Modifying Evfs Global Parameters EmdbackupDatacipher Pbe Starting the Evfs Subsystem ExampleEvfsadm start -n numberthreads Creating User Key Pairs Creating Keys for Evfs Volume OwnersGuidelines for Creating User Keys Evfspkey keygen -p-s -c cipher -u user -k keyname Storing the recovery users Private Key Creating Recovery KeysExamples Evfspkey keygen -c rsa-2048 -r -k keyname Encrypted file Creating Keys for authorized usersRsa-2048 RSA 2048-bit keys User name as the key name User Session Examples# evfsadm start # evfspkey keygen -u root -k rootkey1Page Configuration Overview Configuring an Evfs Volume Before using this procedure, you must complete the tasks Option 1 Creating a New Evfs Volume Configuring an Evfs Volume Creating an LVM or VxVM Volume for EvfsCreating Evfs Volume Device Files Creating the EMD Evfsadm map volumepath Optional Adding Recovery Keys and authorized user Keys Specifies that the key pair is a recovery key pair Enabling the Evfs VolumeEvfsvol add -u user -k keyname evfsvolumepath where Evfsvol enable -p-k keyname evfsvolumepath Specifies non-interactive mode. Evfs uses the key ID from Etc/evfs/evfstab file for this volume and have a storedOption, you must add a key ID to the entry Evfsvol prompts you for the passphrase for the private key Optional Using fsck to Check the File Volume Creating and Mounting a File System on an Evfs VolumeCreating a New File System with newfs # newfs -F vxfs /dev/evfs/vg01/rlvol5 Mount the File System on the Evfs Volume Creating the Mount PointOptional Adding an Entry to /etc/fstab Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Evfsvol display evfsvolumepath Verifying the ConfigurationEvfsadm stat -a Evfsvol display evfsvolumepath Evfsadm stat -a Remount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature See evfstab4 for more information Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal Backing Up Your Configuration Page Preparing the File System and Data Map the regular volume to an Evfs volume Performing Inline Encryption Mount the file system to the Evfs volumeIencrypt Inline Encryption Start inline encryption Configuring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Enabling Encryption and Decryption Access to Evfs Volumes Starting and Stopping EvfsStarting the Evfs Subsystem Disabling Encryption/Decryption Access to Evfs Volumes Causes Evfs to use a stored passphrase to enable encryptionUses the user name as the key name Evfsvol disable -a Evfsvol disable -p evfsvolumepathEnter the following evfsadm stop command evfsadm stop Stopping the Evfs Subsystem Closing Raw Access to Evfs Volumes Opening Raw Access to Evfs Volumes Information for the volume Displaying Key IDs for an Evfs VolumeManaging Evfs Keys and Users Restoring User Keys User Corresponds to a recovery users key in the EMD. If you do Changing Owner Keys for an Evfs VolumeTo execute this command evfsvol prompts you for Specifies the name of the file containing private key that Removing Keys from an Evfs Volume Recovering from Problems with Owner KeysChanging the Passphrase for a Key Evfspkey delete -u username-r -p -k keyname Evfspkey passgen -u username -k keyname Evfspkey passgen -r recovkeyfile whereEvfspkey passgen -f-p-s -u username -k keyname where EMD Backup Directory Recovering from EMD Corruption # evfsvol destroy /dev/evfs/vg01/lvol5 Removing a Volume from the Evfs Subsystem Exporting an Evfs Volume Exporting and Importing Evfs Volumes Evfspkey keygen -c cipher -u user -k keyname Use the following evfspkey keygen command syntax Importing an Evfs Volume Key owners name and keyname is the key nameIs the key owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Vxresize -F Might Cause Data Loss or Corruption Creating a New Evfs Volume Overwrites Existing Data Resizing Evfs Volumes and File Systems LVM Example Increasing Volume and File System SizesCorrect Incorrect LVM Example Reducing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes VxVM Example Increasing Volume and File System Sizes # fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes Backups Using LVM Mirrored Volumes Map the backup volume to EVFS. For exampleThis creates the device files /dev/evfs/vg01/lvol5backup Evfsvol check -r evfsvolumepath Syntax is as follows Dev/vg01/lvol5backup # evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Example File Utility Creating Cleartext Backup Media LVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example Backups Using VxVM Mirrored Volumes # evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Creating Cleartext Backup Media VxVM Mirrored Volumes Example Block Device UtilityExample File Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Tools Overview Troubleshooting Evfs Displaying I/O and Encryption Statistics evfsadm stat Displaying Evfs Volume InformationEvfsadm stat -a-s-z Meaning of each field is as follows Number of data blocks encrypted ADisplays the EMD information for all enabled Evfs volumes Size of the encrypted metadata EMD area, in kilobytes Syntax Verifying the EMD evfsvol check # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1 Verifying User Keys evfspkey lookup Problem Scenarios Evfspkey Cannot Generate Key PairsEvfspkey Cannot Store Keys Evfsvol Cannot Retrieve Private Key Evfsvol create Fails, Valid EMD Already ExistsSee the evfstab4 man page for more information Evfsvol disable command returns the following error Evfsvol disable Fails, Evfs Volume Is BusyEvfsadm map command returns the following error Evfsadm map Fails, Invalid Device Evfsvol check -r -aevfsvolumepathwhere Resets the dirty bit for the specified volumeEMD Is Dirty Collecting Data Reporting Problems 140 Product Specifications User Files Evfs provides the following commands Commands and Tools 144 This appendix contains reference information about Evfs Evfs Quick Reference Preparing Evfs Configuring Evfs # evfsadm map volumepath Option 1 Creating New Evfs Volume Perform inline encryption Start inline encryption Table B-1 Starting and Stopping Evfs Evfs Tasks and Commands Table B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Using Evfs with Serviceguard Evfs and Serviceguard OverviewRequirements Restrictions Evfs Attribute Definition File ADF Installing Evfs Creating an LVM Serviceguard Storage Infrastructure Creating the Serviceguard Storage InfrastructureCreating a VxVM Serviceguard Storage Structure Configuration Node Adoptive Nodes Creating a Cluster Key Pair Configuring Evfs on the Configuration NodeAdding the Cluster Keys to the EMD Modifying /etc/evfs/evfstab Entries Preparing Evfs Volumes for Adoptive Nodes # vgchange -a n /dev/vg02# vxdg deport evfsdg Copying the Evfs Configuration Files and Keys Configuring Evfs Volumes on the Adoptive NodesRestoring the Cluster Key Pair Files Creating a Local Passphrase File Deactivating the Volumes Mapping the LVM or VxVM Volumes to EvfsModifying the /etc/evfs/evfstab File Verifying Evfs Configuring the Autostart Feature Installing the Evfs Attribute Definition File Configuring Serviceguard using Modular packagesHalting an Existing Package Copying the Evfs Control and Module Scripts Migrating a Legacy Package Configuration File Creating a Modular Package Configuration FileAdding the Evfs package to the Configuration File # cmmigratepkg -p pkgname -o outputfile.conf where Adding the Evfs Volumes to the Package Configuration File Verifying the ScriptLVM and VxVM Modular package example Creating the Package Configuration File Configuring Serviceguard using Legacy packagesCreating a Package Control Script Converting a Package Control Script Installing the Evfs Control Script Adding the Evfs Volumes to the Package Control ScriptModifying the Package Configuration File LVM and VxVM Legacy package example AES Glossary Volume EMD Index Permissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming