Manuals / HP / Computer Equipment / Software

HP UX Encrypted Volume and Filesystem (EVFS) Managing Evfs Keys and Users, Restoring User Keys

Models: UX Encrypted Volume and Filesystem (EVFS)

1 174

Download 174 pages 22.98 Kb

Page 84

Managing EVFS Keys and Users

This section describes the following procedures for managing EVFS keys and users:

•“Displaying Key IDs for an EVFS Volume” (page 84)

•“Restoring User Keys” (page 84)

•“Changing Owner Keys for an EVFS Volume” (page 86)

•“Recovering from Problems with Owner Keys” (page 87)

•“Removing Keys from an EVFS Volume” (page 87)

•“Removing User Keys or Stored Passphrase from the EVFS Key Database” (page 87)

•“Changing the Passphrase for a Key” (page 87)

•“Creating or Changing a Stored Passphrase for an Existing Key” (page 88)

Displaying Key IDs for an EVFS Volume

Use the following evfsvol display command to display EMD information for EVFS volumes, including the owner key ID, recovery key IDs, and authorized user key IDs. The evfsvol display command also displays operating parameters for the EVFS volume, including the volume encryption algorithm and the underlying LVM, VxVM, or physical volume device file name.

Syntax

evfsvol display [-aevfs_volume_path]

where:
-a	Displays the EMD information for all configured EVFS volumes.
-evfs_volume_path	Specifies the absolute pathname for the EVFS volume device file,
	such as /dev/evfs/vg01/lvol5,
	/dev/evfs/vx/dsk/rootdg/vol05, or
	/dev/evfs/dsk/c2t0d1. The evfsvol utility displays the EMD
	information for the volume.

Example

The output for the evfsvol display evfs_volume_path is similar to the following:

#evfsvol display /dev/evfs/vg01/lvol5

EVFS Volume Name:	/dev/evfs/vg01/lvol5
Mapped Volume Name:	/dev/vg01/lvol5
EVFS Volume State:	enabled
EMD Size (Kbytes):	520
Max User Envelopes:	1024
Data Encryption Cipher:	aes-128-cbc
Digest:	sha1
Owner Key ID:	root.rootkey1
Recovery Agent Key IDs:	evfs.evfs
Total Recovery Agent Keys:	1
User Key IDs:	root.admink
Total User Keys:	1

The Owner Key ID, Recovery Agent Key IDs, and User Key IDs fields show the key IDs configured for the volume.

Restoring User Keys

Use the following procedure to restore user key files from backup media:

84 Administering EVFS

Image 84

HP UX Encrypted Volume and Filesystem (EVFS) Managing Evfs Keys and Users, Displaying Key IDs for an Evfs Volume, Syntax

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Preparing Evfs for Configuration Upgrading from Evfs v1.0 to EvfsAdministering Evfs 101 129 141 145153 169 171Page List of Figures Software TypesPage List of Tables Page About This Document Intended AudienceDocument Organization Typographic ConventionsRelated Information HP Encourages Your CommentsUser input Features and Benefits Evfs provides the following featuresEvfs Introduction LVM DLO Support Evfs Architecture Evfs Data Flow Encryption Metadata EMDEvfs Encryption Keys Volume Encryption Keys Using HP-UX Trusted Computing Services with EvfsUser Keys 3illustrates how Evfs uses keys to enable an Evfs volume How Evfs Uses KeysKey Names and Key IDs User Key and Passphrase StorageFile Names Alternate Storage Databases and Distributed Key StorageUser Key Privileges Summary of Key Type and Privileged User CapabilitiesEvfs Commands Evfsvol utility configures and manages the Evfs volumesEvfsadm EvfspkeySupported Software Software TypesProduct Limitations and Precautions Evfs Introduction Known Problems SymptomsPossible Device File Collision WorkaroundFeedback and Enhancement Requests Installation System Reboot PrerequisitesHardware Requirements Operating System RequirementsInstalling Evfs Use the following procedure to install EvfsSwinstall utility will install the Evfs components Log on to the target system as the root userUpgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Verifying for PreconfigurationPreparation Overview Start the Evfs subsystem. See Starting the Evfs SubsystemConfiguring an Alternate Evfs Pseudo-User Setting the evfsuser AttributeCreating the User Group Creating the Evfs Pseudo-User AccountPreparing Evfs for Configuration Optional Configuring Alternate Key Database Directories KeysPrivate keys Passphrases that secure user private keysDefault pubkey, privkey and passkey Attribute Statements Key Storage Directory RequirementsExample Alternate Directory for Public Keys Example NFS Directory for Public and Private KeysExample Fallback Directory for Nonprivileged Users Emdbackup Optional Modifying Evfs Global ParametersDatacipher PbeStarting the Evfs Subsystem ExampleEvfsadm start -n numberthreads Creating Keys for Evfs Volume Owners Creating User Key PairsGuidelines for Creating User Keys Evfspkey keygen -p-s -c cipher -u user -k keynameCreating Recovery Keys Storing the recovery users Private KeyExamples Evfspkey keygen -c rsa-2048 -r -k keynameCreating Keys for authorized users Encrypted fileRsa-2048 RSA 2048-bit keys User name as the key nameExamples User Session# evfsadm start # evfspkey keygen -u root -k rootkey1Page Configuring an Evfs Volume Configuration OverviewOption 1 Creating a New Evfs Volume Before using this procedure, you must complete the tasksConfiguring an Evfs Volume Creating an LVM or VxVM Volume for EvfsCreating Evfs Volume Device Files Evfsadm map volumepath Creating the EMDOptional Adding Recovery Keys and authorized user Keys Enabling the Evfs Volume Specifies that the key pair is a recovery key pairEvfsvol add -u user -k keyname evfsvolumepath where Evfsvol enable -p-k keyname evfsvolumepathEtc/evfs/evfstab file for this volume and have a stored Specifies non-interactive mode. Evfs uses the key ID fromOption, you must add a key ID to the entry Evfsvol prompts you for the passphrase for the private keyCreating and Mounting a File System on an Evfs Volume Optional Using fsck to Check the File VolumeCreating a New File System with newfs # newfs -F vxfs /dev/evfs/vg01/rlvol5Mount the File System on the Evfs Volume Creating the Mount PointOptional Adding an Entry to /etc/fstab Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Verifying the Configuration Evfsvol display evfsvolumepathEvfsadm stat -a Evfsvol display evfsvolumepath Evfsadm stat -aRemount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal See evfstab4 for more informationBacking Up Your Configuration Page Map the regular volume to an Evfs volume Preparing the File System and DataMount the file system to the Evfs volume Performing Inline EncryptionIencrypt Inline Encryption Start inline encryptionConfiguring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Enabling Encryption and Decryption Access to Evfs Volumes Starting and Stopping EvfsStarting the Evfs Subsystem Disabling Encryption/Decryption Access to Evfs Volumes Causes Evfs to use a stored passphrase to enable encryptionUses the user name as the key name Evfsvol disable -p evfsvolumepath Evfsvol disable -aEnter the following evfsadm stop command evfsadm stop Stopping the Evfs SubsystemOpening Raw Access to Evfs Volumes Closing Raw Access to Evfs VolumesDisplaying Key IDs for an Evfs Volume Information for the volumeManaging Evfs Keys and Users Restoring User KeysUser Changing Owner Keys for an Evfs Volume Corresponds to a recovery users key in the EMD. If you doTo execute this command evfsvol prompts you for Specifies the name of the file containing private key thatRecovering from Problems with Owner Keys Removing Keys from an Evfs VolumeChanging the Passphrase for a Key Evfspkey delete -u username-r -p -k keynameEvfspkey passgen -u username -k keyname Evfspkey passgen -r recovkeyfile whereEvfspkey passgen -f-p-s -u username -k keyname where Recovering from EMD Corruption EMD Backup DirectoryRemoving a Volume from the Evfs Subsystem # evfsvol destroy /dev/evfs/vg01/lvol5Exporting and Importing Evfs Volumes Exporting an Evfs VolumeUse the following evfspkey keygen command syntax Evfspkey keygen -c cipher -u user -k keynameImporting an Evfs Volume Key owners name and keyname is the key nameIs the key owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Creating a New Evfs Volume Overwrites Existing Data Vxresize -F Might Cause Data Loss or CorruptionResizing Evfs Volumes and File Systems LVM Example Increasing Volume and File System SizesCorrect LVM Example Reducing Volume and File System Sizes IncorrectVxVM Example Increasing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes# fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes Backups Using LVM Mirrored Volumes Map the backup volume to EVFS. For exampleThis creates the device files /dev/evfs/vg01/lvol5backup Evfsvol check -r evfsvolumepath Dev/vg01/lvol5backup Syntax is as follows# evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Creating Cleartext Backup Media LVM Mirrored Volumes Example File UtilityBackups Using VxVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example# evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Creating Cleartext Backup Media VxVM Mirrored Volumes Example Block Device UtilityExample File Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Evfs Troubleshooting Tools OverviewDisplaying Evfs Volume Information Displaying I/O and Encryption Statistics evfsadm statEvfsadm stat -a-s-z Meaning of each field is as followsADisplays the EMD information for all enabled Evfs volumes Number of data blocks encryptedSize of the encrypted metadata EMD area, in kilobytes Verifying the EMD evfsvol check SyntaxVerifying User Keys evfspkey lookup # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1Problem Scenarios Evfspkey Cannot Generate Key PairsEvfspkey Cannot Store Keys Evfsvol Cannot Retrieve Private Key Evfsvol create Fails, Valid EMD Already ExistsSee the evfstab4 man page for more information Evfsvol disable Fails, Evfs Volume Is Busy Evfsvol disable command returns the following errorEvfsadm map command returns the following error Evfsadm map Fails, Invalid DeviceEvfsvol check -r -aevfsvolumepathwhere Resets the dirty bit for the specified volumeEMD Is Dirty Reporting Problems Collecting Data140 Product Specifications User Files Commands and Tools Evfs provides the following commands144 Evfs Quick Reference This appendix contains reference information about EvfsConfiguring Evfs Preparing EvfsOption 1 Creating New Evfs Volume # evfsadm map volumepathPerform inline encryption Start inline encryption Evfs Tasks and Commands Table B-1 Starting and Stopping EvfsTable B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Using Evfs with Serviceguard Evfs and Serviceguard OverviewRequirements Restrictions Evfs Attribute Definition File ADF Installing Evfs Creating the Serviceguard Storage Infrastructure Creating an LVM Serviceguard Storage InfrastructureCreating a VxVM Serviceguard Storage Structure Configuration NodeAdoptive Nodes Configuring Evfs on the Configuration Node Creating a Cluster Key PairAdding the Cluster Keys to the EMD Modifying /etc/evfs/evfstab EntriesPreparing Evfs Volumes for Adoptive Nodes # vgchange -a n /dev/vg02# vxdg deport evfsdg Configuring Evfs Volumes on the Adoptive Nodes Copying the Evfs Configuration Files and KeysRestoring the Cluster Key Pair Files Creating a Local Passphrase FileMapping the LVM or VxVM Volumes to Evfs Deactivating the VolumesModifying the /etc/evfs/evfstab File Verifying EvfsConfiguring the Autostart Feature Configuring Serviceguard using Modular packages Installing the Evfs Attribute Definition FileHalting an Existing Package Copying the Evfs Control and Module ScriptsCreating a Modular Package Configuration File Migrating a Legacy Package Configuration FileAdding the Evfs package to the Configuration File # cmmigratepkg -p pkgname -o outputfile.conf whereAdding the Evfs Volumes to the Package Configuration File Verifying the ScriptLVM and VxVM Modular package example Configuring Serviceguard using Legacy packages Creating the Package Configuration FileCreating a Package Control Script Converting a Package Control ScriptAdding the Evfs Volumes to the Package Control Script Installing the Evfs Control ScriptModifying the Package Configuration File LVM and VxVM Legacy package exampleGlossary AESVolume Index EMDPermissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming