User | HP UX Encrypted Volume and Filesystem (EVFS) manual

1.Verify the directory structure for the key database, and re-create it if necessary. By default, EVFS stores the user key database in subdirectories below the /etc/evfs/pkey directory, with a subdirectory for each user. The administrator can configure alternate database directory or directories using the pkey attribute in the /etc/evfs/evfs.conf file.

HP recommends that the primary directory is writable only by superusers. For example, the /etc/evfs/pkey directory is installed with the following permissions, owner, and group:

drwxr-xr-x

4 bin

bin

96 Mar 16 17:26 pkey

If you configure a fallback directory to allow users without superuser privileges to create keys, the fallback directory must allow the appropriate users to read, write, and execute the contents.

2.Create the appropriate directory for each user, such as /etc/evfs/pkey/root. Each directory must have the following permissions, owner, and group:

drwxr-xr-x

2 user

sys

96 Mar 16 17:27 user

3.Create a directory to store the recovery keys. If you are using the default name for the EVFS pseudo-user account and the default key storage directory, create the /etc/evfs/pkey/evfs directory (or a subdirectory under the key storage directory using the EVFS pseudo-user name) with the following permissions, owner, and group:

drwxr-xr-x

2 bin

bin

96 Mar 16 17:27 evfs

Managing EVFS Keys and Users 85

Image 85

HP UX Encrypted Volume and Filesystem (EVFS) manual User

Contents

Encrypted Volume and File System v1.1 Administrators Guide Trademark Notice Table of Contents Upgrading from Evfs v1.0 to Evfs Preparing Evfs for Configuration Administering Evfs 101 129 145 141153 171 169Page Software Types List of FiguresPage List of Tables Page Intended Audience About This DocumentDocument Organization Typographic Conventions HP Encourages Your Comments Related InformationUser input Evfs provides the following features Features and BenefitsEvfs Introduction LVM DLO Support Evfs Architecture Encryption Metadata EMD Evfs Data FlowEvfs Encryption Keys Using HP-UX Trusted Computing Services with Evfs Volume Encryption KeysUser Keys How Evfs Uses Keys 3illustrates how Evfs uses keys to enable an Evfs volume User Key and Passphrase Storage Key Names and Key IDsFile Names Alternate Storage Databases and Distributed Key Storage Summary of Key Type and Privileged User Capabilities User Key Privileges Evfsvol utility configures and manages the Evfs volumes Evfs CommandsEvfsadm Evfspkey Software Types Supported Software Product Limitations and Precautions Evfs Introduction Symptoms Known ProblemsPossible Device File Collision Workaround Feedback and Enhancement Requests Installation Prerequisites System RebootHardware Requirements Operating System Requirements Use the following procedure to install Evfs Installing EvfsSwinstall utility will install the Evfs components Log on to the target system as the root user Upgrading from Evfs v1.0 to Evfs Verifying for Preconfiguration Preparing Evfs for Configuration Start the Evfs subsystem. See Starting the Evfs Subsystem Preparation Overview Setting the evfsuser Attribute Configuring an Alternate Evfs Pseudo-UserCreating the User Group Creating the Evfs Pseudo-User Account Preparing Evfs for Configuration Keys Optional Configuring Alternate Key Database DirectoriesPrivate keys Passphrases that secure user private keys Key Storage Directory Requirements Default pubkey, privkey and passkey Attribute Statements Example NFS Directory for Public and Private Keys Example Alternate Directory for Public KeysExample Fallback Directory for Nonprivileged Users Optional Modifying Evfs Global Parameters EmdbackupDatacipher Pbe Example Starting the Evfs SubsystemEvfsadm start -n numberthreads Creating User Key Pairs Creating Keys for Evfs Volume OwnersGuidelines for Creating User Keys Evfspkey keygen -p-s -c cipher -u user -k keyname Storing the recovery users Private Key Creating Recovery KeysExamples Evfspkey keygen -c rsa-2048 -r -k keyname Encrypted file Creating Keys for authorized usersRsa-2048 RSA 2048-bit keys User name as the key name User Session Examples# evfsadm start # evfspkey keygen -u root -k rootkey1Page Configuration Overview Configuring an Evfs Volume Before using this procedure, you must complete the tasks Option 1 Creating a New Evfs Volume Creating an LVM or VxVM Volume for Evfs Configuring an Evfs VolumeCreating Evfs Volume Device Files Creating the EMD Evfsadm map volumepath Optional Adding Recovery Keys and authorized user Keys Specifies that the key pair is a recovery key pair Enabling the Evfs VolumeEvfsvol add -u user -k keyname evfsvolumepath where Evfsvol enable -p-k keyname evfsvolumepath Specifies non-interactive mode. Evfs uses the key ID from Etc/evfs/evfstab file for this volume and have a storedOption, you must add a key ID to the entry Evfsvol prompts you for the passphrase for the private key Optional Using fsck to Check the File Volume Creating and Mounting a File System on an Evfs VolumeCreating a New File System with newfs # newfs -F vxfs /dev/evfs/vg01/rlvol5 Creating the Mount Point Mount the File System on the Evfs VolumeOptional Adding an Entry to /etc/fstab Dev/evfs/vg01/lvol5 /opt/encrypteddata vxfs defaults 0 Evfsvol display evfsvolumepath Verifying the ConfigurationEvfsadm stat -a Evfsvol display evfsvolumepath Evfsadm stat -a Remount the file system using the mount command Optional Migrating Existing Data to an Evfs Volume Optional Configuring the Autostart Feature See evfstab4 for more information Dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey bootlocal Backing Up Your Configuration Page Preparing the File System and Data Map the regular volume to an Evfs volume Performing Inline Encryption Mount the file system to the Evfs volumeIencrypt Inline Encryption Start inline encryption Configuring an Evfs Volume Verifying the Configuration Remount the file system using the mount command # strings /dev/vg01/lvol5 grep TOP Secret Optional Configuring the Autostart Feature Example Backing Up Your Configuration Option Existing size is 96 MB we now extend it by 4 MB, to 100 MB Existing size is 96 MB we now extend it by 4 MB, to 100 MB Page Administering Evfs Starting and Stopping Evfs Enabling Encryption and Decryption Access to Evfs VolumesStarting the Evfs Subsystem Causes Evfs to use a stored passphrase to enable encryption Disabling Encryption/Decryption Access to Evfs VolumesUses the user name as the key name Evfsvol disable -a Evfsvol disable -p evfsvolumepathEnter the following evfsadm stop command evfsadm stop Stopping the Evfs Subsystem Closing Raw Access to Evfs Volumes Opening Raw Access to Evfs Volumes Information for the volume Displaying Key IDs for an Evfs VolumeManaging Evfs Keys and Users Restoring User Keys User Corresponds to a recovery users key in the EMD. If you do Changing Owner Keys for an Evfs VolumeTo execute this command evfsvol prompts you for Specifies the name of the file containing private key that Removing Keys from an Evfs Volume Recovering from Problems with Owner KeysChanging the Passphrase for a Key Evfspkey delete -u username-r -p -k keyname Evfspkey passgen -r recovkeyfile where Evfspkey passgen -u username -k keynameEvfspkey passgen -f-p-s -u username -k keyname where EMD Backup Directory Recovering from EMD Corruption # evfsvol destroy /dev/evfs/vg01/lvol5 Removing a Volume from the Evfs Subsystem Exporting an Evfs Volume Exporting and Importing Evfs Volumes Evfspkey keygen -c cipher -u user -k keyname Use the following evfspkey keygen command syntax Key owners name and keyname is the key name Importing an Evfs VolumeIs the key owners name and keyname is the key name Administering Evfs Managing Data on Evfs Volumes Vxresize -F Might Cause Data Loss or Corruption Creating a New Evfs Volume Overwrites Existing Data LVM Example Increasing Volume and File System Sizes Resizing Evfs Volumes and File SystemsCorrect Incorrect LVM Example Reducing Volume and File System Sizes VxVM Example Reducing Volume and File System Sizes VxVM Example Increasing Volume and File System Sizes # fsadm -F vxfs -b 65536 /test5 Backing Up and Restoring Data on Evfs Volumes Backing Up Evfs Volumes Backup Types with LVM or VxVM Mirrored Volumes Backup Types with Nonmirrored Volumes Map the backup volume to EVFS. For example Backups Using LVM Mirrored VolumesThis creates the device files /dev/evfs/vg01/lvol5backup Evfsvol check -r evfsvolumepath Syntax is as follows Dev/vg01/lvol5backup # evfsvol display /dev/evfs/vg01/lvol6 Evfsvol check -r evfsvolumepath Disable the Evfs backup volume. For example Example File Utility Creating Cleartext Backup Media LVM Mirrored Volumes Map the backup VxVM volume to EVFS. For example Backups Using VxVM Mirrored Volumes # evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol Backing Up and Restoring Data on Evfs Volumes # vxplex -g testdg -v vol05 dis vol05-02 # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol Evfsvol check -r evfsvolumepath # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol Backing Up Evfs Volumes Example Block Device Utility Creating Cleartext Backup Media VxVM Mirrored VolumesExample File Utility Backups Using Nonmirrored Volumes # evfsvol raw /dev/evfs/vg01/lvol5 Evfsadm stat -a Cp -r /opt/encrypteddata /opt/evfsbackup Restoring Backup Media Restoring Backup Data from an Evfs Volume to an Evfs Volume # cp -r /opt/backupevfs /opt/encrypteddata 128 Troubleshooting Tools Overview Troubleshooting Evfs Displaying I/O and Encryption Statistics evfsadm stat Displaying Evfs Volume InformationEvfsadm stat -a-s-z Meaning of each field is as follows Number of data blocks encrypted ADisplays the EMD information for all enabled Evfs volumes Size of the encrypted metadata EMD area, in kilobytes Syntax Verifying the EMD evfsvol check # evfspkey lookup -u root -k rootkey1 Key ID root.rootkey1 Verifying User Keys evfspkey lookup Evfspkey Cannot Generate Key Pairs Problem ScenariosEvfspkey Cannot Store Keys Evfsvol create Fails, Valid EMD Already Exists Evfsvol Cannot Retrieve Private KeySee the evfstab4 man page for more information Evfsvol disable command returns the following error Evfsvol disable Fails, Evfs Volume Is BusyEvfsadm map command returns the following error Evfsadm map Fails, Invalid Device Resets the dirty bit for the specified volume Evfsvol check -r -aevfsvolumepathwhereEMD Is Dirty Collecting Data Reporting Problems 140 Product Specifications User Files Evfs provides the following commands Commands and Tools 144 This appendix contains reference information about Evfs Evfs Quick Reference Preparing Evfs Configuring Evfs # evfsadm map volumepath Option 1 Creating New Evfs Volume Perform inline encryption Start inline encryption Table B-1 Starting and Stopping Evfs Evfs Tasks and Commands Table B-3 Managing Evfs Keys and Users Table B-4 Troubleshooting Evfs 152 Evfs and Serviceguard Overview Using Evfs with ServiceguardRequirements Restrictions Evfs Attribute Definition File ADF Installing Evfs Creating an LVM Serviceguard Storage Infrastructure Creating the Serviceguard Storage InfrastructureCreating a VxVM Serviceguard Storage Structure Configuration Node Adoptive Nodes Creating a Cluster Key Pair Configuring Evfs on the Configuration NodeAdding the Cluster Keys to the EMD Modifying /etc/evfs/evfstab Entries # vgchange -a n /dev/vg02 Preparing Evfs Volumes for Adoptive Nodes# vxdg deport evfsdg Copying the Evfs Configuration Files and Keys Configuring Evfs Volumes on the Adoptive NodesRestoring the Cluster Key Pair Files Creating a Local Passphrase File Deactivating the Volumes Mapping the LVM or VxVM Volumes to EvfsModifying the /etc/evfs/evfstab File Verifying Evfs Configuring the Autostart Feature Installing the Evfs Attribute Definition File Configuring Serviceguard using Modular packagesHalting an Existing Package Copying the Evfs Control and Module Scripts Migrating a Legacy Package Configuration File Creating a Modular Package Configuration FileAdding the Evfs package to the Configuration File # cmmigratepkg -p pkgname -o outputfile.conf where Verifying the Script Adding the Evfs Volumes to the Package Configuration FileLVM and VxVM Modular package example Creating the Package Configuration File Configuring Serviceguard using Legacy packagesCreating a Package Control Script Converting a Package Control Script Installing the Evfs Control Script Adding the Evfs Volumes to the Package Control ScriptModifying the Package Configuration File LVM and VxVM Legacy package example AES Glossary Volume EMD Index Permissions, 85 /etc/rc.config.d/evfs, 62, 72 RSA Vxresize command Renaming