Encrypted Volume and File System v2.2
Administrator Guide
HP-UX 11i v3
Abstract
This document describes how to install, configure, and troubleshoot the Encrypted Volume and File System (EVFS) product. This
document is intended for system and network administrators responsible for installing, configuring, and managing EVFS.
Administrators are expected to have knowledge of operating system concepts, commands, and configuration. Knowledge of
HP-UX system administration, including disk and file system administration, is helpful.
HP Part Number: 777846-001
Published: April 2014
© Copyright 2009, 2014 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products
and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Acknowledgments
UNIX is a registered trademark of The Open Group. Oracle is a registered trademark of Oracle and/or its affiliates.
Revision history
Part Number    Publication Date
777846-001     April 2014
5900-3314      October 2013
5900-2116      November 2011      Style guide compliance
5992-4727      August 2009        Divided into three parts, including EFS information
5992-4122      May 2008           Revised for EVS only
Contents
HP secure development lifecycle
I Encrypted Volume and File System (EVFS)
1 Overview
EVFS architecture
Features and benefits
Supported software
Product limitations and precautions
2 EVFS data and keys
EVFS data flow
Encryption metadata (EMD)
EVFS encryption keys
Volume and file encryption keys
User keys
Passphrases
Stored passphrases
Using HP-UX Trusted Computing Services with EVFS
How EVFS uses keys
Key names and key IDs
User key and passphrase storage
File names
Alternate storage databases and distributed key storage
3 EVFS installation
Prerequisites
Installing EVFS
Upgrading to EVFS v2.1
Uninstalling EVFS
4 Preparing EVFS for configuration
Verifying for preconfiguration
Preparation overview
Step 1: Configuring an alternate EVFS pseudo-user
Step 1a: Setting the evfs_user attribute
Example
Step 1b: Creating the user group
Example
Step 1c: Creating the EVFS pseudo-user account
Example
Step 2: (Optional) Configuring alternate key database directories
Syntax for pub_key, priv_key, and pass_key attribute statements
Key storage directory requirements
Default pub_key, priv_key and pass_key attribute statements
Example: Alternate directory for public keys
Example: NFS directory for public and private keys
Step 3: (Optional) Modifying EVFS global parameters
Step 4: Configuring FIPS compliant EVFS
Step 4a: Configure HP-UX KCM to enable FIPS mode
Step 4b: Restrict HP-UX EVFS using FIPS qualified cipher suites
Step 5: Starting the EVFS subsystem
Example
Step 6: (Optional) Configuring the autostart feature
II Encrypted Volume System (EVS)
5 EVS keys and user privileges
User privileges and permissions
EVS volume owner keys
Recovery keys
Authorized user keys
Summary of key type and privileged user capabilities
Creating keys
Guidelines for creating user keys
Creating keys for EVS volume owners
Example
Creating recovery keys
Storing the recovery user's private key
Examples
Creating keys for authorized users
Examples
6 Configuring an EVS volume
Configuration overview
Option 1: Creating a new EVS volume
Step 1: Configuring an EVS volume
Step 1a: Creating an LVM or VxVM volume for EVFS
Examples
Step 1b: Creating EVS volume device files
Examples
Step 1c: Creating the EMD
Example
Step 1d: (Optional) Adding recovery keys and authorized user keys
Step 1e: Enabling the EVS volume
Example
Step 2: Creating and mounting a file system on an EVS volume
Step 2a: Creating a new file system with newfs
Example
Step 2b: (Optional) Using fsck to check the file volume
Example
Step 2c: Creating the mount point
Example
Step 2d: Mount the file system on the EVS volume
Example
Step 2e: (Optional) Adding an entry to /etc/fstab
Example
Step 3: Verifying the configuration
evfsadm stat -a
evfsvol display evfs_volume_path
Verifying data encryption
Example
Step 4: (Optional) Migrating existing data to an EVS volume
Example
Step 5: Backing up your configuration
Option 2: Converting a volume with existing data to an EVS volume (inline encryption)
Step 1: Preparing the file system and data
Step 2: Performing inline encryption
iencrypt: Inline encryption
Suspending an ongoing inline encryption
Re-starting a suspended inline encryption
Step 3: Verifying the configuration
evfsadm stat -a
evfsvol display evfs_volume_path
Verifying data encryption
Example
Step 4: Backing up your configuration
Examples
Option 1
Korn shell script for creating an EVS volume and file system
Option 2
7 Administering EVS
Starting and stopping EVFS
Enabling encryption and decryption access to EVS volumes
Disabling encryption and decryption access to EVS volumes
Stopping the EVFS subsystem
Opening raw access to EVS volumes
Closing raw access to EVS volumes
Managing EVFS keys and users
Displaying key IDs for an EVS volume
Syntax
Example
Restoring user keys
Changing owner keys for an EVS volume
Recovering from problems with owner keys
Removing keys from an EVS volume
Removing user keys or stored passphrase from the EVFS key database
Changing the passphrase for a key
Creating or changing a stored passphrase for an existing key
Recovering from EMD corruption
EMD backup directory
Removing a volume from the EVFS subsystem
Exporting and importing EVS volumes
Exporting an EVS volume
Importing an EVS volume
Resizing EVS volumes and file systems
LVM Example: Increasing volume and file system sizes
Correct
Incorrect
8 Backing up and restoring data on EVS volumes
Backing up EVS volumes
Backups using LVM mirrored volumes
Creating encrypted backup media on a Non-EVFS device (LVM mirrored volumes)
Example
Creating encrypted backup media on a second EVS volume using a block device utility (LVM mirrored volumes)
Example
Creating encrypted backup media on a second EVS volume using a file utility (LVM mirrored volumes)
Example
Creating cleartext backup media (LVM mirrored volumes)
Example: Block device utility
Example: File utility
Backups using VxVM mirrored volumes
Creating encrypted backup media on a non-EVFS device (VxVM mirrored volumes)
Example
Creating encrypted backup media on a second EVS volume using a block device utility (VxVM mirrored volumes)
Example
Creating encrypted backup media on a second EVS volume using a file utility (VxVM mirrored volumes)
Example
Creating cleartext backup media (VxVM mirrored volumes)
Example: Block device utility
Example: File utility
Backups using nonmirrored volumes
Creating encrypted backup media to a non-EVFS device (nonmirrored volumes)
Example
Creating encrypted backup media on a second EVS volume using a block device utility (nonmirrored volumes)
Example
Creating encrypted backup media on a second EVS volume using a file utility (nonmirrored volumes)
Example
Creating cleartext backup media to a non-EVFS device (nonmirrored volumes)
Restoring backup media
Restoring encrypted backup media from a non-EVFS device to an EVS volume
Example
Restoring backup data from an EVS volume to an EVS volume
Example
III Encrypted File System (EFS)
9 Determining user roles
The system administrator role
The user role
The key manager role
Enabling the key manager
10 Creating an EFS volume and file system
Creating an LVM or VxVM volume
Mapping the volume to EVFS
Creating a file system
Performing operations on an EFS file system
11 Using EFS
Using a secure session
Logging into a secure session
Exiting from a secure session
Displaying secure session information
Creating an encrypted file
Reading from or writing to an encrypted file
Changing the file permissions
Changing the file owner/group
File encryption attributes
Enabling a directory or a file system for encryption
Enabling encryption at the FS level
Enabling encryption at the directory level
Enabling encryption at the FS and directory level
Disabling a directory or FS for encryption
Disabling encryption at the FS level
Disabling encryption at the directory level
Listing file encryption attributes
Sharing encrypted files via groups and group keys
File conversion operations
Converting a cleartext file to an encrypted file
Converting an encrypted file to a cleartext file
Changing the file encryption key (rekey)
Cipher precedence
Using the evfsxfr command
Examples
EFS backup and restore
The EVFS wrapper commands
The cp command
The chown and chgrp commands
The mv command
The usermod and groupmod commands
The userdel and groupdel commands
Using the evfsrun command
The EFS recovery key
12 Managing keys
Types of keys
Key manager key
Managing a user key
Creating a user key
Changing the passphrase
Displaying user key information
Exporting a user key
Importing a user key
Deleting a user key
Managing a group key
Creating a group key
Displaying group key information
Exporting group key information
Importing group key information
Deleting a group key
Key manager operations
Granting a member access to a group key
Removing a member from a group key
Check or synchronize users and groups
Key file location
13 Support and other resources
Contacting HP
New and changed information in this edition
Related information
Typographic conventions
A Troubleshooting EVFS
Troubleshooting tools overview
Displaying EVFS volume information
Displaying I/O and encryption statistics (evfsadm stat)
Syntax
Examples
Displaying EVFS volume keys and operating parameters (evfsvol display)
Syntax
Example
Verifying the EMD (evfsvol check)
Syntax
Example
Verifying user keys (evfspkey lookup)
Syntax
Example
Problem scenarios
evfspkey cannot generate key pairs
Symptom
Description
Solution
evfspkey cannot store keys
Symptom
Description
Solution
evfsvol cannot retrieve private key
Symptom
Description
Solution
evfsvol create fails, EVFS device file not found in evfstab file
Symptom
Description
Solution
evfsvol create fails, valid EMD already exists
Symptom
Description
Solution
evfsvol disable fails, EVFS volume is busy
Symptom
Description
Solution
evfsadm map fails, invalid device
Symptom
Description
Solution
EMD Is dirty
Symptom
Description
Solution
evfsvol enable fails, EMD backup not found
Symptom
Description
Solution
EVFS is not starting on system boot
Error on evfsadm stat output
Error on mounting file system
evfsvol cannot create an EVFS volume
Reporting problems
Collecting data
B Product specifications
User files
Commands and tools
EVFS commands
C EVFS quick reference
Preparing EVFS
Configuring EVS
Option 1: Creating a new EVS volume
Option 2: Converting an existing volume into an EVS volume (inline encryption)
EFS quick start
EVFS tasks and commands
D Using EVFS with HP Serviceguard
EVFS and HP Serviceguard overview
Requirements
Restrictions
Configuration overview
Step 1: Installing EVFS
Step 2: Creating the HP Serviceguard storage infrastructure
Creating an LVM HP Serviceguard storage infrastructure
Configuration node
Adoptive nodes
Creating a VxVM HP Serviceguard storage structure
Configuration node
Adoptive nodes
Step 3 (EVS only): Configuring EVS on the configuration node
Step 3a: Creating a cluster key pair
Step 3b: Adding the cluster keys to the EMD
Step 3c: Modifying /etc/evfs/evfstab entries
Step 3d: Preparing EVFS volumes for adoptive nodes
Step 3 (EFS only): Configuring EFS on the configuration node
Step 4 (EVS only): Configuring EVS Volumes on the adoptive nodes
Step 4a: Copying the EVFS configuration files and keys
Step 4b: Restoring the cluster key pair files
Step 4c: Creating a local passphrase file
Step 4d: Activating the LVM volume group or VxVM group on the adoptive node
LVM
VxVM
Step 4e: Mapping the LVM or VxVM volumes to EVFS
Step 4f: Modifying the /etc/evfs/evfstab file
Step 4g: Verifying EVFS
Step 4h: Deactivating the volumes
Step 4i: Configuring the autostart feature
Step 4 (EFS only): Configuring EFS volumes on the adoptive nodes
Step 4a: Copying the EVFS configuration files and keys
Step 4b: Activating the LVM volume group or VxVM group on the adoptive node
LVM
VxVM
Step 4c: Mapping the LVM or VxVM volumes to EVFS
Step 4d: Deactivating the volumes
Step 4e: Configuring the autostart feature
Step 5: Configuring HP Serviceguard using modular packages
Step 5a: Halting an existing package
Step 5b: Installing the EVFS attribute definition file
Step 5c: Copying the EVFS control and module scripts
Step 5d: Creating a modular package configuration file
Step 5e: Migrating a legacy package configuration file
Step 5f: Adding the EVFS package to the configuration file
Step 5g: Adding the EVFS volumes to the package configuration file
LVM and VxVM modular package example
Step 5h: Verifying the script
Step 6: Configuring HP Serviceguard using legacy packages
Step 6a: Halting an existing package
Step 6b: Creating the package configuration file
Step 6c: Creating a package control script
Step 6d: Converting a package control script
Converting a package control script
Modifying the package configuration file
Step 6e: Adding the EVFS volumes to the package control script
Step 6f: Installing the EVFS control script
Step 6g: Verifying the script
Glossary
Index
HP secure development lifecycle
Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides
the ability to authenticate HP-UX software. Software delivered through this release has been digitally
signed using HP's private key. You can now verify the authenticity of the software before installing
the products delivered through this release.
To verify the software signatures in a signed depot, the following products must be installed on your
system:
• B.11.31.1303 or later version of SD (Software Distributor)
• A.01.01.07 or later version of HP-UX Whitelisting (WhiteListInf)
To verify the signatures, run: /usr/sbin/swsign -v -s <depot_path>
For more information, see Software Distributor documentation at: http://www.hp.com/go/sd-docs.
NOTE: Ignite-UX software delivered with the HP-UX 11i v3 March 2014 release or later supports
verification of the software signatures in a signed depot or media during cold installation. For more
information, see Ignite-UX documentation at: http://www.hp.com/go/ignite-ux-docs.
Part I Encrypted Volume and File System (EVFS)
Part I includes the following topics:
• “Overview” (page 14)
• “EVFS data and keys” (page 21)
• “EVFS installation” (page 25)
• “Preparing EVFS for configuration” (page 28)
Contents
1 Overview
EVFS architecture
Features and benefits
Supported software
Product limitations and precautions
2 EVFS data and keys
EVFS data flow
Encryption metadata (EMD)
EVFS encryption keys
Volume and file encryption keys
User keys
Passphrases
Stored passphrases
Using HP-UX Trusted Computing Services with EVFS
How EVFS uses keys
Key names and key IDs
User key and passphrase storage
File names
Alternate storage databases and distributed key storage
3 EVFS installation
Prerequisites
Installing EVFS
Upgrading to EVFS v2.1
Uninstalling EVFS
4 Preparing EVFS for configuration
Verifying for preconfiguration
Preparation overview
Step 1: Configuring an alternate EVFS pseudo-user
Step 1a: Setting the evfs_user attribute
Example
Step 1b: Creating the user group
Example
Step 1c: Creating the EVFS pseudo-user account
Example
Step 2: (Optional) Configuring alternate key database directories
Syntax for pub_key, priv_key, and pass_key attribute statements
Key storage directory requirements
Default pub_key, priv_key and pass_key attribute statements
Example: Alternate directory for public keys
Example: NFS directory for public and private keys
Step 3: (Optional) Modifying EVFS global parameters
Step 4: Configuring FIPS compliant EVFS
Step 4a: Configure HP-UX KCM to enable FIPS mode
Step 4b: Restrict HP-UX EVFS using FIPS qualified cipher suites
Step 5: Starting the EVFS subsystem
Example
Step 6: (Optional) Configuring the autostart feature
1 Overview
HP-UX Encrypted Volume and File System (EVFS) is an application-transparent technology providing
protection of data at rest.
With EVFS, critical files and data at rest are stored on disk in encrypted form. EVFS
safeguards against compromised use of, and unauthorized access to, data following physical theft of
storage devices. The data encryption is based on a secret-key cryptosystem and runs as an integrated
kernel service transparent to the user. On IA, EVFS is integrated with HP-UX KCM (Kernel Crypto
Module). On IA, HP-UX EVFS is FIPS-compliant when used with HPUX-KCM 2.1. For more information
about configuring EVFS for FIPS compliance, see “Step 4: Configuring FIPS compliant EVFS”
(page 33).
With HP-UX EVFS, disks and volumes can be configured to be used in one of two modes:
volume-level encryption (EVS) or file-level encryption (EFS).
NOTE:
• EVS is supported with HP-UX 11i v2 update 2 and later.
• EFS is supported with HP-UX 11i v3 and later.
• You can use a volume or a disk for either EFS or EVS, but not both.
This chapter discusses the following topics:
• “EVFS architecture” (page 14)
• “Features and benefits” (page 15)
• “Supported software” (page 17)
• “Product limitations and precautions” (page 18)
EVFS architecture
Figure 1 shows the EVFS architecture. It illustrates how data stored in volumes (EVS) and
files (EFS) is encrypted.
Figure 1 EVFS architecture
Features and benefits
EVFS protects data at rest (data on disks) by encrypting data volumes. You can
also use EVFS to create encrypted backup media. EVFS prevents anyone who gains unauthorized
physical access to storage media from reading or using the data.
EVFS creates EVFS volumes, which are pseudo-devices (or virtual devices) layered on Logical
Volume Manager (LVM), Veritas Volume Manager (VxVM), or physical volume devices. You can
use the newfs command to create a file system on an EVFS volume just as you would create a
file system on an LVM, VxVM, or physical volume. The EVFS subsystem encrypts data written to
an EVFS volume and decrypts data read from an EVFS volume as needed.
EVFS provides the following features:
• Data protection that is file-system independent
When configured in volume mode (EVS), EVFS supports all disk file system types that can be
mounted on an LVM, VxVM, or physical volume, including High Performance File System (HFS)
and Veritas File System (VxFS, also referred to as Journaled File System, or JFS). EFS mode
only supports HFS and VxFS.
• Application transparency
EVFS volumes are implemented as pseudo-devices below the HP-UX file system. No changes
to applications are necessary. When configured in volume mode (EVS), EVFS is compatible
with network file sharing utilities, such as Network File System (NFS) and Common Internet
File System (CIFS), and with network file access utilities, such as File Transfer Protocol (FTP)
and remote copy (rcp).
• High-performance bulk data encryption using symmetric keys
EVFS encrypts volume data using a symmetric encryption key, referred to as the volume
encryption key. EVFS supports the following symmetric key algorithms for encrypting volume
data:
◦ 128-bit key AES CBC (Advanced Encryption Standard Cipher Block Chaining) mode
◦ 192-bit key AES CBC mode
◦ 256-bit key AES CBC mode
◦ 128-bit key Advanced Encryption Standard Cipher FeedBack (AES CFB) mode
◦ 192-bit key AES CFB mode
◦ 256-bit key AES CFB mode
EVFS encrypts file data using a unique symmetric encryption key, referred to as the file
encryption key. EVFS supports the following symmetric key algorithms for encrypting file data:
◦ 128-bit key Advanced Encryption Standard Cipher FeedBack (AES CFB) mode
◦ 192-bit key AES CFB mode
◦ 256-bit key AES CFB mode
EVFS supports the following symmetric key algorithms only on IA:
◦ 128-bit key Advanced Encryption Standard Cipher Block Chaining (AES CBC) mode
◦ 192-bit key AES CBC mode
◦ 256-bit key AES CBC mode
• Public/private keys to protect the symmetric keys
EVFS uses public/private encryption keys to protect volume and file encryption keys. EVFS
supports the following public/private key encryption algorithms:
◦ 1024-bit key Rivest-Shamir-Adleman (RSA)
◦ 1536-bit key RSA
◦ 2048-bit key RSA
• Passphrase storage and retrieval for automatic start (autostart)
EVFS encrypts private keys with passphrases. In normal operation, EVFS prompts the user for
the passphrase to decrypt and retrieve the private key. To enable EVFS operation during
system startup without human intervention, EVFS provides a mechanism to store a user's
passphrase in a file, encrypted with system-specific data. At system startup, EVFS can
automatically retrieve stored passphrases and use the passphrases to execute EVFS commands.
CAUTION: Stored passphrases provide convenience, but they are security risks.
• EFS Secure Session
In order to use EFS, a user needs to be in an EFS secure session (see evfsauth(1)). This session
contains all the necessary credentials for a user to access and operate on encrypted files.
Secure session credentials are inherited by child processes.
• Key Management
EVFS provides its own local key management system. It supports encryption keys for both EVS
and EFS. The concept of key manager is introduced in EVFS 2.0.
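The key chain in the feature list above (a symmetric volume key wrapped by a public key, the private key locked by a passphrase, and the passphrase optionally stored encrypted with system-specific data for autostart), modeled with the openssl CLI. This is an added example, not HP's code, and it does not reproduce EVFS commands or on-disk formats; the file names, the passphrase and the SYSTEM_DATA placeholder are assumptions.

```shell
#!/bin/sh
# Constructed model of the key chain, built with the openssl CLI. File names,
# the passphrase and SYSTEM_DATA are assumptions for this sketch; none of this
# is EVFS's key format, storage layout or command set.
# "pass:" arguments are visible in process listings; used here only for brevity.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

to_hex() { od -An -tx1 "$1" | tr -d ' \n'; }

# User key pair: the private key is written encrypted under the passphrase.
make_user_keys() {   # $1 = passphrase
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$1" -out "$WORK/user.priv" 2>/dev/null &&
    openssl pkey -in "$WORK/user.priv" -passin "pass:$1" \
        -pubout -out "$WORK/user.pub"
}

# Volume key: random 256-bit symmetric key, left on disk only in wrapped form.
# VOLUME_KEY_HEX is kept in memory so the demo can compare results.
make_wrapped_volume_key() {
    openssl rand -out "$WORK/volume.key" 32 &&
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/user.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/volume.key" -out "$WORK/volume.key.wrapped" &&
    VOLUME_KEY_HEX=$(to_hex "$WORK/volume.key") &&
    rm -f "$WORK/volume.key"
}

# Interactive path: passphrase -> private key -> volume key.
# Prints the key as hex; returns non-zero if the passphrase is wrong.
unwrap_volume_key() {   # $1 = passphrase
    out="$WORK/unwrapped.tmp"
    if openssl pkeyutl -decrypt -inkey "$WORK/user.priv" -passin "pass:$1" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/volume.key.wrapped" -out "$out" 2>/dev/null
    then to_hex "$out"; rm -f "$out"
    else rm -f "$out"; return 1
    fi
}

# Autostart path: the passphrase is stored encrypted under a key derived
# from system-specific data (a placeholder string in this sketch).
store_passphrase() {   # $1 = passphrase, $2 = system-specific data
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "pass:$2" -out "$WORK/passphrase.stored"
}

# No human input: system data -> stored passphrase -> private key -> volume key.
autostart_unwrap() {   # $1 = system-specific data
    pp=$(openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$1" \
        -in "$WORK/passphrase.stored" 2>/dev/null) || return 1
    unwrap_volume_key "$pp"
}

PASSPHRASE='constructed example passphrase'
SYSTEM_DATA='placeholder-system-data'

make_user_keys "$PASSPHRASE" && make_wrapped_volume_key || exit 1
store_passphrase "$PASSPHRASE" "$SYSTEM_DATA" || exit 1

echo "volume key (hex):     $VOLUME_KEY_HEX"
echo "passphrase unwrap:    $(unwrap_volume_key "$PASSPHRASE")"
echo "wrong passphrase:     $(unwrap_volume_key 'guess' || echo refused)"
echo "autostart, no prompt: $(autostart_unwrap "$SYSTEM_DATA")"
```

In the autostart path the volume key is recovered without any prompt, so the stored-passphrase file and whatever supplies the system-specific data need the same protection as the passphrase itself.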
Supported software
Software used with EVFS can be categorized into three types:
Type 1
Applications without kernel components. EVFS volumes configured in EVS mode support
Type 1 software. EVFS volumes configured in EFS mode support Type 1 software if the
data is accessed using the evfsxfr command or in a secure session. Examples of
Type 1 software include FTP, rcp, CIFS Server, and Oracle® Database 10g. (This list
is not exhaustive and is included only to provide examples of Type 1 software.)
Type 2
Software with kernel modules that access the file system (Virtual File System, VFS, or
HFS or VxFS). EVFS volumes configured in EVS mode support Type 2 software. EVFS
volumes configured in EFS mode do not support Type 2 software, unless specifically
stated. The NFS server daemon is an example of Type 2 software. Therefore, the NFS
client and server cannot be used with EFS volumes.
Type 3
Software with kernel components that directly access physical volumes and implement
file system or volume management functionality. EVFS does not support Type 3 software.
Examples of Type 3 software include Oracle Automatic Storage Management (ASM),
and file systems other than HFS and VxFS, such as Veritas Cluster File System (CFS)
and Clearcase Multiversion File System (MVFS). (This is not an exhaustive list and is
included only to provide examples of Type 3 software.)
Figure 2 illustrates the data paths for the software types described in the preceding list.
Figure 2 Software types
[Diagram labels: Type 1: User applications; System Calls; Kernel; Type 2: Kernel daemons that interface with VFS; Virtual File System (VFS); File Systems (HFS, VxFS); Type 3: Kernel modules that interface with physical disks and implement file system or volume management functions; EVFS Pseudo-Driver; Logical Volume Managers (LVM, VxVM); Physical Disk]
Product limitations and precautions
The EVFS product has the following limitations:
• EVFS operates with LVM, VxVM and physical volumes only. Each EVFS volume is mapped to
an underlying LVM, VxVM or physical volume.
• You can use an alternate link to specify an LVM or VxVM volume or an alternate device path
to specify a whole disk for the evfsadm map command. However, when creating EVFS
volumes, do not:
◦ Create multiple EVFS volumes that reference the same LVM or VxVM volume
◦ Create multiple EVFS volumes that reference the same physical disk when using whole
disk access
◦ Specify different multipaths to the same physical disk when using whole disk access
◦ Specify persistent and legacy device files that point to the same physical disk
CAUTION: If you create multiple EVFS volumes that reference the same LVM or VxVM volume
or the same whole disk device, data corruption can occur.
• You enable EVFS encryption and decryption for an EVFS volume as a single unit. When you
enable EVFS encryption and decryption for a volume, EVFS encrypts and decrypts the data
blocks as the blocks are accessed. All read operations through the EVFS volume receive
decrypted data as output, and users can access individual files in cleartext. You must use
normal HP-UX file system permissions and access control to restrict access to the data.
• You cannot encrypt the following objects:
◦ Files or disk areas used during system boot. This includes the following objects:
– the root file system (/)
– the HP-UX kernel directory (/stand)
– the /usr directory
EVFS cannot decrypt the kernel or other data before the system boots.
CAUTION: Encrypting the boot disk can cause the boot disk to become unusable and
prevent you from booting the system.
◦ Dump devices.
◦ Swap space (swap devices or file swap space).
CAUTION: Encrypting swap space can cause the system to panic.
• EVFS does not automatically convert existing volume data to encrypted data. To encrypt
existing volume data, use the inline encryption feature in this release of EVFS.
CAUTION: If you improperly configure EVFS on a volume that already contains data, the
existing data will be unusable.
IMPORTANT: To use inline encryption, 3 MB of spare disk space are required at the end of
the volume, and the minimum volume size must be 4 MB. If the entire volume is used, extend
the volume using lvextend for LVM, or vxassist for VxVM.
•
To mount a file system on an EVFS volume configured in EVS mode, the EVFS volume must be
enabled and the data transfer to and from the file system must be in cleartext (unencrypted)
format. Therefore, any executable that uses file system utilities to read or write data can operate
only on cleartext data.
Network file sharing utilities, such as NFS, CIFS, FTP, or rcp will transmit files in cleartext,
even if the original files reside on an EVFS volume.
•
For EVFS volumes configured in EVS mode, to use a backup utility that performs incremental
backups or that backs up individual files, you must enable the EVFS volume. The backup utility
will read the data in cleartext, even if the original files reside on an EVFS volume. If the target
backup device is another EVFS volume, the target EVFS volume will re-encrypt the data.
If the target backup device is a tape device or other non-EVFS device:
◦
You must back up the volume as a volume device (as a single unit), not as a file system
or group of files, to create encrypted backup media. You can create encrypted backup
media using block device utilities, such as dd.
◦
You cannot create encrypted backup media using file-based utilities with EVFS volumes
configured for EVS.
•
EVFS is not supported by SAM or SMH.
•
The evfsadm trace command is intended for use by support personnel only. HP does not
support this feature on customer environments.
•
During inline encryption, the volume is not accessible until the entire operation is completed.
•
The Multi Volume File System feature of Veritas is not supported by EVFS.
•
EVFS is currently available in English only.
•
Secure Sessions limit: 16K secure sessions per system.
•
Volume limit: 1023 encrypted volumes per system.
•
ServiceGuard version A.11.18 or later using modular packages supports EVFS volumes without
a file system.
•
On an EFS volume, the file size is limited to the maximum file size minus the size of the EMD
(4k).
•
Writing to an EVFS device that is not mapped by EVFS (for example, when EVFS is not running)
can cause data corruption.
•
The maximum user name, group name, or key name length supported by EVFS is 100.
•
The user IDs and group IDs must be unique for user keys and group keys to work properly (for
example, users cannot share the same user ID and groups cannot share the same group ID).
2 EVFS data and keys
EVFS data flow
EVFS is implemented using a pseudo-driver that operates on the EVFS volumes. An EVFS volume
is stacked between the underlying volume (a LVM, VxVM, or physical volume) and an upper layer.
The upper layer can be a file system or an application that reads data from and writes data directly
to the EVFS volume, such as a database application.
When the upper layer writes data, the EVFS pseudo-driver encrypts the data before writing it
to the underlying volume. When the upper layer reads data, the pseudo-driver decrypts the data
from the underlying volume and provides the decrypted data to the upper layer. If the upper layer
caches data to the lower layer, such as a file system with buffer caching enabled, all data in the
buffer cache is in cleartext (it is not encrypted). Figure 3 shows a simplified EVFS data flow.
Figure 3 EVFS data flow
[Diagram, top to bottom: DB or direct-access application and file system; EVFS (decrypts data
read by upper layer, encrypts data written to lower layer); LVM and VxVM; physical disks.
Legend: non-encrypted data, encrypted data.]
IMPORTANT: Once encryption and decryption are enabled on an EVFS volume configured in
EVS mode, all read operations performed on the EVS volume get decrypted data.
For accessing encrypted files created on an EVFS volume configured in EFS mode, EVFS performs
key based verification in addition to the file system access verification.
Encryption metadata (EMD)
When a volume is configured in EVS mode, each EVS volume has a set of encryption attributes,
or encryption metadata (EMD) associated with it. The EMD is stored as part of the EVS volume.
The data stored in the EMD includes operating parameters for the EVFS volume, such as the data
encryption algorithm, and copies of the volume encryption key. The copies of the volume encryption
key are encrypted ("wrapped") by user keys, as described in the following section.
When a volume is configured in EFS mode, each encrypted file has its own EMD. Contrary to the
EVS volume, there is no volume EMD associated with the EFS volume.
EVFS encryption keys
EVFS uses two types of encryption keys:
•
Symmetric keys to encrypt data, referred to as volume encryption keys for EVS and as file
encryption keys for EFS.
•
Public/private key pairs to protect volume or file encryption keys, also referred to as user keys.
EVFS also uses passphrases to protect private keys.
Volume and file encryption keys
EVFS uses symmetric keys to encrypt data, referred to as volume or file encryption keys. In symmetric
key cryptography, the same key (bit string) is used to encrypt and decrypt the data. In EVS mode,
EVFS stores the volume encryption keys in the EMD area of a volume, as part of key records. In
EFS mode, EVFS stores the file encryption keys in the EMD area of a file. Each key record contains
the volume or file encryption key, encrypted with a user's public key. Because the encryption key
is encrypted with a public key, this data is also referred to as a “digital envelope.” The digital
envelope must be “opened,” or decrypted with the user's private key to retrieve the encryption
key. Figure 4 illustrates how EVFS uses and stores volume encryption keys.
Figure 4 Encryption metadata (EMD) and volume encryption keys
[Diagram: an EVFS volume containing the encryption metadata (EMD), with its key records, and
the encrypted data. User 1’s public key encrypts the volume encryption key; User 1’s private
key decrypts the volume encryption key; the volume encryption key encrypts and decrypts the
data. The TCS EVFS key protects the user private key, and “my_passphrase” authorizes TCS
access to the volume encryption key. System-specific data encrypts the stored passphrase
“my_passphrase”.]
User keys
EVFS uses public/private encryption key pairs with passphrases to securely store file and volume
encryption keys. Each public/private key pair is owned by a user, and the key pairs are also
referred to as user keys.
Public/private key cryptography systems use pairs of related but different keys. The public and
private key pairs are mathematically related so that data encrypted with the public key requires
the private key to decrypt it. In public/private key systems, the public key does not have to be kept
secret.
Passphrases
For added protection, EVFS encrypts each private key with a passphrase before storing it. You
can specify the passphrase or have EVFS generate a passphrase for you.
Stored passphrases
You can store a passphrase in a file. EVFS encrypts the passphrase with system-specific information
before storing it. For EVS mode, stored passphrases enable EVS to retrieve a user's private key
without prompting for the passphrase. If you want to enable EVS volumes at system startup without
manual intervention, you must use stored passphrases. For EFS mode, the stored passphrase allows
the system administrator to start applications on behalf of other users. If applications require the
passphrase from other users, the passphrase will be automatically read from the file (see “Using
the evfsrun command” (page 127)). However, when entering a secure session (see “Using a secure
session” (page 108)), a user is always prompted for the passphrase, regardless of whether it has
been stored in a file (in other words, the stored passphrase is ignored).
CAUTION: A stored passphrase enables you to use the EVFS autostart feature, but it is a security
risk. In EFS mode, it is possible for root to access the encrypted files of users that have a stored
passphrase.
Using HP-UX Trusted Computing Services with EVFS
On systems with HP-UX Trusted Computing Services (TCS), you can use TCS to secure EVFS private
keys. For more information, see the HP-UX TCS product documentation.
How EVFS uses keys
EVFS uses symmetric volume or file encryption keys to encrypt the volume or file data. EVFS also
uses public/private keys to encrypt the symmetric encryption keys, and it uses passphrases to
encrypt private keys, as follows:
•
The symmetric encryption key is stored in key records, or digital envelopes, in the EMD area
of the EVFS volume or file. Each key record contains the volume or file encryption key, encrypted
by a user's public key.
•
User's public keys are stored in a local database, unencrypted.
•
User's private keys are stored in a local database. Each private key is encrypted with a
passphrase.
•
As an option, a passphrase can be stored in a file, encrypted with system-specific data. A
stored passphrase is a security risk. However, it enables you to execute some EVFS commands
without entering a passphrase and to use the EVFS autostart feature.
When accessing encrypted data stored on an EVS or EFS volume, the following steps are performed:
1. The passphrase is used to decrypt the user's private key.
2. The decrypted private key is used to decrypt the file or volume symmetric encryption key stored
in the EMD area.
3. The data stored on the volume or file is encrypted/decrypted using this unwrapped symmetric
key.
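The three steps above can be reproduced with OpenSSL standing in for EVFS. This is an added example, not EVFS code or its on-disk format; the RSA-2048 user key, the AES-128-CBC cipher, the file names, and the sample record are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: OpenSSL stands in for EVFS. File names, RSA-2048, AES-128-CBC and
# the sample record are assumptions, not EVFS's real formats.

# Create a user key pair. The private key is stored encrypted under the passphrase.
make_user_key() {        # $1 = work dir, $2 = passphrase
    openssl genrsa -aes128 -passout "pass:$2" -out "$1/user.priv" 2048 2>/dev/null &&
    openssl rsa -in "$1/user.priv" -passin "pass:$2" -pubout -out "$1/user.pub" 2>/dev/null
}

# Encrypt data with a fresh symmetric key, then keep only a wrapped copy of that key
# (the key record, or digital envelope).
seal_volume() {          # $1 = work dir, $2 = cleartext to protect
    vek=$(openssl rand -hex 16) || return 1      # symmetric encryption key
    iv=$(openssl rand -hex 16) || return 1       # cipher parameter kept with the metadata
    printf '%s' "$iv" > "$1/emd.iv"
    printf '%s' "$2" |
        openssl enc -aes-128-cbc -K "$vek" -iv "$iv" -out "$1/data.enc" || return 1
    printf '%s' "$vek" |
        openssl pkeyutl -encrypt -pubin -inkey "$1/user.pub" -out "$1/keyrecord.bin"
    rc=$?; unset vek; return $rc
}

# Steps 1 to 3 from the text: passphrase -> private key -> symmetric key -> data.
open_volume() {          # $1 = work dir, $2 = passphrase; prints the cleartext on success
    vek=$(openssl pkeyutl -decrypt -inkey "$1/user.priv" -passin "pass:$2" \
              -in "$1/keyrecord.bin" 2>/dev/null) || return 1
    openssl enc -d -aes-128-cbc -K "$vek" -iv "$(cat "$1/emd.iv")" -in "$1/data.enc"
}

# Demonstration on constructed data.
d=$(mktemp -d)
make_user_key "$d" "my_passphrase" && seal_volume "$d" "constructed sample record"
open_volume "$d" "my_passphrase"; echo
open_volume "$d" "wrong_passphrase" || echo "unwrap refused: wrong passphrase"
rm -rf "$d"
```

Only the wrapped key record and the passphrase-protected private key remain on disk, which is why a stored passphrase removes the last barrier between a local superuser and the data.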
Key names and key IDs
Each public/private key pair has an owner and a key name. A user can have multiple public/private
key pairs. The default key name (the name EVFS uses if you do not specify a key name) is the
owner's user account name. For EFS mode, a user must have a key pair with the default key name.
Public/private key pairs are also identified by a key ID formed by concatenating the owner's user
account name and the key name, separated by a period (.). For example, the user bob owns the
key pair named bobkey1. The key ID for this key pair is bob.bobkey1. For EFS mode, bob must
have a key pair with a key ID bob.bob.
For EVFS, the user login name and key name are limited to 100 characters.
User key and passphrase storage
By default, EVFS stores keys in a local database under the directory /etc/evfs/pkey. EVFS
creates a users subdirectory for all the users keys, then it creates a subdirectory under users
for each user who owns EVFS user keys. The subdirectory name is the user account name.
File names
When using the default key storage directory, EVFS uses the following directory and file names
to store user keys:
Public Key: /etc/evfs/pkey/users/user_name/key_name.pub, where user_name is the key
owner's name and key_name is the key name.
Private Key: /etc/evfs/pkey/users/user_name/key_name.priv, where user_name is the key
owner's name and key_name is the key name.
Stored Passphrase: /etc/evfs/pkey/users/user_name/key_name.pass.nnn, where user_name
is the key owner's name, key_name is the key name, and nnn is a number based on
system-specific data.
Alternate storage databases and distributed key storage
You can configure EVFS to use different file directories for the user key database that contains the
public keys, private keys, and stored passphrases. The directories can be local directories or remote
directories that are NFS-mounted. You can also configure EVFS to use different database directories
according to the data type (key type or stored passphrase).
3 EVFS installation
This chapter describes how to install EVFS, including prerequisites, installation steps, and
post-installation verification procedures. This chapter addresses the following topics:
•
“Prerequisites” (page 25)
•
“Installing EVFS” (page 25)
Prerequisites
The following are the minimum requirements to install and use EVFS.
Hardware requirements
•
HP 9000 computers
•
HP Integrity servers
Disk space requirements
The system must have at least 12 MB of disk space available.
Operating system requirements
The operating system must be HP-UX 11i Version 3.
Dependencies
EVFS v2.1 has the following dependencies:
•
Process management cumulative patch: PHKL_38650
•
Process-Specific Data cumulative patch: PHKL_38800
•
The fs_spec cumulative patch: PHKL_38936
•
The fs_util cumulative patch: PHKL_38937
•
Veritas File System 5.0 (VxFS 5.0)
•
HP-UX KCM (Kernel Crypto Module)
NOTE: KCM is required only for IA.
System reboot
You do not need to reboot if there is no previous version of EVFS installed.
Installing EVFS
Use the following procedure to install EVFS:
1. Review the “Prerequisites” (page 25).
2. Log on to the target system as the root user.
3. Download EVFS from the HP Software Depot at http://www.software.hp.com.
   Save the EVFS depot as a local file on the target system, for example:
   /tmp/<EVFS-depotname>.depot
4. Use the following command to verify the depot file on the target system:
   swlist -d @ /tmp/<EVFS-depotname>.depot
   If the EVFS depot file is correctly stored on the system, you will see the following message
   after executing the command:
   # swlist -d @ /tmp/EVFS.depot
   # Initializing...
   # Contacting target "my_host"...
   #
   # Target: my_host:/tmp/EVFS.depot
   #
   #
   # Bundle(s):
   #
     EVFS A.02.01.00 HP-UX Encrypted Volume and File System (EVFS)
5. Install EVFS using an interactive swinstall session or the following swinstall command:
   # swinstall -x autoreboot=true -s /tmp/<EVFS-depotname>.depot EVFS
   The swinstall utility will install the EVFS components.
6. Verify the installation using the swverify EVFS command. If EVFS is installed correctly on
   the system, the swverify command will include the following text in the data it reports:
   * Verification succeeded
NOTE: Encrypted Volume and File System (EVFS) is installed as a kernel-space component and
a user-space component. You do not need to reboot if there is no previous version of EVFS installed.
Upgrading to EVFS v2.1
Use the following procedure to upgrade from a previous version of EVFS:
1. Review the “Prerequisites” (page 25).
2. Log on to the target system as the root user.
3. Download EVFS from the HP Software Depot at http://www.software.hp.com.
   Save the EVFS depot as a local file on the target system, for example:
   /tmp/EVFS-depotname.depot
4. On IA, export all user keys. For more information on exporting a user key, see “Exporting a
   user key” (page 136).
5. Stop the EVFS subsystem using the following command:
   # evfsadm stop
6. Use the following command to verify the depot file on the target system:
   swlist -d @ /tmp/EVFS-depotname.depot
   If the EVFS depot file is correctly stored on the system, the following message appears after
   executing the command:
   swlist -d @ /tmp/EVFS.depot
   # Initializing...
   # Contacting target "my_host"...
   #
   # Target: my_host:/tmp/EVFS.depot
   #
   #
   # Bundle(s):
   #
     EVFS A.02.01.00 HP-UX Encrypted Volume and File System (EVFS)
7. Install EVFS using an interactive swinstall session or the following swinstall command:
   # swinstall -x autoreboot=true -s /tmp/EVFS-depotname.depot EVFS
   The swinstall utility will install the EVFS components.
NOTE: When upgrading from EVFS v2.0 to EVFS v2.1, if the system does not automatically
reboot, manually reboot to load the dynamic evfs module.
8. Verify the installation using the following swverify command:
   # swverify EVFS
   If EVFS is installed correctly on the system, the swverify command includes the following
   text in the data it reports:
   * Verification succeeded
9. On IA, delete the user keys. For more information on deleting a user key, see “Deleting a user
   key” (page 138).
10. Check the value of emd_digest in the EVFS configuration file /etc/evfs/evfs.conf. If
the value is SHA1, replace this with SHA2.
11. Start the EVFS subsystem. For more information on starting the EVFS subsystem, see “Step 5:
Starting the EVFS subsystem” (page 33).
12. On IA, import all user keys. For more information on importing a user key, see “Importing a
user key” (page 137).
Uninstalling EVFS
CAUTION: Do not swremove EVFS if there is still encrypted data on the system. Otherwise data
will be lost once EVFS is removed.
To uninstall EVFS, follow these steps:
1. Stop all commands and applications accessing the encrypted data.
2. Back up all data, especially the /etc/evfs directory and all encrypted volumes and files.
3. Convert all encrypted data to cleartext. For EVS, copy the encrypted volume to a non-encrypted
volume. For EFS, copy the encrypted files to a non-encrypted file system.
4. Ensure that the /dev/evfs devices are not being used or referenced (for example, by
crontab and startup scripts).
5. Ensure that there is no EVFS filesystem in the /etc/fstab file.
6. Save all keys in case any backup encrypted data needs to be retrieved.
7. Stop the EVFS subsystem and uninstall EVFS.
4 Preparing EVFS for configuration
This chapter describes how to prepare the EVFS product for configuration.
•
“Verifying for preconfiguration” (page 28)
•
“Preparation overview” (page 28)
•
“Step 1: Configuring an alternate EVFS pseudo-user” (page 29)
•
“Step 2: (Optional) Configuring alternate key database directories” (page 30)
•
“Step 3: (Optional) Modifying EVFS global parameters” (page 32)
•
“Step 4: Configuring FIPS compliant EVFS” (page 33)
•
“Step 5: Starting the EVFS subsystem” (page 33)
•
“Step 6: (Optional) Configuring the autostart feature” (page 34)
Verifying for preconfiguration
Before configuring EVFS, verify the following items:
•
Verify that EVFS supports the applications that you want to use with EVFS. See “Supported
software” (page 17) for more information.
•
Verify that EVFS supports the directories you want to encrypt with EVFS. See “Product limitations
and precautions” (page 18) for more information.
•
EVFS does not automatically convert existing volume data to encrypted data. To encrypt
existing volume data in EVS mode, use the inline encryption feature in this release of EVFS.
CAUTION: If you improperly configure EVFS on a volume that already contains data, the
existing data will be unusable.
IMPORTANT: To use inline encryption, 3 MB of spare disk space are required at the end of
the volume, and the minimum volume size must be 4 MB. If the entire volume is used, extend
the volume using lvextend for LVM, or vxassist for VxVM.
•
To create encrypted backup media to a tape or other non-EVFS device, you must back up the
EVS volume as a volume device (as a single unit), not as a file system or group of files. You
can create encrypted backup media using block device utilities such as dd. Verify that the
sizes of the LVM, VxVM, or physical volumes you are going to encrypt are appropriate for the
backup media you are using and for the time it will take to back up a whole volume.
Preparation overview
Use the following procedure to prepare EVFS for configuration:
1. Configure an alternate EVFS pseudo-user account. You can skip this step if you can use evfs
as the user name and group name for the EVFS pseudo-user. See “Step 1: Configuring an
alternate EVFS pseudo-user” (page 29).
2. (Optional) Configure alternate directories for the key database. See “Step 2: (Optional)
Configuring alternate key database directories” (page 30).
3. (Optional) Modify EVFS global parameters. See “Step 3: (Optional) Modifying EVFS global
parameters” (page 32).
4. Configure FIPS compliant EVFS. See “Step 4: Configuring FIPS compliant EVFS” (page 33).
5. Start the EVFS subsystem. See “Step 5: Starting the EVFS subsystem” (page 33).
Step 1: Configuring an alternate EVFS pseudo-user
EVFS uses the pseudo-user evfs to own and control internal resources. When you install EVFS for
the first time, the installation script attempts to add the user account evfs and the group evfs for
the EVFS pseudo-user. If the evfs user account or evfs group already exists on the system when
you initially install EVFS, you must configure a different user account and group for the EVFS
pseudo-user.
TIP: Skip this step if you can use the name evfs as the user and group name for the EVFS
pseudo-user.
If you cannot use evfs as the user and group name for the EVFS pseudo-user, use the following
procedure to configure alternative names:
a. Set the evfs_user attribute in the /etc/evfs/evfs.conf file to an alternate user name.
b. Create an alternate user group for the EVFS pseudo-user.
c. Create the alternative user account for the EVFS pseudo-user.
Step 1a: Setting the evfs_user attribute
Set the evfs_user attribute in the /etc/evfs/evfs.conf file to an alternative user name for
the EVFS pseudo-user.
Example
The following entry in the /etc/evfs/evfs.conf file sets the name of the EVFS pseudo-user to
my_evfs_user:
evfs_user = my_evfs_user
Step 1b: Creating the user group
Create a user group reserved for the EVFS pseudo-user.
Example
The following groupadd command creates the user group my_evfs_group:
# groupadd my_evfs_group
Step 1c: Creating the EVFS pseudo-user account
Create the alternate EVFS pseudo-user account with the following characteristics:
•
Name: This must match the value of the evfs_user attribute in the /etc/evfs/evfs.conf
file.
•
Password: Do not specify a password, and do not enable the password. The entry in
/etc/passwd will contain an asterisk in the password field.
•
User ID (UID): A unique ID greater than 100 so it does not conflict with UIDs reserved for
HP-UX system components. Do not use the superuser UID (0).
•
Group ID: Any. HP recommends that you create a new group reserved for the EVFS pseudo-user.
•
Gecos ID (comment field): Add a comment indicating that this account is used by EVFS.
•
Initial Working Directory: Any directory, such as /tmp or /home/evfs.
•
Shell: Non-interactive shell, such as /usr/bin/false or no shell.
Example
The following useradd command creates the user account my_evfs_user. The account name
my_evfs_user matches the value of the evfs_user attribute in the file /etc/evfs/evfs.conf.
# useradd -g my_evfs_group -c "EVFS pseudo-user" \
-d /tmp -s /usr/bin/false my_evfs_user
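One way to check an account against the Step 1c characteristics before starting EVFS. This is an added example, not part of the EVFS product; the function names and the sample evfs.conf and passwd lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example: check an EVFS pseudo-user account against the characteristics in Step 1c.
# Function names and sample data are constructed; nothing here ships with EVFS.

# stdin = evfs.conf text; prints the configured pseudo-user name (evfs when not set).
evfs_user_name() {
    awk '/^[ \t]*evfs_user[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v) }
         END { print (v == "" ? "evfs" : v) }'
}

# $1 = pseudo-user name, stdin = passwd-format lines; prints one finding per line.
audit_pseudo_user() {
    awk -F: -v want="$1" '
    $1 == want {
        found = 1
        if ($2 != "*")     print want ": password field is not an asterisk"
        if ($3 + 0 <= 100) print want ": UID " $3 " is not greater than 100"
        # The guide allows a non-interactive shell or no shell. As an assumption of this
        # check, only an empty field or a path ending in /false is accepted.
        if ($7 != "" && $7 !~ /\/false$/) print want ": shell " $7 " may be interactive"
    }
    END { if (!found) print want ": no passwd entry matches evfs_user" }'
}

# Constructed sample data.
CONF='evfs_user = my_evfs_user'
GOOD='my_evfs_user:*:105:201:EVFS pseudo-user:/tmp:/usr/bin/false'
BAD='my_evfs_user::0:3:EVFS pseudo-user:/tmp:/sbin/sh'

user=$(printf '%s\n' "$CONF" | evfs_user_name)
printf '%s\n' "$GOOD" | audit_pseudo_user "$user"    # prints nothing
printf '%s\n' "$BAD"  | audit_pseudo_user "$user"    # prints three findings
```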
Step 2: (Optional) Configuring alternate key database directories
EVFS stores user key data (public keys, private keys, and stored passphrases) in a key database.
By default, EVFS stores this database in subdirectories and files under the /etc/evfs/pkey
directory. EVFS then automatically creates a users subdirectory. You can modify the pub_key,
priv_key, and pass_key attribute statements in the /etc/evfs/evfs.conf file to configure
EVFS to store the key database in alternate directories.
TIP: Configuring alternate key database directories is optional, and you can skip this step in
most topologies.
You can use alternate database directories as follows:
•
Store public keys, private keys, and passphrase files in different directories according to data
type (key type or stored passphrase). For example, you can configure EVFS to store public
keys in a public directory because exposing public keys is not a security vulnerability.
•
Store public and private keys in distributed file directories. For example, you can configure
EVFS to store public and private keys in an NFS directory so that administrators can access
and use the same keys on multiple systems. This topology is useful when using EVFS with
Serviceguard.
NOTE: It is not efficient to store passphrase files in distributed directories. EVFS encrypts
passphrases with system-specific data, so you must generate a passphrase file on each system
where you want to use the file.
•
EVFS always creates new keys in the first directory. The fallback directory is kept for old keys
only. If you have old keys from previous releases in different directories, you must configure
those directories into priv_key, pub_key, pass_key, so that EVFS can successfully locate
them.
Syntax for pub_key, priv_key, and pass_key attribute statements
To configure EVFS to use alternate directories for the user keys and stored passphrases, you modify
the pub_key, priv_key, and pass_key attribute statements in the /etc/evfs/evfs.conf
file. The syntax for these attribute statements is as follows:
pub_key = library[pkeydir:key_directory,onfail:action]...
priv_key = library[pkeydir:key_directory,onfail:action]...
pass_key = library[pkeydir:key_directory,onfail:action]...
Each attribute statement must be on one input line, without line breaks or line continuation characters.
A statement can contain multiple library[specifications...] terms, separated by spaces.
A library[specifications] term cannot contain spaces.
The parameters have the following meanings:
pub_key
    Indicates that the attribute statement specifies EVFS behavior for user public keys.
priv_key
    Indicates that the attribute statement specifies EVFS behavior for user private keys.
pass_key
    Indicates that the attribute statement specifies EVFS behavior for passphrases that
    secure user private keys.
library
    Specifies the fully qualified pathname of the encryption and storage library.
    Valid values:
    /usr/lib/evfs/hpux64/libevfs_pkey.so (HP Integrity servers)
    /usr/lib/evfs/pa20_64/libevfs_pkey.sl (HP 9000 servers)
[
    Literal left square bracket.
key_directory
    Specifies the fully qualified pathname of the base directory in which to store key data,
    such as /etc/evfs/pkey. See “Key storage directory requirements” (page 31) for more
    information. EVFS automatically creates a users subdirectory under the key_directory
    to store the key files. Therefore, you do not need to include users in the path.
    If you want to use the autostart feature, the autostart option you specify in the
    /etc/evfs/evfstab file is determined by the location of the key_directory. See
    “Step 6: (Optional) Configuring the autostart feature” (page 34) for more information.
action
    Specifies the EVFS action if attempts to write to or read from the key_directory fail.
    continue  Causes EVFS to continue to the next library[specifications...] term.
    stop      Causes EVFS to stop processing and return an error.
]
    Literal right square bracket.
Key storage directory requirements
•
Directories used to store user keys and passphrases cannot be on EVFS volumes. EVFS cannot
access key files stored on an EVFS volume to enable the EVFS volume.
•
If there are file systems on EVFS volumes in the /etc/fstab file that you want the system to
mount at system startup, the key database must reside on the local root file system (the system
must be able to access the keys early in the system startup procedure).
•
If the private key directory is an NFS-mounted directory, the directory must be mounted with
read and write access so EVFS can re-encrypt the private key file as needed (the NFS server
must not export the directory with the ro flag).
•
HP recommends that the base directory is writable by superusers or users with appropriate
privileges only. For example, the /etc/evfs/pkey directory is installed with the following
permissions, owner, and group:
drwxr-xr-x 4 bin bin 96 Mar 16 17:26 pkey
Default pub_key, priv_key and pass_key attribute statements
The /etc/evfs/evfs.conf file installed with the EVFS product on HP Integrity servers contains
the following pub_key, priv_key, and pass_key attribute statements:
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
These statements configure EVFS to use the libevfs_pkey library to process all user key data
(public keys, private keys, and passphrase files), and to save all user key data in subdirectories
under the /etc/evfs/pkey/users directory (EVFS creates the users subdirectory). If EVFS
cannot access key data in the directory /etc/evfs/pkey, EVFS returns an error.
The /etc/evfs/evfs.conf file installed with the EVFS product on HP 9000 servers contains
equivalent statements, with the HP 9000 libevfs_pkey library,
/usr/lib/evfs/pa20_64/libevfs_pkey.sl.
Example: Alternate directory for public keys
The following attribute statements configure EVFS to store public keys in the user-created directory
/etc/evfs/mykeys/users and to store private keys and passphrase files in the directory
/etc/evfs/pkey/users:
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/mykeys,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
Example: NFS directory for public and private keys
The following attribute statements configure EVFS to store public and private keys in the NFS-mounted
directory /nfs_server1/etc/evfs/pkey/users and to store passphrase files in the local
directory /etc/evfs/pkey/users:
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/nfs_server1/etc/evfs/pkey,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/nfs_server1/etc/evfs/pkey,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
To use the autostart feature for volumes that have keys stored in NFS-mounted directories, you must
specify the boot_remote option in the /etc/evfs/evfstab file. For more information,
see “Step 6: (Optional) Configuring the autostart feature” (page 34).
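The syntax rules for the pub_key, priv_key, and pass_key statements can be checked mechanically before EVFS reads the file. The following linter is an added example, not an EVFS tool; the function names and the sample configuration are constructed, and the checks cover only the rules stated in this step.

```shell
#!/bin/sh
# Added example: lint pub_key / priv_key / pass_key statements against the documented syntax.
# Reads evfs.conf-style text on stdin and prints one finding per line (line number first).
lint_key_statements() {
    awk '
    /^[ \t]*(pub_key|priv_key|pass_key)[ \t]*=/ {
        attr = $0; sub(/[ \t]*=.*/, "", attr); sub(/^[ \t]*/, "", attr)
        rest = $0; sub(/^[^=]*=[ \t]*/, "", rest)
        if (rest ~ /\\$/) print NR ": " attr ": line continuation characters are not allowed"
        n = split(rest, term, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            t = term[i]; if (t == "") continue
            lb = index(t, "[")
            if (lb < 2 || substr(t, length(t)) != "]") {
                print NR ": " attr ": malformed term (space inside brackets?): " t; continue
            }
            lib = substr(t, 1, lb - 1)
            m = split(substr(t, lb + 1, length(t) - lb - 1), kv, ",")
            if (m != 2 || index(kv[1], "pkeydir:") != 1 || index(kv[2], "onfail:") != 1) {
                print NR ": " attr ": expected [pkeydir:key_directory,onfail:action]: " t; continue
            }
            dir = substr(kv[1], 9); act = substr(kv[2], 8)
            if (lib != "/usr/lib/evfs/hpux64/libevfs_pkey.so" &&
                lib != "/usr/lib/evfs/pa20_64/libevfs_pkey.sl")
                print NR ": " attr ": library is not a documented value: " lib
            if (dir !~ /^\//) print NR ": " attr ": key_directory is not fully qualified: " dir
            if (dir ~ /\/users\/?$/) print NR ": " attr ": omit users, EVFS appends it: " dir
            if (act != "continue" && act != "stop")
                print NR ": " attr ": invalid onfail action: " act
        }
    }'
}

# Constructed sample, not a real configuration: one valid two-term statement, one statement
# with three value errors, and one statement with a space inside the brackets.
sample_conf() {
    cat <<'EOF'
# constructed evfs.conf fragment
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/nfs_server1/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:etc/evfs/pkey/users,onfail:halt]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey, onfail:stop]
EOF
}

sample_conf | lint_key_statements
```

The linter cannot see whether a key directory sits on an EVFS volume or is exported read-only by an NFS server, so the key storage directory requirements still need a manual check.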
Step 3: (Optional) Modifying EVFS global parameters
Edit the /etc/evfs/evfs.conf file to modify EVFS global parameters. This step is optional,
and you can use the default attribute values for most installations. Three attributes you might want
to modify are:
•
data_cipher
The data_cipher attribute specifies the default data encryption algorithm (the algorithm
EVFS uses to encrypt volume data). You can also specify the data encryption when you enter
the evfsvol create command, as described in “Step 1: Configuring an EVS volume”
(page 45).
Valid values:
aes-128-cbc (128-bit AES CBC)
aes-192-cbc (192-bit AES CBC)
aes-256-cbc (256-bit AES CBC)
aes-128-cfb (128-bit AES CFB)
aes-192-cfb (192-bit AES CFB)
aes-256-cfb (256-bit AES CFB)
A longer key length provides more security, but slows data transfer rates.
Default: aes-128-cbc
•
file_cipher
The file_cipher attribute specifies the default file encryption algorithm (the algorithm EVFS
uses to encrypt file data). You can also specify the file encryption when you enter the evfsvol
create command, as described in “Step 1: Configuring an EVS volume” (page 45).
Valid values:
aes-128-cfb (128-bit AES CFB)
aes-192-cfb (192-bit AES CFB)
aes-256-cfb (256-bit AES CFB)
The following ciphers are valid only for IA:
aes-128-cbc (128-bit AES CBC)
aes-192-cbc (192-bit AES CBC)
aes-256-cbc (256-bit AES CBC)
A longer key length provides more security, but slows data transfer rates.
Default file cipher for PA: aes-128-cfb
Default file cipher for IA: aes-128-cbc
•
emd_backup
The emd_backup attribute specifies the directory EVFS uses to store backup images of EMD
data.
Default: /etc/evfs/emd
•
pbe
The pbe attribute specifies the encryption library EVFS uses to secure EVFS private keys. On
systems with HP-UX Trusted Computing Services (TCS), you can modify this attribute so that
EVFS uses TCS to secure EVFS private keys.
For more information about using TCS with EVFS, see the HP-UX TCS product documentation.
For a complete list of global parameters, see evfs.conf(4).
Step 4: Configuring FIPS compliant EVFS
TIP: Skip this step if you do not want EVFS to be FIPS compliant.
If you want EVFS to be FIPS compliant:
a. Configure HP-UX KCM to enable FIPS mode.
b. Restrict HP-UX EVFS using FIPS qualified cipher suites.
Step 4a: Configure HP-UX KCM to enable FIPS mode
For the steps to configure HP-UX KCM to enable FIPS mode, see the Configuring HP-UX KCM
section in the HP-UX Kernel Cryptographic Module User Guide.
Step 4b: Restrict HP-UX EVFS using FIPS qualified cipher suites
Edit the /etc/evfs/evfs.conf file and set the fips attribute to 1. The fips attribute is a flag
that restricts EVFS to FIPS qualified cipher suites only.
Step 5: Starting the EVFS subsystem
You must start the EVFS subsystem to create EVFS keys and volumes. Starting the EVFS subsystem
does not enable encryption of the EVFS volume. You must still create the EVFS volumes and enable
EVFS for each volume.
To start the EVFS subsystem, enter the following command:
evfsadm start [-n number_threads]
where:
-n number_threads
Specifies the number of threads to create for EVFS encryption and
decryption processing.
Range: On single-processor systems, 1 is the only valid value.
On multiprocessor systems, the maximum number of threads is the
number of processors in the system.
Default: On single-processor systems, the default is 1.
On multiprocessor systems, the default is the number of processors in
the system minus 1. Setting the number of threads to a lower value can
decrease EVFS throughput.
The evfsadm start command starts the EVFS subsystem by initializing the EVFS pseudo-driver
and starting the evfsevold process. The evfsevold process starts kernel threads for data
encryption and decryption. You must start the EVFS subsystem to generate EVFS user keys and
enable EVFS volumes. This command is automatically executed at system startup if EVFS is enabled
in the /etc/rc.config.d/evfs file. For more information about enabling EVFS to automatically
start at system startup, see “Step 6: (Optional) Configuring the autostart feature” (page 34).
CAUTION: Do not write to an encrypted volume when the EVFS subsystem is not running. Doing
so will cause data corruption.
Example
# evfsadm start
EVFS subsystem started.
Step 6: (Optional) Configuring the autostart feature
The EVFS autostart feature allows you to enable and mount EVFS volumes automatically at system
startup without manual intervention. You must use the autostart feature for EVFS volumes that have
file systems mounted at system startup (file systems with entries in the /etc/fstab file).
CAUTION: Using the autostart feature requires you to store passphrases, and stored passphrases
are security risks.
Use the following procedure to configure the autostart feature:
a. Enable EVFS in the /etc/rc.config.d/evfs file. Change the value for EVFS_ENABLED
to 1 as follows:
EVFS_ENABLED = 1
b. Modify the entries in the /etc/evfs/evfstab file for the EVS volumes that you want
enabled at system startup. You must add a key ID and the boot_local or boot_remote
option. The syntax for each entry is as follows:
v volume_path evfs_volume_path user_name.key_name options
where:
v
Specifies that the entry is for an EVFS volume. The EVFS subsystem automatically adds this
field to the /etc/evfs/evfstab file when you create the EVFS volume device files.
volume_path
The path for the underlying LVM, VxVM, or physical volume block device file, such as
/dev/vg01/lvol5, /dev/vx/dsk/rootdg/vol05, or /dev/dsk/c2t0d1. The EVFS subsystem
automatically adds this field to the /etc/evfs/evfstab file when you create the EVFS volume
device files.
evfs_volume_path
Specifies the absolute pathname for the EVFS volume block device file, such as
/dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1. The EVFS
subsystem automatically adds this field to the /etc/evfs/evfstab file when you create the
EVFS volume device file.
user_name.key_name
A valid key ID (user name and key pair name) for this EVFS volume. The key pair must have a
stored passphrase. EVFS uses the stored passphrase to decrypt the private key, then uses the
private key to enable the EVFS volume.
options
Following are the valid options for the autostart feature:
boot_local
Causes EVFS to enable the EVFS volume before local file systems in /etc/fstab are mounted
and before NFS and other networking subsystems are started. Use this flag if the private key
and stored passphrase used to enable the volume are located on the root disk of the local
system.
boot_local2
Enable the EVFS volume after local file systems in /etc/fstab are mounted and before NFS and
other networking subsystems are started. Use this flag if the private key and stored
passphrase used to enable the volume are located on a nonroot disk of the local system.
If you specify the boot_local2 option, the system will be unable to automatically mount a
file system on the EVFS volume as part of the system startup procedure and you must manually
mount the file system.
boot_remote
Enable the EVFS volume after NFS and other networking subsystems are started. Use this flag
if the private key or stored passphrase used to enable the volume is located on a remote
system, such as an NFS directory.
If you specify the boot_remote option, the system will be unable to automatically mount a
file system on the EVFS volume as part of the system startup procedure and you must manually
mount the file system.
See evfstab(4) for more information.
Example
The following entry in the /etc/evfs/evfstab file configures the autostart feature and uses
the init user's key initkey, which was created with a stored passphrase:
v /dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey boot_local
c. Verify that a stored passphrase exists for the key IDs specified in the /etc/evfs/evfstab
entries. If you did not store the passphrase when you created the key pair, use the evfspkey
passgen command to create a passphrase. See “Creating or changing a stored passphrase
for an existing key” (page 70).
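The following script is an added example, not part of this guide or of the EVFS product. It audits evfstab entries against the rules in steps b and c: device file naming, key ID form, valid boot option, and the boot_local2/boot_remote mount restriction. It assumes whitespace-separated fields, "#" comment lines, one option per entry, and that /etc/fstab names the /dev/evfs block device; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: audit autostart entries in an evfstab file.
# Assumptions (not from the guide): "#" starts a comment line, each entry carries
# a single option token, and fstab lists the /dev/evfs/... block device.

# audit_evfstab EVFSTAB FSTAB
# Prints one "LEVEL|evfs_volume_path|message" line per finding.
audit_evfstab() {
    awk '
    /^[ \t]*(#|$)/ { next }                              # skip comment and blank lines
    pass == 1 { if (NF >= 2) mounted[$1] = $2; next }    # fstab: device -> mount point
    $1 != "v" { next }                                   # only EVFS volume entries
    {
        vol = $2; evol = $3; key = $4; opt = $5; bad = 0

        # The guide pairs /dev/vg01/lvol5 with /dev/evfs/vg01/lvol5, and so on.
        expect = vol
        sub(/^\/dev\//, "/dev/evfs/", expect)
        if (evol != expect) {
            print "ERROR|" evol "|device file does not correspond to " vol
            bad = 1
        }

        # Three fields: the entry as EVFS created it, with no autostart settings.
        if (NF == 3) {
            if (evol in mounted)
                print "ERROR|" evol "|listed in fstab (" mounted[evol] ") without key ID and boot option"
            else
                print "INFO|" evol "|no autostart configured"
            next
        }

        if (key !~ /^[^.]+\..+$/) {
            print "ERROR|" evol "|key ID " key " is not user_name.key_name"
            bad = 1
        }
        if (opt !~ /^(boot_local|boot_local2|boot_remote)$/) {
            print "ERROR|" evol "|missing or unknown boot option: " opt
            bad = 1
        } else if (opt != "boot_local" && (evol in mounted)) {
            # boot_local2 and boot_remote enable the volume too late for fstab.
            print "WARN|" evol "|" opt " cannot auto-mount " mounted[evol] ", mount it manually"
        }
        # Step c: the key pair named in the entry must have a stored passphrase.
        if (!bad)
            print "CHECK|" evol "|confirm a stored passphrase exists for " key
    }' pass=1 "$2" pass=2 "$1"
}

# run_sample: build constructed sample files and audit them.
run_sample() {
    dir=${TMPDIR:-/tmp}/evfstab_audit.$$
    mkdir -p "$dir" || return 1
    cat > "$dir/evfstab" <<'EOF'
# constructed sample evfstab
v /dev/vg01/lvol5 /dev/evfs/vg01/lvol5 init.initkey boot_local
v /dev/vg01/lvol6 /dev/evfs/vg01/lvol6 init.initkey boot_remote
v /dev/vg01/lvol7 /dev/evfs/vg01/lvol7
v /dev/dsk/c2t0d1 /dev/evfs/dsk/c2t0d1 initkey boot_locl
EOF
    cat > "$dir/fstab" <<'EOF'
# constructed sample fstab
/dev/evfs/vg01/lvol5 /secure vxfs delaylog 0 2
/dev/evfs/vg01/lvol6 /remote vxfs delaylog 0 2
/dev/evfs/vg01/lvol7 /data vxfs delaylog 0 2
EOF
    audit_evfstab "$dir/evfstab" "$dir/fstab"
    rm -rf "$dir"
}

run_sample
```

On a live system, call audit_evfstab /etc/evfs/evfstab /etc/fstab and resolve every ERROR line before relying on autostart.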
Part II Encrypted Volume System (EVS)
Part II includes the following topics:
• “EVS keys and user privileges” (page 40)
• “Configuring an EVS volume” (page 45)
• “Administering EVS” (page 63)
• “Backing up and restoring data on EVS volumes” (page 78)
Contents
5 EVS keys and user privileges......................................................................40
User privileges and permissions................................................................................................40
EVS volume owner keys...........................................................................................................40
Recovery keys........................................................................................................................40
Authorized user keys...............................................................................................................40
Summary of key type and privileged user capabilities..................................................................40
Creating keys.........................................................................................................................41
Guidelines for creating user keys..........................................................................................41
Creating keys for EVS volume owners...................................................................................42
Example......................................................................................................................42
Creating recovery keys.......................................................................................................43
Storing the recovery user's private key..............................................................................43
Examples.....................................................................................................................43
Creating keys for authorized users........................................................................................43
Examples.....................................................................................................................44
6 Configuring an EVS volume.......................................................................45
Configuration overview............................................................................................................45
Option 1: Creating a new EVS volume......................................................................................45
Step 1: Configuring an EVS volume......................................................................................45
Step 1a: Creating an LVM or VxVM volume for EVFS.........................................................46
Examples................................................................................................................46
Step 1b: Creating EVS volume device files........................................................................46
Examples................................................................................................................47
Step 1c: Creating the EMD.............................................................................................47
Example..................................................................................................................48
Step 1d: (Optional) Adding recovery keys and authorized user keys....................................48
Step 1e: Enabling the EVS volume...................................................................................49
Example..................................................................................................................50
Step 2: Creating and mounting a file system on an EVS volume...............................................50
Step 2a: Creating a new file system with newfs.................................................................50
Example..................................................................................................................50
Step 2b: (Optional) Using fsck to check the file volume.......................................................51
Example..................................................................................................................51
Step 2c: Creating the mount point...................................................................................51
Example..................................................................................................................51
Step 2d: Mount the file system on the EVS volume.............................................................51
Example..................................................................................................................51
Step 2e: (Optional) Adding an entry to /etc/fstab.............................................................52
Example..................................................................................................................52
Step 3: Verifying the configuration.......................................................................................52
evfsadm stat -a..............................................................................................................52
evfsvol display evfs_volume_path.....................................................................................52
Verifying data encryption...............................................................................................53
Example..................................................................................................................54
Step 4: (Optional) Migrating existing data to an EVS volume...................................................54
Example......................................................................................................................54
Step 5: Backing up your configuration..................................................................................55
Option 2: Converting a volume with existing data to an EVS volume (inline encryption)...................55
Step 1: Preparing the file system and data.............................................................................55
Step 2: Performing inline encryption.....................................................................................56
iencrypt: Inline encryption..............................................................................................56
Suspending an ongoing inline encryption....................................................................57
Re-starting a suspended inline encryption....................................................................57
Step 3: Verifying the configuration.......................................................................................57
evfsadm stat -a..............................................................................................................57
evfsvol display evfs_volume_path.....................................................................................58
Verifying data encryption...............................................................................................58
Example..................................................................................................................59
Step 4: Backing up your configuration..................................................................................59
Examples...............................................................................................................................59
Option 1..........................................................................................................................60
Korn shell script for creating an EVS volume and file system................................................61
Option 2..........................................................................................................................61
7 Administering EVS....................................................................................63
Starting and stopping EVFS......................................................................................................63
Enabling encryption and decryption access to EVS volumes.....................................................64
Disabling encryption and decryption access to EVS volumes....................................................64
Stopping the EVFS subsystem...............................................................................................65
Opening raw access to EVS volumes....................................................................................65
Closing raw access to EVS volumes......................................................................................66
Managing EVFS keys and users................................................................................................66
Displaying key IDs for an EVS volume...................................................................................66
Syntax.........................................................................................................................67
Example......................................................................................................................67
Restoring user keys.............................................................................................................67
Changing owner keys for an EVS volume..............................................................................68
Recovering from problems with owner keys............................................................................69
Removing keys from an EVS volume......................................................................................69
Removing user keys or stored passphrase from the EVFS key database......................................69
Changing the passphrase for a key......................................................................................70
Creating or changing a stored passphrase for an existing key..................................................70
Recovering from EMD corruption...............................................................................................71
EMD backup directory........................................................................................................71
Removing a volume from the EVFS subsystem..............................................................................72
Exporting and importing EVS volumes.......................................................................................72
Exporting an EVS volume....................................................................................................73
Importing an EVS volume....................................................................................................75
Resizing EVS volumes and file systems.......................................................................................76
LVM Example: Increasing volume and file system sizes............................................................76
Correct........................................................................................................................76
Incorrect......................................................................................................................77
8 Backing up and restoring data on EVS volumes............................................78
Backing up EVS volumes.........................................................................................................78
Backups using LVM mirrored volumes....................................................................................80
Creating encrypted backup media on a Non-EVFS device (LVM mirrored volumes) ................81
Example..................................................................................................................82
Creating encrypted backup media on a second EVS volume using a block device utility (LVM
mirrored volumes)..........................................................................................................82
Example..................................................................................................................84
Creating encrypted backup media on a second EVS volume using a file utility (LVM mirrored
volumes)......................................................................................................................84
Example..................................................................................................................85
Creating cleartext backup media (LVM mirrored volumes)...................................................86
Example: Block device utility......................................................................................86
Example: File utility...................................................................................................86
Backups using VxVM mirrored volumes.................................................................................87
Creating encrypted backup media on a non-EVFS device (VxVM mirrored volumes)...............87
Example..................................................................................................................88
Creating encrypted backup media on a second EVS volume using a block device utility (VxVM
mirrored volumes)..........................................................................................................89
Example..................................................................................................................90
Creating encrypted backup media on a second EVS volume using a file utility (VxVM mirrored
volumes)......................................................................................................................91
Example..................................................................................................................92
Creating cleartext backup media (VxVM mirrored volumes)................................................93
Example: Block device utility...........................................................................................93
Example: File utility.......................................................................................................93
Backups using nonmirrored volumes.....................................................................................94
Creating encrypted backup media to a non-EVFS device (nonmirrored volumes)....................94
Example..................................................................................................................95
Creating encrypted backup media on a second EVS volume using a block device utility
(nonmirrored volumes)...................................................................................................95
Example..................................................................................................................96
Creating encrypted backup media on a second EVS volume using a file utility (nonmirrored
volumes)......................................................................................................................96
Example..................................................................................................................97
Creating cleartext backup media to a non-EVFS device (nonmirrored volumes)......................97
Restoring backup media..........................................................................................................97
Restoring encrypted backup media from a non-EVFS device to an EVS volume...........................97
Example......................................................................................................................98
Restoring backup data from an EVS volume to an EVS volume.................................................98
Example......................................................................................................................99
5 EVS keys and user privileges
EVFS defines the following types of user keys and restricts the execution of EVFS commands based
on these keys and HP-UX user privileges:
• EVS volume owner keys
• Recovery keys
• Authorized user keys
User privileges and permissions
Some EVFS commands do not require user keys. Only users with the appropriate privileges can
execute these commands. By default, the appropriate privilege required for these EVFS commands
is superuser privilege. For more information about HP-UX privileges, see the privileges(5) manpage.
To perform operations on EVS volumes and other volumes, users must also have the appropriate
file access permissions for the associated device files. In most installations, users who want to
perform operations on EVS volumes must have superuser privileges.
NOTE: EVFS user keys restrict execution of EVFS commands only. Read, write and execute access
to data on EVS volumes is still restricted by normal HP-UX file permissions and access controls.
EVS volume owner keys
When you create an EVS volume, you specify the volume owner key or owner key for the volume.
The user who owns the volume owner key (the volume owner) can use the key to perform
administrative operations on an EVS volume, including enabling and disabling EVS for the volume.
The owner can also add additional key records to the EMD.
Recovery keys
A recovery key enables you to change a volume or file owner key. Only the recovery key and the
owner key can be used to change the owner key of an EVS volume or an encrypted file. The only
operation you can perform with a recovery key is to change the owner key for an EVS volume or
an encrypted file.
At installation, EVFS creates an EVFS pseudo-user account, evfs, if it does not already exist.
Recovery keys are owned by this pseudo-user.
HP recommends that you configure a recovery key for each EVS volume, but configuring recovery
keys is not mandatory for normal EVS operation. You can configure up to two recovery key pairs
per EVS volume.
Authorized user keys
A volume owner can configure additional user keys to use to perform administrative operations
on the EVS volume. These user keys are authorized user keys for the volume.
A user with an authorized user key and the appropriate file system permissions for the volume
device files can perform the same EVS operations that the holder of an owner key can perform,
except changing the EVS volume owner, adding and deleting additional keys to a volume, and
destroying the EVS volume by removing the EMD.
Summary of key type and privileged user capabilities
Table 1 summarizes the capabilities for the different key types and for users with superuser privileges
or the appropriate privileges.
Table 1 Key types and user capabilities

Key type/user type: Superuser or appropriate privileges and file permissions for the device files
Capabilities:
Any user with superuser privileges or the appropriate privileges and file permissions can
perform the following tasks (no EVFS key is required):
• Start or stop the EVFS subsystem
• Map volumes to EVFS (create EVFS device files)
• Create user keys for other users
• Display information about EVS volumes
• Restore an EVS volume's EMD

Key type/user type: Owner Key
Capabilities:
If a user has the owner key for an EVS volume and the appropriate file permissions for
the device file, the user can perform the following tasks:
• Enable and disable EVS volumes
• Add and remove authorized user keys to EVS volumes
• Change the owner of an EVS volume
• Destroy an EVS volume (remove the EMD; the data is irrecoverable)
• Perform inline encryption
The user can also perform tasks that do not require EVS keys, such as displaying
information about EVS volumes.

Key type/user type: Recovery Key
Capabilities:
If a user has the recovery key for an EVS volume and the appropriate file permissions
for the device file, the user can change the owner of an EVS volume.
The user can also perform tasks that do not require EVS keys, such as displaying
information about EVS volumes.

Key type/user type: Authorized user Key
Capabilities:
If a user has an authorized user key for an EVS volume and the appropriate file
permissions for the device file, the user can enable and disable EVS volumes (note that
some backup procedures require the user to disable and enable the volume).
The user can also perform tasks that do not require EVFS keys, such as displaying
information about EVS volumes.
Creating keys
Each user key pair has a key name. The default key name is the name of the user for whom the
key pair is created.
This section addresses the following topics:
• “Guidelines for creating user keys” (page 41)
• “Creating keys for EVS volume owners” (page 42)
• “Creating recovery keys” (page 43)
• “Creating keys for authorized users” (page 43)
Guidelines for creating user keys
Use the following guidelines to determine the number and types of user keys to create.
• At a minimum, you must create one user key pair (public/private key pair) for the EVS volume
owner.
• You can use one key pair for multiple EVS volumes, but using a unique key pair for each EVS
volume is more secure.
• HP recommends that you create at least one recovery key pair. You can use a recovery key
to assign a new owner to a volume if the owner key pair is lost or compromised. HP
recommends that you store the private recovery key off line.
• To use the autostart feature, you must create a passphrase file. Passphrase files are a security
risk. If you use a passphrase file, you can reduce the security risk by creating a user key pair
for an authorized user and creating the passphrase file for the authorized user key pair instead
of the owner key pair.
• To create encrypted backup media on a tape device, a user must have an authorized user
key pair for the volume. (The user must execute the evfsvol disable command as part of
the backup procedure, which requires an EVFS authorized user key or owner key pair.)
Creating and configuring an authorized user key pair will enable a non-owner to create
encrypted backup media.
• You can create multiple key pairs for each user. For example, if a user is the owner of multiple
EVS volumes, you can create a unique key pair for each volume that the user owns.
Creating keys for EVS volume owners
Use the following evfspkey keygen command to create key pairs for EVS volume owners:
evfspkey keygen [-r | [-p [-u user] | -s [-u user]] [-c cipher] [-k keyname] [-m keywrap]
where:
-p
Causes evfspkey to prompt for passphrase. The evfspkey utility prompts you
for a passphrase and stores the passphrase in an encrypted file. The passphrase
must contain at least eight characters.
CAUTION: A stored passphrase enables you to use the EVFS autostart feature
but it is a security risk.
-s
Causes evfspkey to generate a passphrase automatically. The evfspkey utility
generates a passphrase for you and stores the passphrase in an encrypted file.
-c cipher
Specifies the type of public/private (cipher) keys to create.
Valid values:
rsa-1024 (RSA 1024-bit keys)
rsa-1536 (RSA 1536-bit keys)
rsa-2048 (RSA 2048-bit keys)
Default for PA: rsa-1536
Default for IA: rsa-2048
-u user
Specifies the user name of the key owner. If you do not specify -u user,
evfspkey uses your user name as the key owner. You must have superuser
privileges or the appropriate privileges to create a key pair for another user.
-k keyname
Specifies the key name. If you do not specify -k keyname, evfspkey uses the
user name as the key name.
Valid value: An ASCII string, 1 to 255 characters long.
-m keywrap
Specifies the module used to decrypt or encrypt private keys.
NOTE: Do not use the -s option when creating a key pair for an EVS volume owner. The -s
option does not prompt for a passphrase. It automatically generates the passphrase, so there is
no way for you to know the passphrase. You must know the owner key's passphrase when creating
an EVS volume.
Example
In the following example, the root user creates a key with the key name rootkey1:
# evfspkey keygen -k rootkey1
Enter passphrase:(enter a passphrase)
Re-enter passphrase:(re-enter the passphrase to confirm it)
Public/Private key pair "root.rootkey1" has been successfully generated.
(The evfspkey utility shows the key ID, which is the owner name, root,
and the key name, rootkey1.)
Creating recovery keys
Creating recovery keys is optional, but HP recommends that you create at least one recovery key
pair.
Use the following evfspkey keygen command to create a public/private key pair for the
recovery user. The evfspkey utility will prompt you for a passphrase to secure the private key.
The passphrase must contain at least eight characters.
You must have superuser privileges or the appropriate privileges to create a key for the recovery
user.
evfspkey keygen -c rsa-2048 -r [-k keyname]
where:
-r
Specifies that the key pair created is a recovery key pair.
-k keyname
Key name. If you do not specify -k keyname, evfspkey uses the EVFS
pseudo-user name (evfs) as the key name.
Valid value: An ASCII string, 1 to 255 characters long.
Storing the recovery user's private key
When you create the key pair for the recovery user, evfspkey saves the private key in the current
working directory with the file name key_name.priv, or evfs.priv by default. Store this
private key off line. Copy the private key to removable media, and delete the private key on the
local system.
Examples
In the following example, the user creates a recovery key. The evfspkey utility saves the private
key in the current directory with the file name evfs.priv. Store this file off line.
# evfspkey keygen -c rsa-2048 -r
In the following example, the user creates a second recovery key. The evfspkey utility saves the
private key in the current directory with the file name evfs2.priv. Store this file off line.
# evfspkey keygen -c rsa-2048 -r -k evfs2
Creating keys for authorized users
Creating keys for authorized users is optional. A user with an authorized user key can enable and
disable encryption and decryption access to an EVS volume, but cannot change the EVS volume
owner, destroy a volume, or add and delete keys to a volume.
Use the following evfspkey keygen command to create key pairs for authorized users:
evfspkey keygen [-r | [-p [-u user] | -s [-u user]] [-c cipher] [-k keyname] [-m keywrap]
where:
-p
Causes evfspkey to prompt for passphrase. The evfspkey utility will prompt
you for a passphrase and store the passphrase in an encrypted file. The
passphrase must contain at least eight characters.
CAUTION: A stored passphrase enables you to use the EVFS autostart feature
but it is a security risk.
-s
Causes evfspkey to generate a passphrase automatically. The evfspkey utility
will generate a passphrase for you and store the passphrase in an encrypted file.
-c cipher
Specifies the type of public/private (cipher) keys to create.
Valid values:
rsa-1024 (RSA 1024-bit keys)
rsa-1536 (RSA 1536-bit keys)
rsa-2048 (RSA 2048-bit keys)
Default for PA: rsa-1536
Default for IA: rsa-2048
-u user
Specifies the user name of the key owner. If you do not specify -u user,
evfspkey uses your user name as the key owner. You must have superuser
capability or the appropriate privileges to create a key pair for another user.
-k keyname
Specifies the key name. If you do not specify -k keyname, evfspkey uses the
user name as the key name.
Valid value: An ASCII string, 1 to 255 characters long.
-m keywrap
Specifies the module used to decrypt/encrypt private keys.
Examples
In the following example, the root user creates a key for the user init with the key name
initkey. The key will be used for the autostart feature. The evfspkey utility generates a
passphrase and stores the passphrase.
# evfspkey keygen -s -u init -k initkey
Public/Private key pair "init.initkey" has been successfully generated.
In the following example, the root user creates a key for the user mittal-musa. The key name
is also mittal-musa.
# evfspkey keygen -u mittal-musa
Enter passphrase:(enter a passphrase)
Re-enter passphrase:(re-enter the passphrase to confirm it)
Public/Private key pair "mittal-musa.mittal-musa" has been
successfully generated.
6 Configuring an EVS volume
This chapter describes how to configure an EVS volume after preparing EVFS for configuration.
This chapter addresses the following topics:
• “Configuration overview” (page 45)
• “Option 1: Creating a new EVS volume” (page 45)
• “Option 2: Converting a volume with existing data to an EVS volume (inline encryption)” (page 55)
• “Examples” (page 59)
Configuration overview
There are two procedures to configure an EVS volume:
• Option 1: Creating a new EVS volume
This procedure creates a new EVS volume. Use this option to create an EVS volume on an
unused LVM, VxVM or physical volume. After you have created the EVS volume, you can
migrate existing data to the new EVS volume.
CAUTION: You cannot create an LVM or VxVM volume above an EVS volume.
You can create an EVS volume on an existing LVM, VxVM, or physical volume, but any existing
data on the volume is rendered unusable.
• Option 2: Converting a volume with existing data into an EVS volume (Inline Encryption)
This procedure converts a volume with existing data into an EVS volume using the inline
encryption feature.
IMPORTANT: To use inline encryption, 3 MB of spare disk space are required at the end of
the volume, and the minimum volume size must be 4 MB. If the entire volume is used, extend
the volume using lvextend for LVM, or vxassist for VxVM.
NOTE: The inline encryption process takes approximately 1.2 minutes per GB on a 4-CPU
rx4640. Actual performance times vary depending on usage and configuration.
Option 1: Creating a new EVS volume
This section describes how to create a new EVS Volume. This section addresses the following topics:
• “Step 1: Configuring an EVS volume” (page 45)
• “Step 2: Creating and mounting a file system on an EVS volume” (page 50)
• “Step 3: Verifying the configuration” (page 52)
• “Step 4: (Optional) Migrating existing data to an EVS volume” (page 54)
• “Step 5: Backing up your configuration” (page 55)
Before using this procedure, you must complete the tasks in Chapter 4 (page 28).
Step 1: Configuring an EVS volume
Use the following procedure to configure an EVS volume.
a. Create an LVM or VxVM volume for the EVS volume if you are not using whole disk access.
b. Create EVS volume device files by mapping the LVM, VxVM, or physical volume to EVFS.
c. Create the EMD area on the EVS volume.
d. (Optional) Add recovery keys and authorized user keys.
e. Enable the EVS volume.
Step 1a: Creating an LVM or VxVM volume for EVFS
Skip this step if you are not using LVM or VxVM (if you are directly accessing the whole physical
disk as a physical volume). You will create the EVS volume directly above the physical volume in
the next step.
If you are using LVM or VxVM (you are not directly accessing the physical disk as a physical
volume), use the lvcreate or vxassist command to create a new LVM or VxVM volume to
use for the EVS volume. Include 1 MB for the EVFS Encryption Metadata (EMD) area. For more
information, see lvcreate(1M) or vxassist(1M).
Mirrored volumes
To use an LVM or VxVM mirrored volume for the EVS volume, create or enable mirroring on the
volume before configuring EVFS on the volume. Use the appropriate LVM command (lvcreate
-m or lvextend -m) or VxVM command (vxassist mirror or vxplex att).
CAUTION:
You cannot create an LVM or VxVM volume above an EVS volume.
You can create an EVS volume on an existing LVM, VxVM, or physical volume, but any existing
data on the volume is rendered unusable.
Examples
In the following example, the user creates a new LVM volume in the vg01 volume group:
# lvcreate -L 64 -n lvol5 vg01
Logical volume "/dev/vg01/lvol5" has been successfully created with
character device "/dev/vg01/rlvol5".
Volume Group configuration for /dev/vg01 has been saved in
/etc/lvmconf/vg01.conf
In the following example, the user creates a new VxVM volume in the rootdg disk group:
# vxassist -g rootdg make vol05 64m
Step 1b: Creating EVS volume device files
Use the evfsadm map command to create the EVS volume device files by mapping the LVM,
VxVM, or physical volume to EVFS.
You cannot use EVFS with the following objects:
• Files or disk areas used during system boot. This includes the following objects:
◦ the root disk (/)
◦ the boot disk
◦ the HP-UX kernel directory (/stand)
◦ the /usr directory
EVFS cannot decrypt the kernel or other data before the system boots.
CAUTION: Encrypting the boot disk makes the boot disk unusable and prevents you from
booting the system.
• Swap space (swap devices or file swap space).
CAUTION: Encrypting swap space can cause the system to panic.
• Dump devices.
The syntax of the evfsadm map command is as follows:
evfsadm map volume_path
where:
volume_path
Specifies the absolute path of the block device file for the underlying LVM,
VxVM, or physical volume, such as /dev/vx/dsk/rootdg/vol01,
/dev/vg01/lvol5, or /dev/dsk/c2d0t0.
The evfsadm map command maps the underlying LVM, VxVM, or physical volume to an EVS
volume. The command also creates a block and a character (raw) device file for the EVS volume and
adds them to the kernel registry. The evfsadm command stores the EVS volume device files using
the same file names as the underlying volume block and character device files, but in subdirectories
under the /dev/evfs directory instead of the /dev directory. Once the volume is mapped, access
to both the underlying volume path (/dev/disk) and the EVS volume path (/dev/evfs/disk)
is shared. HP recommends that you use the EVS volume path (for example, /dev/evfs/disk).
NOTE:
The maximum number of volumes that the system can map to EVFS is 1023.
Examples
In the following example, the user maps the LVM volume /dev/vg01/lvol5 to an EVS volume:
# evfsadm map /dev/vg01/lvol5
Logical volume "/dev/vg01/lvol5" has been successfully mapped
to encrypted volume "/dev/evfs/vg01/lvol5".
The evfsadm utility creates the following EVS volume device files:
/dev/evfs/vg01/lvol5
/dev/evfs/vg01/rlvol5
In the following example, the user maps the VxVM volume /dev/vx/dsk/rootdg/vol05 to an
EVS volume:
# evfsadm map /dev/vx/dsk/rootdg/vol05
Logical volume "/dev/vx/dsk/rootdg/vol05" has been successfully mapped
to encrypted volume "/dev/evfs/vx/dsk/rootdg/vol05".
The evfsadm utility creates the following EVS volume device files:
/dev/evfs/vx/dsk/rootdg/vol05
/dev/evfs/vx/rdsk/rootdg/vol05
In the following example, the user maps the physical volume /dev/dsk/c2t0d0 to an EVS
volume:
# evfsadm map /dev/dsk/c2t0d0
Logical volume "/dev/dsk/c2t0d0" has been successfully mapped to
encrypted volume "/dev/evfs/dsk/c2t0d0".
The evfsadm utility creates the following EVS volume device files:
/dev/evfs/dsk/c2t0d0
/dev/evfs/rdsk/c2t0d0
Step 1c: Creating the EMD
Use the evfsvol create command to create the EMD area on the EVS volume and specify the
owner key pair for the volume:
evfsvol create -k keyname [-c cipher] evfs_volume_path
where:
-k keyname
Specifies the key pair name. The evfsadm utility creates the EMD area
with the keyname as the owner key. For information about user keys,
see “Creating keys” (page 41).
-c cipher
Specifies the cipher (cryptography) algorithm EVFS uses to encrypt the
volume data.
Valid values:
aes-128-cbc (128-bit AES CBC)
aes-192-cbc (256-bit AES CBC)
aes-256-cbc (256-bit AES CBC)
aes-128-cfb (128-bit AES CFB)
aes-192-cfb (256-bit AES CFB)
aes-256-cfb (256-bit AES CFB)
A longer key length provides more security, but it slows data transfer
rates.
Default: The value of the data_cipher attribute in the /etc/evfs/evfs.conf
file. The default value for this attribute is aes-128-cbc.
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file, such as
/dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1.
CAUTION: The evfsvol create command overwrites any existing data on the volume.
If you have existing data that you want to protect with EVFS, you must use one of the following
methods:
• Use option 1 to create an EVS volume on an unused LVM, VxVM, or physical volume and
then copy the data to the EVS volume.
• Use option 2 to convert an existing volume into an EVS volume.
For more information, see “Configuration overview” (page 45).
When the evfsvol utility creates the EMD, it:
• Reads operating parameters from the /etc/evfs/evfs.conf file, such as the data
encryption algorithm for the volume, and writes them to the EMD.
• Generates the volume encryption key (the symmetric key used to encrypt the volume data).
• Creates a key record for the owner by encrypting the volume encryption key using the owner's
public key. The evfsvol utility then writes this key record to the EMD.
Example
The root user enters the following evfsvol create command. EVFS creates the EMD and
overwrites any existing data on the volume. The owner key for the volume will be root.rootkey1.
# evfsvol create -k rootkey1 /dev/evfs/vg01/lvol5
Enter owner passphrase:(Enter the passphrase for rootkey1.)
Encrypted volume "/dev/evfs/vg01/lvol5" has been successfully created.
Step 1d: (Optional) Adding recovery keys and authorized user keys
Optionally, use the evfsvol add command to add recovery and authorized user key pairs to
the EVS volume. HP recommends that you add a recovery key pair to each EVS volume.
i. Use the following command to add a recovery key pair:
evfsvol add -r [-k keyname] evfs_volume_path
where:
-r
Specifies that the key pair is a recovery key pair.
-k keyname
Specifies the name of the key pair to add. If you do not specify -k
keyname, evfsvol uses the EVFS pseudo-user (evfs) as the key
owner and key name. You can configure up to two recovery keys
per EVS volume. For information about user keys, see “Creating
keys” (page 41).
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file,
such as /dev/evfs/vg01/lvol5,
/dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
You must be the owner of the EVS volume to add a recovery key. If you do not have a stored
passphrase for the owner key, evfsvol prompts you for the passphrase.
Example
The following command adds the default recovery key to the /dev/evfs/vg01/lvol5
volume. The default recovery key owner and key name is evfs.
# evfsvol add -r /dev/evfs/vg01/lvol5
Enter owner passphrase:
(Enter the passphrase for the recovery key evfs.)
Key "evfs.evfs" has been successfully added to encrypted volume
"/dev/evfs/vg01/lvol5".
ii. Use the following command to add authorized user key pairs for the EVS volume. Authorized
users can perform all the operations on the EVS volume that the owner can, except changing
the EVS volume owner, adding keys to the volume, and destroying the EMD.
evfsvol add -u user [-k keyname] evfs_volume_path
where:
-k keyname
Specifies the name of the key to add. If you do not specify -k
keyname, evfsvol uses your user name as the key name.
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file,
such as /dev/evfs/vg01/lvol5,
/dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/rdsk/c2t0d1.
You must be the owner of the EVS volume to add an authorized user key. If you do not have
a stored passphrase for the owner's private key, evfsvol prompts you for the passphrase.
Example
In the following example, the EVS volume owner adds an authorized user key pair to the EMD:
# evfsvol add -u init -k initkey /dev/evfs/vg01/lvol5
Enter owner passphrase:
(Enter the passphrase for the owner's key.)
Key ID "init.initkey" has been successfully added to encrypted volume
"/dev/evfs/vg01/lvol5"
Step 1e: Enabling the EVS volume
Use the evfsvol enable command to enable encryption and decryption access for the EVS
volume:
evfsvol enable [-p]|[-k keyname] evfs_volume_path
where:
-p
Specifies non-interactive mode. EVFS uses the key ID from the
/etc/evfs/evfstab file and uses a stored passphrase. To use this option,
you must add a key ID to the entry in the /etc/evfs/evfstab file
for this volume and have a stored passphrase for the private key. If you
do not specify this option, evfsvol prompts you for the passphrase for
the private key.
-k keyname
Specifies the name of the key pair to use. This must be the owner key
or the key of an authorized user for this EVS volume. If you do not specify
-k keyname, evfsvol uses your user name as the key name.
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file, such as
/dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1.
To enable the EVS volume, the evfsvol utility:
• Retrieves the passphrase for the owner or authorized user's private key by prompting the user
for the passphrase or by using system data to decrypt the stored passphrase.
• Uses the passphrase to decrypt the owner or authorized user's private key.
• Uses the private key to decrypt the volume encryption key in the appropriate key record. EVFS
can now use the volume encryption key to encrypt and decrypt the volume data.
NOTE: On IA, if the algorithm used to create the message digest value for EMD is SHA1, EMD
and its backup are updated with the digest value re-computed using SHA2.
Example
The root user enters the following command to enable the EVS volume:
# evfsvol enable -k rootkey1 /dev/evfs/vg01/lvol5
Enter user passphrase:
(Enter the passphrase for the key rootkey1.)
Encrypted volume "/dev/evfs/vg01/lvol5" has been successfully enabled.
Step 2: Creating and mounting a file system on an EVS volume
Use the following procedure to create and mount a file system on an EVS volume. This procedure
is the same as the one used to create and mount a file system on an LVM, VxVM, or physical
volume except that you specify the EVFS character (raw) and block volume device files instead of
the LVM, VxVM, or physical device files.
a. Use the newfs command to create a new file system on the character (raw) EVS volume.
b. (Optional) Use the fsck command to check the integrity of the file volume.
c. Use the mkdir command to create a mount point for the new file system.
d. Mount the file system on the EVS volume.
e. (Optional) Add an entry to the /etc/fstab file for the encrypted volume.
Step 2a: Creating a new file system with newfs
Use the newfs command to create a new file system on the character (raw) EVS volume. For
example:
newfs [-F file_sys_type] raw_evfs_volume_path
where:
-F file_sys_type
Specifies the file system type. This must be a file system type
supported by the underlying LVM, VxVM, or physical volume,
such as hfs or vxfs.
raw_evfs_volume_path
Specifies the absolute pathname of the character (raw) EVS volume
device file, such as /dev/evfs/vg01/rlvol5,
/dev/evfs/vx/rdsk/rootdg/vol05, or /dev/evfs/rdsk/c2t0d1.
Example
The following example creates a new file system on the character (raw) EVS volume
/dev/evfs/vg01/rlvol5 (the underlying volume is an LVM volume).
# newfs -F vxfs /dev/evfs/vg01/rlvol5
The following example creates a new file system on the character (raw) EVS volume
/dev/evfs/vx/rdsk/rootdg/vol05 (the underlying volume is a VxVM volume).
# newfs -F vxfs /dev/evfs/vx/rdsk/rootdg/vol05
Step 2b: (Optional) Using fsck to check the file volume
Optionally, use the fsck command to check the integrity of the file volume:
fsck [-F file_sys_type] raw_evfs_volume_path
where:
-F file_sys_type
Specifies the file system type. This must be a file system type
supported by the underlying LVM, VxVM, or physical volume,
such as hfs or vxfs. If you do not specify this option, fsck uses
the file system type from the corresponding entry in the /etc/fstab
file. For more information, see fsck(1m).
raw_evfs_volume_path
Specifies the absolute pathname for the character (raw) EVS
volume device file, such as /dev/evfs/vg01/rlvol5,
/dev/evfs/vx/rdsk/rootdg/vol05, or /dev/evfs/rdsk/c2t0d1.
Example
The following example checks the integrity of the file system on the EVS volume created in the
previous step:
# fsck /dev/evfs/vg01/rlvol5
Step 2c: Creating the mount point
Use the mkdir command to create the mount point. For example:
mkdir mount_point
where:
mount_point
Specifies the path for the mount point.
Example
The following command creates the mount point /opt/encrypted_data:
# mkdir /opt/encrypted_data
Step 2d: Mount the file system on the EVS volume
Mount the file system on the EVS volume:
mount [-F file_sys_type] evfs_volume_path mount_point
where:
-F file_sys_type
Specifies the file system type. If you do not specify this option, the mount
command uses the file system type from the corresponding entry in
/etc/fstab. For more information, see mount(1m).
evfs_volume_path
Specifies the absolute pathname for the EVFS volume device file, such
as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1.
mount_point
The path for the mount point.
Example
The following command mounts the EVFS-based file system on the mount point created in the
previous step:
# mount -F vxfs /dev/evfs/vg01/lvol5 /opt/encrypted_data
Step 2e: (Optional) Adding an entry to /etc/fstab
Optionally, add an entry to the /etc/fstab file for the encrypted volume. The system can use
this entry for the mount -a command (mount all file systems in the /etc/fstab file) or to
automatically mount the file system at system startup. For file systems on EVS volumes in the
/etc/fstab file that you want the system to mount at system startup, the key database must reside on
the local root file system (the system must be able to access the keys early in the system startup
procedure).
The syntax for the entry is as follows:
evfs_volume_path mount_point file_sys_type [options]
where:
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file, such as
/dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1.
mount_point
The path for the mount point.
file_sys_type
The file system type. This must be a file system type supported by the
underlying LVM, VxVM, or physical volume, such as hfs or vxfs.
options
Options for the entry. For more information, see fstab(4).
Example
The administrator adds the following entry for the new file system in the /etc/fstab file:
/dev/evfs/vg01/lvol5 /opt/encrypted_data vxfs defaults 0 2
Step 3: Verifying the configuration
Use the following commands to verify your EVFS configuration:
• evfsadm stat -a
• evfsvol display evfs_volume_path
evfsadm stat -a
After you access data or mount a file system on an EVS volume that is correctly configured, the
output for the evfsadm stat -a command shows nonzero values for the number of blocks read
(bpr), written (bpw), decrypted (bpd), and encrypted (bpe). The output is similar to the following:
# evfsadm stat -a
----- EVFS statistics -----
Total EVFS Volumes:         1
EVFS Subsystem Status:      up
Active Encryption Threads:  2
---- EVFS Volume Name ----|--- State ---|---------------- Queues -------------|
                                               orr      owr      odr      oer
/dev/evfs/vg01/lvol5       enabled               0        0        0        0
---- EVFS Volume Name ----|--- State ---|-------------- Counters -------------|
                                               bpr      bpw      bpd      bpe
/dev/evfs/vg01/lvol5       enabled            2074    52441      362    52345
---- EVFS Volume Name ----|--- State ---|---------------- Rates --------------|
                                             kbpsr    kbpsw    dkbps    ekbps
/dev/evfs/vg01/lvol5       enabled              25        3      362       34
For descriptions of the output fields, see “Displaying I/O and encryption statistics (evfsadm stat)”
(page 149).
evfsvol display evfs_volume_path
The evfsvol display evfs_volume_path command displays information about the EVS
volume, including the name of the underlying LVM, VxVM, or physical volume device file, and the
names of the keys configured for the EVS volume. The output for the evfsvol display
evfs_volume_path is similar to the following:
# evfsvol display /dev/evfs/vg01/lvol5
EVFS Volume Name:           /dev/evfs/vg01/lvol5
Mapped Volume Name:         /dev/vg01/lvol5
EVFS Volume State:          enabled
EMD Size (Kbytes):          520
Max User Envelopes:         1024
Data Encryption Cipher:     aes-128-cbc
Digest:                     sha2
Owner Key ID:               root.rootkey1
Recovery Agent Key IDs:     evfs.evfs
Total Recovery Agent Keys:  1
User Key IDs:               init.initkey
Total User Keys:            1
For more information, see “Displaying EVFS volume keys and operating parameters (evfsvol
display)” (page 151).
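The following script is an added example, not part of the HP guide: it reads evfsvol display output and reports volumes that have no recovery key, an EMD digest of sha1, or a cipher other than the one a site requires. It assumes each field is printed as "Label: value" on one line and that a SHA1 digest is shown as sha1; the function names and the choice of checks are this example's own.

```shell
#!/bin/sh
# Added example: audit the text printed by "evfsvol display".
# Field labels come from the sample output in this guide. The function names
# and the choice of checks are assumptions of this example.

# sample_display: the sample output from this guide, one field per line.
sample_display() {
    cat <<'EOF'
EVFS Volume Name:           /dev/evfs/vg01/lvol5
Mapped Volume Name:         /dev/vg01/lvol5
EVFS Volume State:          enabled
EMD Size (Kbytes):          520
Max User Envelopes:         1024
Data Encryption Cipher:     aes-128-cbc
Digest:                     sha2
Owner Key ID:               root.rootkey1
Recovery Agent Key IDs:     evfs.evfs
Total Recovery Agent Keys:  1
User Key IDs:               init.initkey
Total User Keys:            1
EOF
}

# audit_evfs_display [required_cipher]
# Reads "evfsvol display" output on stdin and prints one finding per line.
# Exit status: 0 = no findings, 1 = findings, 2 = input not recognised.
audit_evfs_display() {
    awk -v want="${1:-}" '
    {
        i = index($0, ":")                 # split at the first colon
        if (i == 0) next
        label = substr($0, 1, i - 1)
        value = substr($0, i + 1)
        gsub(/^[ \t]+/, "", label); gsub(/[ \t]+$/, "", label)
        gsub(/^[ \t]+/, "", value); gsub(/[ \t]+$/, "", value)
        if (!(label in f)) f[label] = value
    }
    END {
        vol = f["EVFS Volume Name"]
        if (vol == "") { print "input has no EVFS Volume Name field"; exit 2 }
        n = 0
        # A missing count is treated as zero, so the check fails closed.
        if (f["Total Recovery Agent Keys"] + 0 == 0)
            msg[++n] = "no recovery key configured"
        # Assumption: an EMD still using SHA1 is displayed as sha1.
        if (tolower(f["Digest"]) == "sha1")
            msg[++n] = "EMD digest is sha1"
        if (want != "" && f["Data Encryption Cipher"] != want)
            msg[++n] = "cipher is " f["Data Encryption Cipher"] ", expected " want
        if (f["Owner Key ID"] == "")
            msg[++n] = "no owner key ID shown"
        for (k = 1; k <= n; k++) print vol ": " msg[k]
        exit (n > 0)
    }'
}

# Demo on the sample above. On a real system the input would come from
# "evfsvol display evfs_volume_path".
if sample_display | audit_evfs_display; then
    echo "sample volume: no findings"
fi
```

Passing a cipher name as the first argument, for example aes-256-cbc, turns on the cipher policy check; without it only the recovery key, digest, and owner key checks run.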
Verifying data encryption
You can use the following procedure to verify that EVFS is encrypting data before it is written to
the underlying LVM, VxVM, or physical volume:
1. Write text (a character string) to a file on an enabled EVS volume.
2. Use the strings utility to search the EVS volume device file. The text is stored in the underlying
LVM, VxVM or physical volume as encrypted data, but the strings utility is reading from
the EVS volume. The EVFS subsystem will provide decrypted data to the strings utility, and
strings will find and display the text string you wrote.
3. Verify that applications that bypass EVFS receive encrypted data. To do this, you must disable
EVFS on the volume. Use the following procedure to disable EVFS on the volume:
a. For data consistency, stop all applications accessing the EVS volume. You can use the
fuser -cu command to determine the processes accessing files and the fuser -cku
command to terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by
changing the system runlevel to single-user level with the shutdown utility. For more
information, see shutdown(1M).
b. Use the umount command to unmount the file system. For more information, see umount(1M).
c. Use the following command to disable encryption and decryption access to the volume:
evfsvol disable [-k keyname] evfs_volume_path
For more information, see “Disabling encryption and decryption access to EVS volumes”
(page 64).
4. Use the following command to open the EVS volume for raw access:
evfsvol raw evfs_volume_path
For more information, see “Opening raw access to EVS volumes” (page 65) and the evfsvol(1M)
manpage.
CAUTION: After you open the volume for raw access, any entity reading data from the EVS
volume receives encrypted data. Any entity writing data to the EVS volume writes directly to
the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol
raw command only when creating encrypted backup media or restoring encrypted backup
media.
5. Use the strings utility and try to find the text. The strings utility will not find the text
because it receives data from the EVS volume in encrypted form.
6. Return the EVS volume to a working state. Close raw access using the following command:
evfsvol close evfs_volume_path
Enable the volume using the following command:
evfsvol enable -k keyname evfs_volume_path
Remount the file system using the mount command.
Example
In the following example, the administrator writes the string TOP SECRET TOP SECRET to the
EVS volume. When the administrator uses the strings command to search the EVS volume for
this string, the search is successful. When the administrator searches the underlying LVM volume
for the same string, the search is unsuccessful.
# echo "TOP SECRET TOP SECRET" > /opt/encrypted_data/my_evfs_test
# strings /dev/evfs/vg01/lvol5 | grep "TOP SECRET"
(The strings command finds the string "TOP SECRET" on the EVS volume.)
TOP SECRET TOP SECRET
(Disable EVFS so we open raw access to the file)
# fuser -cku /opt/encrypted_data
# umount /opt/encrypted_data
# evfsvol disable /dev/evfs/vg01/lvol5
Enter user passphrase: (enter the passphrase)
# evfsvol raw /dev/evfs/vg01/lvol5 (EVFS will print a warning and ask
if you want to continue)
# strings /dev/vg01/lvol5 | grep "TOP SECRET"
(The strings command does not find the string "TOP SECRET")
# evfsvol close /dev/evfs/vg01/lvol5
# evfsvol enable /dev/evfs/vg01/lvol5
Enter user passphrase: (enter the passphrase)
# mount -F vxfs /dev/evfs/vg01/lvol5 /opt/encrypted_data
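The two strings searches in the procedure above can be scripted so that the result is a clear pass, fail, or inconclusive. This is an added example, not part of the HP guide; the function names are hypothetical, and the demo runs on constructed stand-in files rather than real EVS devices.

```shell
#!/bin/sh
# Added example (not from the HP guide). Function names are hypothetical.

# make_marker: a unique marker, so plaintext left over from an earlier test
# cannot satisfy or fail the check by accident.
make_marker() {
    printf 'EVFS-CHECK-%s-%s' "$(date +%Y%m%d%H%M%S)" "$$"
}

# marker_hits PATH MARKER
# Prints how many printable-string lines in PATH contain MARKER.
# Uses strings(1) as the guide does; falls back to tr(1) if it is missing.
marker_hits() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1"
    fi | grep -F -c -e "$2" || true      # grep -c exits 1 when the count is 0
}

# verdict EVS_HITS RAW_HITS
#   0 = marker readable through the EVS path and absent from the raw view
#   1 = marker found in the raw view: plaintext reached the underlying volume
#   2 = marker not seen through the EVS path either, so its absence from the
#       raw view proves nothing (the write may never have reached the volume)
verdict() {
    if [ "$2" -gt 0 ]; then
        echo "FAIL: marker visible in raw view ($2 hit(s))"
        return 1
    elif [ "$1" -eq 0 ]; then
        echo "INCONCLUSIVE: marker never seen through the EVS path"
        return 2
    fi
    echo "PASS: $1 hit(s) through the EVS path, none in the raw view"
}

# On a real system, with the device paths used in the guide's example:
#   m=$(make_marker); echo "$m" > /opt/encrypted_data/my_evfs_test
#   evs=$(marker_hits /dev/evfs/vg01/lvol5 "$m")   # volume still enabled
#   ... unmount, evfsvol disable, evfsvol raw, as in the procedure ...
#   raw=$(marker_hits /dev/vg01/lvol5 "$m")
#   verdict "$evs" "$raw"
#   ... evfsvol close, evfsvol enable, remount ...

# run_constructed_demo: same logic on two constructed files. The "raw" file
# is a letter-substituted copy of the marker, a stand-in for ciphertext and
# not real EVFS output.
run_constructed_demo() {
    d="${TMPDIR:-/tmp}/evfs-demo.$$"
    mkdir -p "$d" || return 3
    m=$(make_marker)
    printf 'header\n%s\ntrailer\n' "$m" > "$d/evs_view"
    printf '%s\n' "$m" | tr 'A-Za-z0-9' 'N-ZA-Mn-za-m5-90-4' > "$d/raw_view"
    rc=0
    verdict "$(marker_hits "$d/evs_view" "$m")" \
            "$(marker_hits "$d/raw_view" "$m")" || rc=$?
    rm -rf "$d"
    return "$rc"
}

run_constructed_demo
```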
Step 4: (Optional) Migrating existing data to an EVS volume
Use the following procedure to migrate an existing directory of data to the EVS volume:
a. For data consistency, stop all applications accessing the data. You can use the fuser -cu
command to determine the processes accessing files, and the fuser -cku command to
terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
b. (Optional) Create a backup of the existing data.
c. Use the cp command or other utility to copy the data from the existing files to an EVS volume.
d. (Optional) Remove the old files or directories. If you migrated all the data from a file system,
you can unmount the old file system. For more information, see umount(1M).
e. (Optional) If you unmounted a file system in the previous step, remove the entry for the file
system from the /etc/fstab file.
f. (Optional) Use the ln command to create a symbolic link from the old directory to the
appropriate directory on the encrypted volume. For more information, see ln(4).
g. Restart applications that use the data as needed.
Example
In the following example, the /opt/encrypted_data directory is located on an EVS volume
that has already been created and enabled.
# fuser -cu /opt/my_data
# fuser -cku /opt/my_data
# cp -R /opt/my_data/* /opt/encrypted_data
# rm -r /opt/my_data
(If /opt/my_data was a file system, you would unmount it instead and remove the corresponding
entry from the /etc/fstab file.)
# ln -s /opt/encrypted_data /opt/my_data
Step 5: Backing up your configuration
After you have completed your configuration, back up the files and subdirectories under the
/etc/evfs directory.
You must back up the user key database. You cannot re-create lost or corrupt user keys or
passphrases. Determine the directories used for the key database by checking the pkey attribute
statement in the /etc/evfs/evfs.conf file. By default, EVFS stores the user key database in
subdirectories below the /etc/evfs/pkey/users directory.
Option 2: Converting a volume with existing data to an EVS volume (inline encryption)
This section describes how to convert existing data on a volume into an EVS volume. This section
addresses the following topics:
• “Step 1: Preparing the file system and data” (page 55)
• “Step 2: Performing inline encryption” (page 56)
• “Step 3: Verifying the configuration” (page 57)
• “Step 4: Backing up your configuration” (page 59)
Before using this procedure, you must complete the tasks in Chapter 4 (page 28).
IMPORTANT: To use inline encryption, 3 MB of spare disk space are required at the end of the
volume, and the minimum volume size must be 4 MB. If the entire volume is used, extend the volume
using lvextend for LVM, or vxassist for VxVM.
Step 1: Preparing the file system and data
a. Verify the file systems or volumes you want to secure with EVFS are suitable for encryption.
You cannot use EVFS with the following objects:
• Files or disk areas used during system boot. This includes the following objects:
◦ the root disk (/)
◦ the boot disk
◦ the HP-UX kernel directory (/stand)
◦ the /usr directory
EVFS cannot decrypt the kernel or other data before the system boots.
CAUTION: Encrypting the boot disk makes the boot disk unusable and prevents you
from booting the system.
• Swap space (swap devices or file swap space).
CAUTION: Encrypting swap space can cause the system to panic.
• Dump devices.
b. For data consistency, stop all applications accessing the data. You can use the fuser -cu
command to determine the processes accessing files, and the fuser -cku command to
terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
c. Back up the data on the volume. This ensures data recovery is possible if an unexpected event
occurs before completion of the operation.
d. Unmount the file system:
# umount file_system
e. Extend the volume if there is no spare disk space at the end of the volume. 3 MB of spare disk
space are required at the end of the volume. Extend the volume by using the lvextend
command on an LVM volume, or the vxassist command on a VxVM volume. If you do not
know if there is spare disk space at the end of the volume, you can check if there is still space
available for you to extend the volume by using the vgdisplay command on an LVM volume
group, or the vxdg command on a VxVM disk group that the volume belongs to.
f. Map the regular volume to an EVS volume:
# evfsadm map volume_name
Step 2: Performing inline encryption
a. Start inline encryption:
# evfsvol iencrypt [-f] [-k keyname] [-c cipher] evfs_volume_path
For more information about the evfsvol iencrypt command, see “iencrypt: Inline
encryption” (page 56).
b. Enable the EVS volume:
# evfsvol enable evfs_volume_path
c. Mount the file system to the EVS volume:
# mount evfs_volume_path file_system
For more information about mounting file systems, see “Step 2: Creating and mounting a file
system on an EVS volume” (page 50).
iencrypt: Inline encryption
When the EVS volume state is iencrypt in progress or iencrypt suspended, the volume
is not accessible.
When the EVS volume state is iencrypt suspended, only the following commands can be
applied to the EVS volume:
evfsvol iencrypt
Use this command to resume the inline encryption operation.
evfsvol display
Use this command to display the status of the volume.
CAUTION: The following two operations render the volume data irrecoverable.
evfsvol create -f
Use this command to recreate the EMD on the volume.
evfsvol destroy
Use this command to remove the EMD header from the volume.
The percentage of progress is reported after every 1 MB of data is processed. When the entire
volume is converted successfully, a message is displayed.
If you specify the -f option, the operation is forced without prompting.
Suspending an ongoing inline encryption
HP does not recommend suspending an ongoing inline encryption. However, inline encryption
can be a long operation which can take many hours for a large volume. The following common
signals used to stop a process are handled by evfsvol iencrypt:
• SIGTERM
• SIGHUP
• SIGQUIT
• SIGABRT
• SIGINT
When one of these signals is received by evfsvol iencrypt, the user is shown the following
prompt:
Are you sure you want to abort inline-encrypting "/dev/evfs/vg00/lvolxx"?
Interrupting this operation is not recommended! Answer [yes/no]:
NOTE: Do not use the SIGKILL signal to terminate an evfsvol iencrypt process (do not use
the command kill -KILL evfsvol-iencrypt-pid).
Re-starting a suspended inline encryption
To resume a previously stopped inline encryption, use the following command:
# evfsvol iencrypt [-k keyname] evfs_volume_path
The -f and -c options are not valid for a resumed inline encryption. The volume owner key is
needed to resume an operation, and you will be prompted for a passphrase.
Step 3: Verifying the configuration
Use the following commands to verify your EVFS configuration:
• evfsadm stat -a
• evfsvol display evfs_volume_path
evfsadm stat -a
After you access data or mount a file system on an EVS volume that is correctly configured, the
output for the evfsadm stat -a command shows nonzero values for the number of blocks read
(bpr), written (bpw), decrypted (bpd), and encrypted (bpe). The output is similar to the following:
# evfsadm stat -a
----- EVFS statistics ----
Total EVFS Volumes:          1
EVFS Subsystem Status:       up
Active Encryption Threads:   2

---- EVFS Volume Name ----|--- State ---|---------------- Queues -------------|
                                          orr      owr      odr      oer
/dev/evfs/vg01/lvol5        enabled       0        0        0        0

---- EVFS Volume Name ----|--- State ---|-------------- Counters -------------|
                                          bpr      bpw      bpd      bpe
/dev/evfs/vg01/lvol5        enabled       2074     52441    362      52345

---- EVFS Volume Name ----|--- State ---|---------------- Rates --------------|
                                          kbpsr    kbpsw    dkbps    ekbps
/dev/evfs/vg01/lvol5        enabled       25       3        362      34
For descriptions of the output fields, see “Displaying I/O and encryption statistics (evfsadm stat)”
(page 149).
evfsvol display evfs_volume_path
The evfsvol display evfs_volume_path command displays information about the EVS
volume, including the name of the underlying LVM, VxVM, or physical volume device file, and the
names of the keys configured for the EVS volume. The output of the evfsvol display
evfs_volume_path command is similar to the following:
# evfsvol display /dev/evfs/vg01/lvol5
EVFS Volume Name:            /dev/evfs/vg01/lvol5
Mapped Volume Name:          /dev/vg01/lvol5
EVFS Volume State:           enabled
EMD Size (Kbytes):           520
Max User Envelopes:          1024
Data Encryption Cipher:      aes-128-cbc
Digest:                      sha2
Owner Key ID:                root.rootkey1
Recovery Agent Key IDs:      evfs.evfs
Total Recovery Agent Keys:   1
User Key IDs:                init.initkey
Total User Keys:             1
For more information, see “Displaying EVFS volume keys and operating parameters (evfsvol
display)” (page 151).
Verifying data encryption
You can use the following procedure to verify that EVFS is encrypting data before it is written to
the underlying LVM, VxVM, or physical volume:
1. Write text (a character string) to a file on an enabled EVS volume.
2. Use the strings utility to search the EVS volume device file. The text is stored in the underlying
LVM, VxVM or physical volume as encrypted data, but the strings utility is reading from
the EVS volume. The EVFS subsystem will provide decrypted data to the strings utility, and
strings will find and display the text string you wrote.
3. Verify that applications that bypass EVFS receive encrypted data. To do this, you must disable
EVFS on the volume. Use the following procedure to disable EVFS on the volume:
a. For data consistency, stop all applications accessing the EVS volume. You can use the
fuser -cu command to determine the processes accessing files and the fuser -cku
command to terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by
changing the system runlevel to single-user level with the shutdown utility. For more
information, see shutdown(1M).
b. Use the umount command to unmount the file system. For more information, see umount(1M).
c. Use the following command to disable encryption and decryption access to the volume:
evfsvol disable [-k keyname] evfs_volume_path
For more information, see “Disabling encryption and decryption access to EVS volumes”
(page 64).
4. Use the following command to open the EVS volume for raw access:
evfsvol raw evfs_volume_path
For more information, see “Opening raw access to EVS volumes” (page 65) and the
evfsvol(1M) manpage.
CAUTION: After you open the volume for raw access, any entity reading data from the EVS
volume receives encrypted data. Any entity writing data to the EVS volume writes directly to
the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol
raw command only when creating encrypted backup media or restoring encrypted backup
media.
5. Use the strings utility and try to find the text. The strings utility will not find the text
because it receives data from the EVS volume in encrypted form.
6. Return the EVS volume to a working state. Close raw access using the following command:
evfsvol close evfs_volume_path
Enable the volume using the following command:
evfsvol enable -k keyname evfs_volume_path
Remount the file system using the mount command.
Example
In the following example, the administrator writes the string TOP SECRET TOP SECRET to the
EVS volume. When the administrator uses the strings command to search the EVS volume for
this string, the search is successful. When the administrator searches the underlying LVM volume
for the same string, the search is unsuccessful.
# echo "TOP SECRET TOP SECRET" > /opt/encrypted_data/my_evfs_test
# strings /dev/evfs/vg01/lvol5 | grep "TOP SECRET"
(The strings command finds the string "TOP SECRET" on the EVFS volume.)
TOP SECRET TOP SECRET
(Disable EVFS so we open raw access to the file)
# fuser -cku /opt/encrypted_data
# umount /opt/encrypted_data
# evfsvol disable /dev/evfs/vg01/lvol5
Enter user passphrase: (enter the passphrase)
# evfsvol raw /dev/evfs/vg01/lvol5 (EVFS will print a warning and ask
if you want to continue)
# strings /dev/vg01/lvol5 | grep "TOP SECRET"
(The strings command does not find the string "TOP SECRET")
# evfsvol close /dev/evfs/vg01/lvol5
# evfsvol enable /dev/evfs/vg01/lvol5
Enter user passphrase: (enter the passphrase)
# mount -F vxfs /dev/evfs/vg01/lvol5 /opt/encrypted_data
Step 4: Backing up your configuration
After you have completed your configuration, back up the files and subdirectories under the
/etc/evfs directory.
You must back up the user key database. You cannot re-create lost or corrupt user keys or
passphrases. Determine the directories used for the key database by checking the pkey attribute
statement in the /etc/evfs/evfs.conf file. By default, EVFS stores the user key database in
subdirectories below the /etc/evfs/pkey/users directory.
Examples
This section contains configuration examples for “Option 1” (page 60) and “Option 2” (page 61).
Option 1
Step 1a: Create an EVS volume. If you are using LVM or VxVM, create a new LVM or VxVM volume
to use as the underlying volume. If you reuse an existing LVM or VxVM volume as the underlying
volume, you will lose all existing data. You can skip this step if you are using whole disk access.
# lvcreate -L 64 -n lvol5 /dev/vg01
Step 1b: Map the new LVM or VxVM volume or physical volume to an EVS volume.
# evfsadm map /dev/vg01/lvol5
Step 1c: Create the EMD on the new EVS volume. The root user (the owner of the key named
rootkey1) will be the volume owner. evfsvol prompts for the passphrase to the owner's private
key.
# evfsvol create -k rootkey1 /dev/evfs/vg01/lvol5
Step 1d: Optional – Add a recovery user key. evfsvol prompts for the passphrase to the owner's
private key.
# evfsvol add -r /dev/evfs/vg01/lvol5
Step 1e: Enable the EVS volume. evfsvol prompts for the passphrase for your key named
rootkey1.
# evfsvol enable -k rootkey1 /dev/evfs/vg01/lvol5
Step 2a: Create a new file system on the character/raw EVS volume.
# newfs -F vxfs /dev/evfs/vg01/rlvol5
Step 2b: Verify the file system.
# fsck /dev/evfs/vg01/rlvol5
Step 2c: Create the directory for the new mount point.
# mkdir /opt/my_secure_dir
Step 2d: Mount the new file system.
# mount -F vxfs /dev/evfs/vg01/lvol5 /opt/my_secure_dir
Step 2e: Optional – Add an entry to /etc/fstab. In this example, the administrator used the
echo command, but you can also use an editor to do this.
# echo "/dev/evfs/vg01/lvol5 /opt/my_secure_dir vxfs defaults 0 2" >> /etc/fstab
Step 3: Verify the EVFS configuration.
# evfsadm stat -a
# evfsvol display /dev/evfs/vg01/lvol5
Step 4: Migrate any existing data.
To migrate an existing directory of data to the new EVS volume, follow these steps:
Step 4b: Stop all applications accessing the existing data.
# fuser -cu /opt/my_data
# fuser -cku /opt/my_data
Step 4d: Copy the existing data to the new EVFS directory.
# cp -R /opt/my_data /opt/my_secure_dir
Clean up the old data and create a symbolic link to the EVFS data.
Optionally, configure the autostart feature, as described in “Step 6: (Optional) Configuring the
autostart feature” (page 34). Finally, back up your EVFS configuration and user keys, as described
in “Step 4: Backing up your configuration” (page 59).
Korn shell script for creating an EVS volume and file system
The following Korn shell (ksh) script configures an EVS volume and creates and mounts a file
system on the volume. This script is a basic script, and HP recommends that you enhance it to
perform error checking. The script does not use file locking when editing /etc/evfs/evfstab
or /etc/fstab. This script assumes the administrator has already performed the following tasks:
• Created an alternate recovery user account, if necessary.
• Created EVFS owner and recovery key pairs for the EVS volume using the evfspkey keygen
command.
• Created a new LVM or VxVM volume for the EVS volume using the lvcreate or vxassist
command or SAM.
The script takes the following four arguments as input:
1. Block volume device file name.
2. Character (raw) volume device file name.
3. Name of the owner key pair for the EVS volume.
4. Mount point for the new file system.
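#! /bin/ksh
# Arguments: block device file, character (raw) device file,
# owner key pair name, mount point
block_volume=$1
raw_volume=$2
owner_key=$3
mount_point=$4
# Derive the EVS device file names (/dev/vg01/lvol5 -> /dev/evfs/vg01/lvol5)
evolume=/dev/evfs/${block_volume#/dev/}
raw_evolume=/dev/evfs/${raw_volume#/dev/}
# Create the EVS volume
evfsadm map "$block_volume"
evfsvol create -k "$owner_key" "$evolume"
# Add the recovery key
evfsvol add -r "$evolume"
# Enable the volume with the owner key (without -k, the user name is used
# as the key name)
evfsvol enable -k "$owner_key" "$evolume"
# Create and mount the file system
newfs -F vxfs "$raw_evolume"
mkdir "$mount_point"
mount -F vxfs "$evolume" "$mount_point"
echo "$evolume $mount_point vxfs defaults 0 2" >> /etc/fstab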
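The guide recommends enhancing the basic script with error checking. The following is an added example of one way to do that (it is not HP's script): it validates the arguments and device file types, stops at the first failing step, and appends the /etc/fstab entry only once. The function names and the FSTAB override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not HP's script): the same steps with error checking.
# FSTAB is a hypothetical override for testing; it defaults to /etc/fstab.

# Map an underlying device file to its EVS device file, as the basic script
# does with ${block_volume#/dev/}: /dev/vg01/lvol5 -> /dev/evfs/vg01/lvol5.
evs_path() {
    case "$1" in
        /dev/evfs/*) echo "already an EVS device file: $1" >&2; return 1 ;;
        /dev/?*)     echo "/dev/evfs/${1#/dev/}" ;;
        *)           echo "not a /dev device file: $1" >&2; return 1 ;;
    esac
}

# Check the device file types before anything on disk is changed.
check_devices() {
    [ -b "$1" ] || { echo "not a block device file: $1" >&2; return 1; }
    [ -c "$2" ] || { echo "not a character device file: $2" >&2; return 1; }
}

# Echo and run one command; name the failing step on error.
step() {
    echo "+ $*"
    "$@" || { echo "FAILED: $*" >&2; return 1; }
}

# Run the configuration sequence, stopping at the first failing step.
# The body is a subshell so that variables do not leak into the caller.
configure_evs_volume() (
    block_volume=$1 raw_volume=$2 owner_key=$3 mount_point=$4
    fstab=${FSTAB:-/etc/fstab}
    evolume=$(evs_path "$block_volume") || exit 1
    raw_evolume=$(evs_path "$raw_volume") || exit 1

    step evfsadm map "$block_volume"                 || exit 1
    step evfsvol create -k "$owner_key" "$evolume"   || exit 1
    step evfsvol add -r "$evolume"                   || exit 1
    step evfsvol enable -k "$owner_key" "$evolume"   || exit 1
    step newfs -F vxfs "$raw_evolume"                || exit 1
    step mkdir -p "$mount_point"                     || exit 1
    step mount -F vxfs "$evolume" "$mount_point"     || exit 1

    # Append the fstab entry only if the EVS device is not already listed.
    if awk -v dev="$evolume" '$1 == dev { f = 1 } END { exit !f }' \
        "$fstab" 2>/dev/null; then
        echo "fstab entry for $evolume already present"
    else
        echo "$evolume $mount_point vxfs defaults 0 2" >> "$fstab"
    fi
)

# Entry point: validate the four arguments, then configure the volume.
setup_evs_volume() {
    [ $# -eq 4 ] || {
        echo "usage: setup_evs_volume block_volume raw_volume owner_key mount_point" >&2
        return 2
    }
    check_devices "$1" "$2" || return 1
    configure_evs_volume "$@"
}
```

After sourcing the file as root, call setup_evs_volume with the same four arguments as the basic script; evfsvol still prompts for the owner passphrase.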
Option 2
In the following example, there is existing data on a 96 MB LVM volume (for example,
/dev/vg00/lvol10) with a file system (for example, /home) configured on it:
# umount /home
# vgdisplay /dev/vg00
# lvextend -L 100 /dev/vg00/lvol10
(The existing size is 96 MB; we now extend it by 4 MB, to 100 MB)
# evfsadm map /dev/vg00/lvol10
# evfsvol iencrypt /dev/evfs/vg00/lvol10
# evfsvol enable /dev/evfs/vg00/lvol10
# mount /dev/evfs/vg00/lvol10 /home
# evfsadm stat -a
# evfsvol display /dev/evfs/vg00/lvol10
In the following example, there is existing data on a 96 MB VxVM volume (for example,
/dev/vx/dsk/rootdg/lvol10) with a file system (for example, /home) configured on it:
# umount /home
# vxdg -g rootdg free
# vxassist -g rootdg growby vol10 4m
(The existing size is 96 MB; we now extend it by 4 MB, to 100 MB)
# evfsadm map /dev/vx/dsk/rootdg/vol10
# evfsvol iencrypt /dev/evfs/vx/dsk/rootdg/vol10
# evfsvol enable /dev/evfs/vx/dsk/rootdg/vol10
# mount /dev/evfs/vx/dsk/rootdg/vol10 /home
# evfsadm stat -a
# evfsvol display /dev/evfs/vx/dsk/rootdg/vol10
Optionally, configure the autostart feature, as described in “Step 6: (Optional) Configuring the
autostart feature” (page 34). Finally, back up your EVFS configuration and user keys, as described
in “Step 4: Backing up your configuration” (page 59).
7 Administering EVS
This chapter describes how to perform the following EVFS administrative tasks:
• Starting and stopping EVFS components. This includes the tasks described in the following
sections:
  ◦ “Enabling encryption and decryption access to EVS volumes” (page 64)
  ◦ “Disabling encryption and decryption access to EVS volumes” (page 64)
  ◦ “Stopping the EVFS subsystem” (page 65)
  ◦ “Opening raw access to EVS volumes” (page 65)
  ◦ “Closing raw access to EVS volumes” (page 66)
• Managing EVFS keys and users. This includes the tasks described in the following sections:
  ◦ “Displaying key IDs for an EVS volume” (page 66)
  ◦ “Restoring user keys” (page 67)
  ◦ “Changing owner keys for an EVS volume” (page 68)
  ◦ “Recovering from problems with owner keys” (page 69)
  ◦ “Removing keys from an EVS volume” (page 69)
  ◦ “Removing user keys or stored passphrase from the EVFS key database” (page 69)
  ◦ “Changing the passphrase for a key” (page 70)
  ◦ “Creating or changing a stored passphrase for an existing key” (page 70)
• Recovering from encryption metadata (EMD) corruption. This task is described in the section
“Recovering from EMD corruption” (page 71).
• Removing a volume from the EVFS subsystem. This task is described in “Removing a volume
from the EVFS subsystem” (page 72).
• Exporting and importing EVS volumes. This includes the tasks described in the following
sections:
  ◦ “Exporting an EVS volume” (page 73)
  ◦ “Importing an EVS volume” (page 75)
• “Resizing EVS volumes and file systems” (page 76)
Starting and stopping EVFS
This section describes the following procedures for enabling and disabling EVFS components:
• Starting the EVFS Subsystem (see “Step 5: Starting the EVFS subsystem” (page 33))
• “Enabling encryption and decryption access to EVS volumes” (page 64)
• “Disabling encryption and decryption access to EVS volumes” (page 64)
• “Stopping the EVFS subsystem” (page 65)
• “Opening raw access to EVS volumes” (page 65)
• “Closing raw access to EVS volumes” (page 66)
Enabling encryption and decryption access to EVS volumes
The following evfsvol enable commands enable EVFS encryption and decryption access to
EVS volumes. The EVS volumes must already be configured, as described in “Preparing EVFS for
configuration” (page 28). You can use the evfsvol enable command in the following ways:
• To enable a single EVS volume without a stored passphrase:
evfsvol enable [-k keyname] evfs_volume_path
You must be the volume owner or an authorized user for the volume to execute this command.
• To enable a single EVS volume with a stored passphrase and an entry in the
/etc/evfs/evfstab file:
evfsvol enable -p evfs_volume_path
• To enable EVFS encryption and decryption for all volumes in the file /etc/evfs/evfstab
that include a key ID field:
evfsvol enable -a
where:
-a
Causes EVFS to enable encryption and decryption for all volumes in the
/etc/evfs/evfstab file.
-p
Causes EVFS to use a stored passphrase to enable encryption and
decryption for the named EVS volume. The /etc/evfs/evfstab file
must contain an entry for this volume with a key ID field.
-k keyname
Specifies the key name. If you do not specify -k keyname, evfspkey
uses the user name as the key name.
Valid value: An ASCII string, 1 to 255 characters long.
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file, such as
/dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1.
Disabling encryption and decryption access to EVS volumes
The evfsvol disable command disables encryption and decryption access to EVS volumes.
The evfsvol disable command fails if a file system is mounted on the EVS volume or if the
EVS volume device file is opened by any process.
Use the following procedure to disable encryption and decryption access to a volume:
1. For data consistency, stop all applications accessing the data. You can use the fuser -cu
command to determine the processes accessing files, and the fuser -cku command to
terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
the shutdown(1M) manpage.
2. If you have a file system mounted on the EVS volume, use the umount command to unmount
the file system. For more information, see umount(1M).
3. Use the evfsvol disable command to disable EVFS operation for the volume as follows:
• To disable a single EVS volume without a stored passphrase:
evfsvol disable [-k keyname] evfs_volume_path
You must be the volume owner or an authorized user for the volume to execute this
command.
• To disable a single EVS volume with a stored passphrase and an entry in the
/etc/evfs/evfstab file:
evfsvol disable -p evfs_volume_path
• To disable EVFS encryption and decryption for all volumes in the /etc/evfs/evfstab
file that include a key ID field:
evfsvol disable -a
where:
-a
Causes EVFS to disable encryption and decryption for all volumes
in the file /etc/evfs/evfstab.
-p
Causes EVFS to use a stored passphrase to disable encryption and
decryption for the specified EVS volume. The /etc/evfs/evfstab
file must contain an entry for this volume with a key ID field.
-k keyname
Specifies the key name. If you do not specify -k keyname,
evfspkey uses the user name as the key name.
Valid value: An ASCII string, 1 - 255 characters long.
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file,
such as /dev/evfs/vg01/lvol5,
/dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
Stopping the EVFS subsystem
The evfsadm stop command stops the EVFS subsystem and terminates all kernel EVFS threads.
Use the following procedure to stop the EVFS subsystem:
1. For data consistency, stop all applications accessing the data. You can use the fuser -cu
command to determine the processes accessing files, and the fuser -cku command to
terminate the processes. For more information, see the fuser(1M) manpage.
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
2. If you have a file system mounted on the EVS volume, use the umount command to unmount
the file system. For more information, see the umount(1M) manpage.
3. Disable all the EVS volumes using the evfsvol disable command, as described in
“Disabling encryption and decryption access to EVS volumes” (page 64). You must be the
volume owner or an authorized user for the volume to disable the volume.
4. Enter the following evfsadm stop command:
evfsadm stop
Opening raw access to EVS volumes
Use the following evfsvol raw command to open an EVS volume for raw access. When an EVS
volume is open for raw access, EVFS does not decrypt data read from the volume and does not
encrypt data written to the volume. Entities reading data from the EVS volume receive encrypted
data. Entities writing data to the EVS volume write directly to the underlying disk; EVFS does not
encrypt the text.
CAUTION: Writing data to or reading data from an EVS volume when it is opened for raw access
can cause data corruption. HP recommends that you use this operation only when creating encrypted
backup media or restoring encrypted backup media, as described in “Backing up EVS volumes”
(page 78).
Use the following procedure to open raw access to an EVS volume:
1. Disable encrypted and decrypted access to the EVS volume using the evfsvol disable
command, as described in “Disabling encryption and decryption access to EVS volumes”
(page 64). You must be the volume owner or an authorized user for the volume to disable the
volume.
2. Enter the evfsvol raw command. The syntax is as follows:
evfsvol raw evfs_volume_path
where:
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file,
such as /dev/evfs/vg01/lvol5,
/dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
Closing raw access to EVS volumes
Use the following evfsvol close command to close raw access to a volume. After you close
raw access, you can enable encrypted and decrypted access to the volume using the evfsvol
enable command.
You must be the volume owner or an authorized user for the volume to execute the evfsvol
close command.
evfsvol close evfs_volume_path
where:
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file, such as
/dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1.
Managing EVFS keys and users
This section describes the following procedures for managing EVFS keys and users:
• “Displaying key IDs for an EVS volume” (page 66)
• “Restoring user keys” (page 67)
• “Changing owner keys for an EVS volume” (page 68)
• “Recovering from problems with owner keys” (page 69)
• “Removing keys from an EVS volume” (page 69)
• “Removing user keys or stored passphrase from the EVFS key database” (page 69)
• “Changing the passphrase for a key” (page 70)
• “Creating or changing a stored passphrase for an existing key” (page 70)
Displaying key IDs for an EVS volume
Use the following evfsvol display command to display EMD information for EVS volumes,
including the owner key ID, recovery key IDs, and authorized user key IDs. The evfsvol display
command also displays operating parameters for the EVS volume, including the volume encryption
algorithm and the underlying LVM, VxVM, or physical volume device file name.
Syntax
evfsvol display [-a|evfs_volume_path]
where:
-a
Displays the EMD information for all configured EVS volumes.
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file, such
as /dev/evfs/vg01/lvol5,
/dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
The evfsvol utility displays the EMD information for the
volume.
Example
The output of the evfsvol display evfs_volume_path command is similar to the following:
# evfsvol display /dev/evfs/vg01/lvol5
EVFS Volume Name:            /dev/evfs/vg01/lvol5
Mapped Volume Name:          /dev/vg01/lvol5
EVFS Volume State:           enabled
EMD Size (Kbytes):           520
Max User Envelopes:          1024
Data Encryption Cipher:      aes-128-cbc
Digest:                      sha2
Owner Key ID:                root.rootkey1
Recovery Agent Key IDs:      evfs.evfs
Total Recovery Agent Keys:   1
User Key IDs:                root.admink
Total User Keys:             1
The Owner Key ID, Recovery Agent Key IDs, and User Key IDs fields show the key
IDs configured for the volume.
Restoring user keys
Use the following procedure to restore user key files from backup media:
1. Verify the directory structure for the key database, and re-create it if necessary. By default,
EVFS stores the user key database in subdirectories below the /etc/evfs/pkey/users
directory, with a subdirectory for each user. The administrator can configure an alternate
database directory or directories using the pkey attribute in the /etc/evfs/evfs.conf file.
HP recommends that the primary directory is writable only by superusers. For example, the
/etc/evfs/pkey directory is installed with the following permissions, owner, and group:
drwxr-xr-x 4 bin bin 96 Mar 16 17:26 pkey
You must create the directory users as a subdirectory of the directory configured with pkey
attributes. By default when the first user key is created, EVFS automatically creates the
/etc/evfs/pkey/users directory with the following permissions, owner, and group:
drwxr-xr-x 4 root sys 96 Aug 16 17:26 users
Make sure that the users directory is in place before you create subdirectories for each
user.
2. Create the appropriate directory for each user, such as /etc/evfs/pkey/users/root.
Each directory must have the following permissions, owner, and group:
drwxr-xr-x 2 user sys 96 Mar 16 17:27 user
3. Create a directory to store the recovery keys. If you are using the default name for the EVFS
pseudo-user account and the default key storage directory, create the
/etc/evfs/pkey/users/evfs directory (or a subdirectory under the key storage directory using
the EVFS pseudo-user name) with the following permissions, owner, and group:
drwxr-xr-x 2 bin bin 96 Mar 16 17:27 evfs
4. Restore the public and private key files and any passphrase files with the following name,
owner, group, and permissions:
• Public Key:
  ◦ File name: key_storage_directory/users/user_name/key_name.pub
  (/etc/evfs/pkey/users/user_name/key_name.pub if you are using the
  default key storage directory)
  ◦ Owner: the user name for the owner
  ◦ Group: sys
  ◦ Permissions: Readable and writable by the owner, readable by group, and readable
  by everyone else (644, or -rw-r--r--)
• Private Key:
  ◦ File name: key_storage_directory/users/user_name/key_name.priv
  (/etc/evfs/pkey/users/user_name/key_name.priv if you are using the
  default key storage directory)
  ◦ Owner: the user name for the owner
  ◦ Group: sys
  ◦ Permissions: Readable and writable by only the owner (600, or -rw-------)
  ◦ If you have a file named key_name.privext, restore it to the same location and
  with the same permissions as for key_name.priv.
• Passphrase File:
  ◦ File name: key_storage_directory/users/user_name/key_name.pass.nnn
  (/etc/evfs/pkey/users/user_name/key_name.pass.nnn if you are using
  the default key storage directory), where nnn is a number based on system-specific
  data
  ◦ Owner: the user name for the owner
  ◦ Group: sys
  ◦ Permissions: Readable and writable only by the owner (600, or -rw-------)
After you restore these files, a listing of the files shows output similar to the following:
# ll /etc/evfs/pkey/users/root
total 32
-rw------- 1 root sys 634 Mar 16 17:26 rootkey2.priv
-rw-r--r-- 1 root sys 344 Mar 16 17:26 rootkey2.pub
-rw-r--r-- 1 root sys 272 Mar 16 17:26 rootkey2.pass.08192003-6e81-11d9-8b9e-b8f2666e6f49
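The permissions listed in this procedure can be checked after a restore with a short audit. The following is an added example, not part of the HP guide: it compares directory and key file modes with the values listed above and reports each deviation. It assumes that the owner of each key file is the user whose directory holds it; the group is not checked, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the HP guide: audit a restored EVFS key database
# against the modes and owners listed in the restore procedure.

# Mode string of one file or directory, for example -rw-------. ls -ld is
# parsed because HP-UX has no stat(1); cut drops any ACL marker after the mode.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Owner column of ls -ld.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Mode the procedure lists for a key file name; empty for other files.
expected_mode() {
    case "$1" in
        *.pub)             echo "-rw-r--r--" ;;
        *.priv|*.privext)  echo "-rw-------" ;;
        *.pass.*)          echo "-rw-------" ;;
    esac
}

# Print one finding per line for key_storage_directory (default
# /etc/evfs/pkey). Exit status is 0 when clean, 1 when findings exist.
# The body is a subshell so that variables do not leak into the caller.
audit_evfs_keys() (
    keydir=${1:-/etc/evfs/pkey}
    status=0
    finding() { echo "$*"; status=1; }

    # The key directories are listed as drwxr-xr-x: writable by the owner only.
    for d in "$keydir" "$keydir/users" "$keydir"/users/*; do
        [ -d "$d" ] || continue
        m=$(file_mode "$d")
        [ "$m" = "drwxr-xr-x" ] || finding "DIRMODE $d: $m, expected drwxr-xr-x"
    done

    for f in "$keydir"/users/*/*; do
        [ -f "$f" ] || continue
        want=$(expected_mode "${f##*/}")
        [ -n "$want" ] || continue
        have=$(file_mode "$f")
        [ "$have" = "$want" ] || finding "MODE $f: $have, expected $want"
        # Assumption: key files belong to the user whose directory holds them.
        dir=${f%/*}; user=${dir##*/}
        owner=$(file_owner "$f")
        [ "$owner" = "$user" ] || finding "OWNER $f: $owner, expected $user"
    done
    exit $status
)
```

Run audit_evfs_keys with no argument for the default key storage directory, or pass the directory configured with the pkey attribute in /etc/evfs/evfs.conf.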
Changing owner keys for an EVS volume
Use the following evfsvol assign command to change the owner or owner key of an EVS
volume. To execute this command, you must be the current owner of the EVS volume or have the
private key file for the volume recovery key. (The procedure for creating a recovery key is described
in “Creating recovery keys” (page 43). The procedure for adding a recovery key to an EVS volume
is described in “Step 1d: (Optional) Adding recovery keys and authorized user keys” (page 48).)
evfsvol assign -u newowner [-r recoveryprivkeyfile] [-k keyname] evfs_volume_path
where:
-u newowner
Specifies the name of the new owner for the EVS volume.
-r recoveryprivkeyfile
Specifies the name of the file containing the private key that
corresponds to a recovery user's key in the EMD. If you do not
specify this option, you must be the EVS volume owner to
execute this command; evfsvol prompts you for the
passphrase for the owner's key.
-k keyname
Specifies the key pair name for the new owner. If you do not
specify this option or the -r option, evfsvol uses the owner's
user name as the key pair name.
evfs_volume_path
Specifies the absolute pathname for the EVS volume device
file, such as /dev/evfs/vg01/lvol5,
/dev/evfs/vx/dsk/rootdg/vol05, or
/dev/evfs/dsk/c2t0d1.
Recovering from problems with owner keys
If the keys for an owner of an EVS volume cannot be restored or are compromised, or if the owner
forgets the passphrase for the private key, you must use the recovery user's private key to assign
a new owner for the EVS volume. For more information, see the section “Changing owner keys
for an EVS volume” (page 68).
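Because a lost or compromised owner key can only be replaced by using a recovery user's private key, it is worth knowing which volumes have no recovery agent key in their EMD. The following is an added example, not part of the HP guide, that reads evfsvol display output and lists those volumes. It assumes one "Label: value" pair per line and that each volume's record starts with an "EVFS Volume Name:" line; the second sample record is constructed.

```shell
#!/bin/sh
# Added example, not part of the HP guide: list EVS volumes that have no
# recovery agent key, from `evfsvol display` output read on stdin.
# Assumes one "Label: value" pair per line and that each volume's record
# starts with an "EVFS Volume Name:" line.

# Prints one NO_RECOVERY_KEY line per affected volume.
# Exit status is 0 when every volume has a recovery key, 1 otherwise.
audit_recovery_keys() {
    awk '
    # Text after the first colon, with leading blanks removed.
    function value(line) { sub(/^[^:]*:[ \t]*/, "", line); return line }
    # Emit a finding for the record collected so far, if it has no recovery key.
    function report() {
        if (vol == "") return
        if (rkeys + 0 < 1) {
            printf "NO_RECOVERY_KEY %s owner=%s state=%s\n", vol, owner, state
            bad = 1
        }
    }
    /^EVFS Volume Name:/          { report(); vol = value($0); owner = state = ""; rkeys = 0 }
    /^EVFS Volume State:/         { state = value($0) }
    /^Owner Key ID:/              { owner = value($0) }
    /^Total Recovery Agent Keys:/ { rkeys = value($0) }
    END { report(); exit bad + 0 }
    '
}

# Constructed sample input. The first record repeats the example output shown
# in this guide; the second is a made-up volume with no recovery key.
sample_display_output() {
    cat <<'EOF'
EVFS Volume Name: /dev/evfs/vg01/lvol5
Mapped Volume Name: /dev/vg01/lvol5
EVFS Volume State: enabled
EMD Size (Kbytes): 520
Max User Envelopes: 1024
Data Encryption Cipher: aes-128-cbc
Digest: sha2
Owner Key ID: root.rootkey1
Recovery Agent Key IDs: evfs.evfs
Total Recovery Agent Keys: 1
User Key IDs: root.admink
Total User Keys: 1
EVFS Volume Name: /dev/evfs/vg01/lvol6
Mapped Volume Name: /dev/vg01/lvol6
EVFS Volume State: enabled
EMD Size (Kbytes): 520
Max User Envelopes: 1024
Data Encryption Cipher: aes-128-cbc
Digest: sha2
Owner Key ID: root.rootkey1
Recovery Agent Key IDs:
Total Recovery Agent Keys: 0
User Key IDs:
Total User Keys: 0
EOF
}
```

On a live system, feed it the output of evfsvol display -a, for example: evfsvol display -a | audit_recovery_keys.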
Removing keys from an EVS volume
Use the following evfsvol delete command to remove a key record pair from an EVS volume.
You must be the owner of the EVS volume to execute this command.
evfsvol delete [-u username|-r] [-k keyname] evfs_volume_path
where:
-u username
Specifies the user name for the keys you want to delete from the volume.
If you do not specify this argument or the -r option, evfsvol uses your
user name.
-r
Specifies that you want to delete recovery user keys.
-k keyname
Specifies the name of the key pair you want to delete. If you do not
specify this option, evfsvol uses the user name as the key name.
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file, such as
/dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1.
Removing user keys or stored passphrase from the EVFS key database
Use the evfspkey delete command to remove a user key pair from the EVFS key database
or to remove the passphrase for a private key. You must have superuser privileges to delete a key
pair or passphrase that you do not own.
evfspkey delete [-u username|-r] [-p] [-k keyname]
where:
-u username
Specifies the user name for the keys you want to delete from the database. If
you do not specify this argument or the -r option, evfsvol uses your user
name.
-r
Specifies that you want to delete recovery user keys.
-p
Specifies that you only want to delete the stored passphrase for the private key.
-k keyname
Specifies the name of the key pair you want to delete. If you do not specify this
option, evfsvol uses the user name as the key name.
Changing the passphrase for a key
Use the evfspkey passgen command to change the passphrase for an existing private key.
You must have superuser privileges to change the passphrase for a key that you do not own. If a
stored passphrase does not exist for the current passphrase, evfspkey prompts you for the current
passphrase.
The syntax for changing the passphrase for a volume owner or authorized user key is as follows:
evfspkey passgen [-u username] [-k keyname]
The syntax for changing the passphrase for a recovery key is as follows:
evfspkey passgen -r recovkey_file
where:
-u username
Specifies the name of the user for the passphrase you want to delete. If
you do not specify this argument, evfsvol uses your user name.
-k keyname
Specifies the name of the key pair that corresponds to the passphrase
you want to change. If you do not specify this option, evfsvol uses
the user name as the key name.
-r recovkey_file
Specifies the name of the file that contains the recovery user's private
key, for example, /tmp/recovery.priv. HP recommends that you
store the recovery user's private key off line and restore only when
needed.
Creating or changing a stored passphrase for an existing key
Use the evfspkey passgen command to create or change a stored passphrase for an existing
private key. You must have superuser privileges to create a stored passphrase for a key that you
do not own. If the current passphrase has not been previously stored, the evfspkey command
prompts you for the current passphrase.
EVFS encrypts stored passphrases with system-specific information. A stored passphrase is usable
only on the system on which it was created.
CAUTION: A stored passphrase enables you to use the EVFS autostart feature, but it is a security
risk.
evfspkey passgen -f|-p|-s [-u username] [-k keyname]
where:
-f
Causes evfspkey to create a stored passphrase. The evfspkey utility prompts
you for the current passphrase and stores the passphrase in an encrypted file.
-p
Causes evfspkey to change the current passphrase and create a stored
passphrase. If the current passphrase is not stored, evfspkey prompts you for
the current passphrase. The evfspkey utility prompts you for a new passphrase,
then stores the new passphrase in an encrypted file. The passphrase must be
at least eight characters.
-s
Causes evfspkey to to generate a new passphrase and store it. If the current
passphrase is not stored, evfspkey prompts you for the current passphrase.
The evfspkey utility generates a passphrase for you and stores the passphrase
in an encrypted file.
-u username
Specifies the name of the user for the key pair that corresponds to the passphrase
you want to modify. If you do not specify this argument, evfsvol uses your
user name. You must have superuser or appropriate privileges to specify a
different user.
-k keyname
Specifies the name of the key pair that corresponds to the passphrase you want
to modify. If you do not specify this option, evfsvol uses the user name as
the key name.
Recovering from EMD corruption
EVFS stores one backup image of the EMD for each EVS volume. When you change the owner of
an EVS volume, or add or delete user keys for a volume, EVFS updates the EMD. Before EVFS
updates the EMD, it stores a backup copy of the current EMD. The evfsvol restore command
restores the backup copy of the EMD for an EVS volume.
Use the following procedure to restore a backup copy of an EMD:
1. For data consistency, stop all applications accessing the data. You can use the fuser -cu
command to determine the processes accessing files, and the fuser -cku command to
terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
2. (Optional) Create a cleartext backup copy of the data, or copy the cleartext data from the
EVS volume to another disk device using a utility such as fbackup, cp, or tar.
3. If you have a file system mounted on the EVS volume, use the umount command to unmount
the file system. For more information, see umount(1M).
4. Use the following command to disable encryption and decryption on the target volume:
evfsvol disable [-k keyname] evfs_volume_path
For more information, see “Disabling encryption and decryption access to EVS volumes”
(page 64).
5. Use the following evfsvol restore command to restore the EMD:
evfsvol restore evfs_volume_path
where:
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file,
such as /dev/evfs/vg01/lvol5,
/dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
6. Use the following command to enable EVFS operation for the volume:
evfsvol enable [-k keyname] evfs_volume_path
For more information, see “Enabling encryption and decryption access to EVS volumes”
(page 64).
7. If you had a file system mounted on the EVS volume, use the mount command to remount the
file system. For more information, see mount(1M).
8. Restart applications, as necessary.
EMD backup directory
By default, EVFS stores EMD backup images in the directory /etc/evfs/emd. See “Step 3:
(Optional) Modifying EVFS global parameters” (page 32) for information about changing this
directory path. Ensure there is enough space in this directory to store all the system's backup EMDs
from the encrypted volumes. The storage requirement is approximately 1 MB per encrypted volume.
Removing a volume from the EVFS subsystem
Use the following procedure to deconfigure EVFS on a volume and remove it from the EVFS
subsystem.
1. For data consistency, suspend or stop all applications accessing the data. You can use the
fuser -cu command to determine the processes accessing files and the fuser -cku
command to terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
2. Create a cleartext backup copy of the data, or copy the cleartext data from the EVS volume
to another disk device using a utility such as fbackup, cp or tar.
3. If you have a file system mounted on the EVS volume, use the umount command to unmount
the file system. For more information, see umount(1M).
4. Use the following command to disable encryption and decryption access to the volume:
evfsvol disable [-k keyname] evfs_volume_path
For more information, see “Disabling encryption and decryption access to EVS volumes”
(page 64).
5. Use the following evfsvol command to destroy the EMD for the volume:
evfsvol destroy [-f] evfs_volume_path
The -f option forcibly destroys the EMD, even if the EMD is corrupt. You must be the volume
owner to execute this command.
CAUTION: Destroying the EMD is irreversible. You cannot recover data from the EVS volume
after you destroy the EMD.
Example
# evfsvol destroy /dev/evfs/vg01/lvol5
Enter owner passphrase:(enter the passphrase for the owner's private key)
Are you sure you want to destroy "/dev/evfs/vg01/lvol5"? Continuing with this
operation will make your data permanently irrecoverable!
Answer [yes/no]: yes
6. Use the following evfsadm unmap command to remove the EVS volume device files and
delete the device entries in kernel registry:
evfsadm unmap evfs_volume_path
where:
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file,
such as /dev/evfs/vg01/lvol5,
/dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
7. You can now create a new file system on the underlying device (LVM, VxVM, or physical
volume device), mount the file system, and add an entry for the underlying device in
/etc/fstab. You can also restore the cleartext data stored in step 2.
Exporting and importing EVS volumes
This section describes procedures for exporting and importing EVS volumes. You can use these
procedures to remove EVFS data from a system when moving (exporting) a volume and disk
from one system and installing (importing) the volume and disk on another system. This section
describes the following procedures:
• “Exporting an EVS volume” (page 73)
• “Importing an EVS volume” (page 75)
NOTE: Do not use the procedures in this section to configure EVS volumes for use in an HP
Serviceguard cluster. For more information, see “Using EVFS with HP Serviceguard” (page 168).
Exporting an EVS volume
Use the following procedure to export an EVS volume. You can use this procedure to remove EVS
volume information from a system before moving the volume and disk to another system. If you
are using LVM, repeat the following procedure for each volume in the group before you execute
the vgexport command.
1. If you are moving the volume to another system, add an authorized user key pair for the
administrator on the destination system. You will use this key pair on the destination system.
a. Create a new key pair for the administrator on the destination system using the following
criteria:
• The user account for the key owner must exist on the destination system.
• The key name must be unique for the owner on the destination system.
• You must know the passphrase for the private key, so do not specify the -s option
for the evfspkey command. When you use the -s option, EVFS generates and
stores the passphrase for you, and you cannot retrieve the passphrase. Stored
passphrase files are encrypted with system-specific information, so a stored passphrase
created on one system is unusable on any other system.
Use the following evfspkey keygen command syntax:
evfspkey keygen [-c cipher] [-u user] [-k keyname]
where:
-c cipher
Specifies the type of public/private keys to create.
Valid values:
rsa-1024 (RSA 1024-bit keys)
rsa-1536 (RSA 1536-bit keys)
rsa-2048 (RSA 2048-bit keys)
Default for PA: rsa-1536
Default for IA : rsa-2048
-u user
Specifies the user name of the key owner. This must be a valid user
name on the destination system. If you do not specify -u user,
evfspkey uses your user name as the key owner. You must have
superuser or the appropriate privileges to create a key pair for another
user.
-k keyname
Specifies the key name. Specify a key name that does not already exist
for the key owner on the destination system. If you do not specify -k
keyname, evfspkey uses the user name as the key name.
Valid value: An ASCII string, 1 to 255 characters long.
The evfspkey utility prompts you for a passphrase to protect the private key.
IMPORTANT: Make a note of this passphrase, because you must specify it when you
administer the EVS volume on the target system.
b. Use the following command to add the key to the EVS volume:
evfsvol add -u user [-k keyname] evfs_volume_path
where:
-k keyname
Specifies the name of the key to add. If you do not specify -k
keyname, evfsvol uses your user name as the key name.
evfs_volume_path
Specifies the absolute pathname for the EVS volume device
file, such as /dev/evfs/vg01/lvol5,
/dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
2. Copy the owner's public and private key files to removable media. You must restore these
files on the destination system.
By default, EVFS stores the user key database in subdirectories below
/etc/evfs/pkey/users, with a subdirectory for each user. The administrator can configure
alternate database directories using the pub_key, priv_key, and pass_key attributes in
the /etc/evfs/evfs.conf file. Using the default key storage directory, the key file names
are:
Public Key
/etc/evfs/pkey/users/user_name/key_name.pub, where
user_name is the key owner's name and key_name is the key name.
Private Key
/etc/evfs/pkey/users/user_name/key_name.priv, where
user_name is the key owner's name and key_name is the key name.
3. For data consistency, stop all applications accessing the data. You can use the fuser -cu
command to determine the processes accessing files, and the fuser -cku command to
terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
4. Create a cleartext backup copy of the data or copy the cleartext data from the EVS volume
to another disk device using a utility such as fbackup, cp or tar.
5. If you have a file system mounted on the EVS volume, use the umount command to unmount
the file system. For more information, see umount(1M).
6. Use the following command to disable encryption and decryption access to the volume:
evfsvol disable [-k keyname] evfs_volume_path
For more information, see “Disabling encryption and decryption access to EVS volumes”
(page 64).
7. Use the following evfsvol export command to remove the EVS volume device files and
delete the device entries in kernel registry:
evfsvol export evfs_volume_path
where:
evfs_volume_path
Specifies the absolute pathname for the EVS volume device file,
such as /dev/evfs/vg01/lvol5,
/dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
Importing an EVS volume
Use the following procedure to import an EVS volume. If you are using LVM, use this procedure
after importing the volume group using vgimport, and repeat the procedure for each volume in
the group.
1. Copy the key files saved from the source system to the target system. Use the procedure
described in “Restoring user keys” (page 67) to install the key files from the source system on
the target system.
2. Use the following evfsvol import command to create the EVS volume device files and
add the entries in kernel registry:
evfsvol import volume_path
where:
volume_path
Specifies the path for the underlying LVM, VxVM, or physical volume device
file, such as /dev/vx/dsk/rootdg/vol01, /dev/vg01/lvol5, or
/dev/dsk/c0d0t2.
3. Use the evfsvol enable command to enable the encrypted volume:
evfsvol enable [-p] [-k keyname] evfs_volume_path
For more information, see “Step 1: Configuring an EVS volume” (page 45) or evfsvol(1m).
4. If the EVS volume had a file system, use the mount command to mount the file system to a
mount point. Add an entry to the /etc/fstab file.
For more information, see “Step 2: Creating and mounting a file system on an EVS volume”
(page 50).
Resizing EVS volumes and file systems
If you resize EVS volumes and file systems created on EVS volumes, HP recommends that you
create a backup copy of the data before resizing an EVS volume or file system above an EVS
volume. In addition, you must:
• Allow 1 MB on the EVS volume for the encryption metadata (EMD). Subtract 1 MB from the
size of the underlying LVM, VxVM, or physical volume when calculating the number of bytes
available for the file system. The size of the EMD depends on the configured maximum number
of user records, as specified by the emd_envelopes attribute in the /etc/evfs/evfs.conf
file. The actual size of the EMD might be less than 1 MB, but HP recommends that you allow
1 MB for the EMD.
CAUTION: If you do not allocate sufficient space for the EVFS EMD when reducing the size
of a file system and underlying volume, the file system is rendered unusable.
• Resize an EVS volume by resizing the underlying LVM or VxVM volume. Use the appropriate
LVM or VxVM command and specify the LVM or VxVM device file. For example:
# lvextend -L 112 /dev/vg01/lvol5
• If you have a file system on the EVS volume, you must resize the file system as a separate
operation using the extendfs or fsadm utilities.
CAUTION: Do not use the vxresize -F fstype command to resize the VxVM and the
file system in one operation. The vxresize command does not allocate space on the VxVM
volume for the EMD.
LVM Example: Increasing volume and file system sizes
In the following sessions, the VxFS file system size is 65016 Kbytes, created on a 64-Mbyte
(65536-Kbyte) LVM volume (520 Kbytes is used for the EMD). The user increases the size of the
LVM volume to 112 Mbytes and wants to increase the corresponding file system size.
Correct
The user increases the LVM volume size to 112 Mbytes (114688 Kbytes). When calculating the
number of Kbytes available for the file system, the user reserves 1 Mbyte for the EVFS EMD: (112
–1) * 1024 = 113664 Kbytes. The existing file system size is 65016 Kbytes, so the user increases
the file system size by 48648 Kbytes (113664 – 65016 = 48648).
# lvdisplay /dev/vg01/lvol5
--- Logical volumes ---
LV Name                     /dev/vg01/lvol5
VG Name                     /dev/vg01
LV Permission               read/write
:
:
LV Size (Mbytes)            64
:
:
# bdf /test5
Filesystem          kbytes    used   avail %used Mounted on
/dev/evfs/vg01/lvol5
                     65016    1125   59905    2% /test5
# umount /test5
# lvextend -L 112 /dev/vg01/lvol5
Logical volume "/dev/vg01/lvol5" has been successfully extended.
Volume Group configuration for /dev/vg01 has been saved in
/etc/lvmconf/vg01.conf
# lvdisplay /dev/vg01/lvol5
--- Logical volumes ---
LV Name                     /dev/vg01/lvol5
VG Name                     /dev/vg01
:
:
LV Size (Mbytes)            112
:
:
# extendfs -F vxfs -s 48648 /dev/evfs/vg01/rlvol5
# mount -F vxfs /dev/evfs/vg01/lvol5 /test5
# bdf /test5
Filesystem          kbytes    used   avail %used Mounted on
/dev/evfs/vg01/lvol5
                    113664    1141  105498    1% /test5
Incorrect
When calculating the number of Kbytes available for the file system, the user does not reserve
space for the EVFS EMD. The LVM is 112 Mbytes = 114688 Kbytes. The user attempts to increase
the current file system size, 65016 Kbytes, by 49672 Kbytes to use all available space on the
LVM for the file system (114688 – 65016 = 49672).
# extendfs -F vxfs -s 49672 /dev/evfs/vg01/rlvol5
# vxfs extendfs: New size (114688 blocks) beyond device capacity (114168 blocks).
8 Backing up and restoring data on EVS volumes
This chapter contains procedures for backing up and restoring data on EVS volumes and addresses
the following topics:
• “Backing up EVS volumes” (page 78)
• “Backups using LVM mirrored volumes” (page 80)
• “Backups using VxVM mirrored volumes” (page 87)
• “Backups using nonmirrored volumes” (page 94)
• “Restoring backup media” (page 97)
Backing up EVS volumes
This section contains procedures for backing up data on EVS volumes. The backup procedures
differ depending on the following factors:
• Use of mirrored volumes or nonmirrored volumes. The mirrored volumes can be LVM or VxVM.
NOTE: You cannot perform online encrypted backups to a tape or other non-EVFS device
unless you use mirrored volumes. If you do not have mirrored volumes, you can still perform
online encrypted backups, but you must use a second EVS volume as the target device.
• The format of the backup media (encrypted or cleartext).
• The type of target backup device (non-EVFS device, such as a tape, or a second EVS volume).
• The backup utility type (block device utility, such as dd, or file utility, such as tar or cp).
When using a block device utility, verify that the size of the EVS volume is appropriate for the
backup media you are using and for the time it will take to back up a whole volume.
Table 2 lists backup types for installations using LVM or VxVM mirrored volumes. Table 3 lists
backup types for installations not using mirrored volumes.
NOTE: The backup procedures in this section use the dd and cp utilities for basic operation and
clarity in the examples. Other procedures can be found in the Backing Up and Restoring Data on
HP-UX EVFS Volumes Using HP OpenView Storage Data Protector 6.0 white paper. For the latest
white papers and announcements about EVFS deployment tips and best practices, see the EVFS
product documentation set at http://www.hp.com/go/hpux-security-docs.
Table 2 Backup types with LVM or VxVM mirrored volumes
Media format | Target device | Backup utility type | Supported? | Source EVFS volume state | Notes
Encrypted | Tape or other non-EVFS device | Block device utility, such as dd | Yes | Raw | One volume in the mirror will be off line (unavailable to users). The remaining volume in the mirror is still available for user access. See “Creating encrypted backup media on a Non-EVFS device (LVM mirrored volumes)” (page 81) or “Creating encrypted backup media on a non-EVFS device (VxVM mirrored volumes)” (page 87).
Encrypted | Tape or other non-EVFS device | File utility | No | – | –
Encrypted | EVS volume | Block device utility, such as dd | Yes | Enabled | The target EVS volume must also be enabled. See “Creating encrypted backup media on a second EVS volume using a block device utility (LVM mirrored volumes)” (page 82) or “Creating encrypted backup media on a second EVS volume using a block device utility (VxVM mirrored volumes)” (page 89).
Encrypted | EVS volume | File utility | Yes | Enabled | The target EVS volume must also be enabled, and both EVS volumes must have file systems mounted. See “Creating encrypted backup media on a second EVS volume using a file utility (LVM mirrored volumes)” (page 84) or “Creating encrypted backup media on a second EVS volume using a file utility (VxVM mirrored volumes)” (page 91).
Cleartext | Tape or other non-EVFS device | Block device utility, such as dd | Yes | Enabled | See “Creating cleartext backup media (LVM mirrored volumes)” (page 86) or “Creating cleartext backup media (VxVM mirrored volumes)” (page 93).
Cleartext | Tape or other non-EVFS device | File utility | Yes | Enabled | The source volume must have a file system mounted. See “Creating cleartext backup media (LVM mirrored volumes)” (page 86) or “Creating cleartext backup media (VxVM mirrored volumes)” (page 93).
Cleartext | EVS volume | Block device utility, such as dd | No | – | –
Cleartext | EVS volume | File utility | No | – | –
Table 3 Backup types with nonmirrored volumes
Media format | Target device | Backup utility type | Supported? | Source EVFS volume state | Notes
Encrypted | Tape or other non-EVFS device | Block device utility, such as dd | Yes | Raw | Offline Backup. See “Creating encrypted backup media to a non-EVFS device (nonmirrored volumes)” (page 94).
Encrypted | Tape or other non-EVFS device | File utility | No | – | –
Encrypted | EVS volume | Block device utility, such as dd | Yes | Enabled | The source volume can be on line, but HP recommends that you stop access to the source volume. The target EVS volume must also be enabled. See “Creating encrypted backup media on a second EVS volume using a block device utility (nonmirrored volumes)” (page 95).
Encrypted | EVS volume | File utility | Yes | Enabled | The source volume can be on line, but HP recommends that you stop access to the source volume. The target EVS volume must also be enabled, and both EVS volumes must have file systems mounted. See “Creating encrypted backup media on a second EVS volume using a file utility (nonmirrored volumes)” (page 96).
Cleartext | Tape or other non-EVFS device | Block device utility, such as dd | Yes | Enabled | The source volume can be on line, but HP recommends that you stop access to the source volume. See “Creating cleartext backup media to a non-EVFS device (nonmirrored volumes)” (page 97).
Cleartext | Tape or other non-EVFS device | File utility | Yes | Enabled | The source volume can be on line, but HP recommends that you stop access to the source volume. The source volume must have a file system mounted. See “Creating cleartext backup media to a non-EVFS device (nonmirrored volumes)” (page 97).
Cleartext | EVS volume | Block device utility, such as dd | No | – | –
Cleartext | EVS volume | File utility | No | – | –
Backups using LVM mirrored volumes
If you have EVS volumes configured on LVM mirrored volumes, you can back up the EVS volumes
on line, without disabling the EVS volume or interrupting access to the data.
To create LVM mirrored volumes, you must have the MirrorDisk/UX product installed. If you do
not have the MirrorDisk/UX product, you can backup an EVS volume to a spare EVS volume, or
you can back up an EVS volume to a tape or other non-EVFS device by disabling the EVS volume
and performing offline backups. For more information, see “Backups using nonmirrored volumes”
(page 94).
This section describes the following procedures:
• “Creating encrypted backup media on a Non-EVFS device (LVM mirrored volumes)” (page 81).
• “Creating encrypted backup media on a second EVS volume using a block device utility (LVM
mirrored volumes)” (page 82).
• “Creating encrypted backup media on a second EVS volume using a file utility (LVM mirrored
volumes)” (page 84).
• “Creating cleartext backup media (LVM mirrored volumes)” (page 86).
Creating encrypted backup media on a Non-EVFS device (LVM mirrored volumes)
If you have LVM mirrored volumes, use the following procedure to perform online encrypted backups
to a non-EVFS target device, such as a tape drive. You must use a block device backup utility, such
as dd.
You must have the appropriate file permissions to access the EVS volume device file to use this
procedure.
1. Configure the mirror, if you have not already done so. Create the mirror copy using the
lvcreate -m or lvextend -m command. Configure EVFS on the LVM volume using the
evfsadm map and evfsvol create commands. Enable the EVS volume using the evfsvol
enable command and migrate data to the EVS volume, if necessary.
2. Create a backup copy of the user key database (user key pairs and any passphrase files) if
a copy does not already exist. Determine the directories used for the key database by checking
the pkey attribute statement in the /etc/evfs/evfs.conf file and back up the database.
By default, EVFS stores the user key database in subdirectories below the
/etc/evfs/pkey/users directory.
If you will be restoring the data to another system, you must know and make note of the
passphrase for the volume owner's private key. Stored passphrase files are encrypted with
system-specific information, so a stored passphrase created on one system is unusable on any
other system.
3. Split the mirrored LVM volume into two logical volumes using the lvsplit command.
In the following example, the mirror LVM volume device file is /dev/vg01/lvol5,
and the -s backup option creates a backup mirror volume name using the suffix backup
(/dev/vg01/lvol5backup):
# lvsplit -s backup /dev/vg01/lvol5
Logical volume "/dev/vg01/lvol5backup" has been successfully created
with character device "/dev/vg01/rlvol5backup".
Logical volume "/dev/vg01/lvol5" has been successfully split.
Volume Group configuration has been saved in /etc/lvmconf/vg01.conf
4. Map the backup volume to EVFS. For example:
# evfsvol map /dev/vg01/lvol5backup
This creates the device files /dev/evfs/vg01/lvol5backup and
/dev/evfs/vg01/rlvol5backup.
5. Do not create an EMD area for the EVS volume. The backup volume inherits a copy of the
EMD from the original volume. However, because the backup volume inherits its EMD, the
dirty bit is set even though the backup volume has not been enabled. You must reset the dirty
bit in the EMD of the backup volume using the evfsvol check -r command. The syntax
is as follows:
evfsvol check -r evfs_volume_path
Where evfs_volume_path is the absolute pathname for the EVS volume device file.
For example:
# evfsvol check -r /dev/evfs/vg01/lvol5backup
Encrypted volume "/dev/evfs/vg01/lvol5backup" has not been properly shut down.
Resetting dirty bit...
Encrypted volume "/dev/evfs/vg01/lvol5backup" has been successfully recovered
6. Open raw access to the backup EVS volume using the evfsvol raw command.
CAUTION: After you open the volume for raw access, any entity reading data from the EVS
volume receives encrypted data. Any entity writing data to the EVS volume writes directly to
the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol
raw command only when creating encrypted backup media or restoring encrypted backup
media.
The syntax for the evfsvol raw command is as follows:
evfsvol raw evfs_volume_path
where evfs_volume_path is the absolute pathname for the EVS volume device file.
For example:
# evfsvol raw /dev/evfs/vg01/lvol5backup
7. Use a block device utility such as dd to copy data from the EVFS backup volume to the target
device. For example:
# dd bs=64k if=/dev/evfs/vg01/lvol5backup of=/dev/rmt/0m
8. Close raw access to the backup EVS volume using the evfsvol close command to begin
the procedure to return the backup volume to its original state. For example:
# evfsvol close /dev/evfs/vg01/lvol5backup
9. Unmap the backup EVS volume using the evfsadm unmap command. For example:
# evfsadm unmap /dev/evfs/vg01/lvol5backup
10. Merge the backup volume back with the original LVM volume using the lvmerge command.
For example:
# lvmerge /dev/vg01/lvol5backup /dev/vg01/lvol5
Example
In the following example, the administrator splits the /dev/vg01/lvol5 mirror volume and
creates the /dev/vg01/lvol5backup volume. The target is the /dev/rmt/0m tape device.
The dd command receives encrypted text from the source EVS volume because the volume is open
for raw access.
# lvsplit -s backup /dev/vg01/lvol5
# evfsvol map /dev/vg01/lvol5backup
# evfsvol check -r /dev/evfs/vg01/lvol5backup
# evfsvol raw /dev/evfs/vg01/lvol5backup (EVFS prompts if you want to continue.)
# dd bs=64k if=/dev/evfs/vg01/lvol5backup of=/dev/rmt/0m
# evfsvol close /dev/evfs/vg01/lvol5backup
# evfsadm unmap /dev/evfs/vg01/lvol5backup
# lvmerge /dev/vg01/lvol5backup /dev/vg01/lvol5
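The sequence above wrapped so that cleanup always runs, as an added example (not HP code and not part of the original guide): if dd fails while the backup volume is open for raw access, raw access is still closed, the volume unmapped and the mirror re-merged. The function names, the EVFS_* variables and the return codes are assumptions of this example; mapping uses evfsadm map, the command that step 1 names.

```shell
#!/bin/sh
# Added example, not HP code. Split-mirror encrypted backup to a non-EVFS
# device with guaranteed unwinding of raw access, mapping and mirror split.

# Command runner (assumption of this example). run_dry, the default, only
# records each command; set EVFS_RUN=run_real to execute on the system.
EVFS_RUN=${EVFS_RUN:-run_dry}
EVFS_LOG=""
EVFS_FAIL_ON=${EVFS_FAIL_ON:-}   # rehearsal only: substring of a command to fail

run_real() { "$@"; }             # stdin stays attached for the evfsvol raw prompt

run_dry() {
    EVFS_LOG="${EVFS_LOG}$*
"
    if [ -n "$EVFS_FAIL_ON" ]; then
        case "$*" in *"$EVFS_FAIL_ON"*) return 1 ;; esac
    fi
    return 0
}

# backup_split_mirror_raw LV TARGET [SUFFIX]
#   LV      mirrored LVM volume, e.g. /dev/vg01/lvol5
#   TARGET  non-EVFS backup device, e.g. /dev/rmt/0m
# Returns 0: backup written, mirror merged back
#         1: backup failed, mirror merged back
#         2: cleanup failed; the backup volume may still be mapped or open
#            for raw access and needs manual attention
backup_split_mirror_raw() {
    lv=$1; target=$2; suffix=${3:-backup}
    blv="${lv}${suffix}"               # /dev/vg01/lvol5backup
    evs="/dev/evfs/${blv#/dev/}"       # /dev/evfs/vg01/lvol5backup
    stage=0; rc=0

    # Step 3: split the mirror. Nothing to unwind if this fails.
    "$EVFS_RUN" lvsplit -s "$suffix" "$lv" || return 1
    stage=1
    # Step 4: map the split-off volume to EVFS.
    if "$EVFS_RUN" evfsadm map "$blv"; then
        stage=2
        # Steps 5-6: reset the inherited dirty bit, then open raw access.
        if "$EVFS_RUN" evfsvol check -r "$evs" &&
           "$EVFS_RUN" evfsvol raw "$evs"; then
            stage=3
            # Step 7: dd reads ciphertext because the volume is in raw mode.
            "$EVFS_RUN" dd bs=64k if="$evs" of="$target" || rc=1
        else
            rc=1
        fi
    else
        rc=1
    fi

    # Steps 8-10 in order. Each depends on the one before it, so stop at the
    # first failure instead of merging a volume that is still open or mapped.
    if [ "$stage" -ge 3 ]; then
        "$EVFS_RUN" evfsvol close "$evs" || return 2
    fi
    if [ "$stage" -ge 2 ]; then
        "$EVFS_RUN" evfsadm unmap "$evs" || return 2
    fi
    "$EVFS_RUN" lvmerge "$blv" "$lv" || return 2
    return "$rc"
}

# With two arguments, act on them; otherwise rehearse the page's example
# volume and tape device with the recorder and print the command sequence.
if [ "$#" -ge 2 ]; then
    backup_split_mirror_raw "$@"
else
    EVFS_RUN=run_dry
    backup_split_mirror_raw /dev/vg01/lvol5 /dev/rmt/0m
fi
printf '%s' "$EVFS_LOG"
```

A return code of 2 is the case to alert on: the backup volume may still be open for raw access, where writes bypass encryption.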
Creating encrypted backup media on a second EVS volume using a block device utility (LVM
mirrored volumes)
If you have LVM mirrored volumes, use the following procedure to perform online encrypted backups
to a second (target) EVS volume using a block device backup utility, such as dd.
To use this backup procedure, you must have the appropriate file permissions to access the EVS
volume device file and meet at least one of the following criteria:
• You are the volume owner.
• You are an authorized user for the volume.
• A stored passphrase exists for one of the volume's user key pairs, and you know the key ID
for the key pair.
CAUTION: Encryption and decryption must be enabled on both the source volume and target
volume. The backup utility will receive cleartext data from the source EVS volume, and EVFS will
encrypt the data when writing it to the target EVS volume.
Do not back up data from a volume with EVFS encryption and decryption disabled to a volume
with EVFS encryption and decryption enabled. If you do, the data will be encrypted twice.
1. Configure the mirror, if you have not already done so. Create the mirror copy using the
lvcreate -m or lvextend -m command. Configure EVFS on the LVM volume using the
evfsadm map and evfsvol create commands. Enable the EVS volume using the evfsvol
enable command and migrate data to the EVS volume, if necessary.
2. Split the mirrored LVM volume into two logical volumes using the lvsplit command. In the
example below, the mirror LVM volume device file is /dev/vg01/lvol5 and the -s backup
option creates a backup mirror volume name using the suffix backup
(/dev/vg01/lvol5backup):
# lvsplit -s backup /dev/vg01/lvol5
Logical volume "/dev/vg01/lvol5backup" has been successfully created
with character device "/dev/vg01/rlvol5backup".
Logical volume "/dev/vg01/lvol5" has been successfully split.
Volume Group configuration has been saved in /etc/lvmconf/vg01.conf
3. Map the backup volume to EVFS. For example:
# evfsvol map /dev/vg01/lvol5backup
This creates the device files /dev/evfs/vg01/lvol5backup and
/dev/evfs/vg01/rlvol5backup.
4. Do not create an EMD area for the EVS volume. The backup volume inherits a copy of the
EMD from the original volume. However, because the backup volume inherits its EMD, the
dirty bit is set even though the backup volume has not been enabled. You must reset the dirty
bit in the EMD of the backup volume using the evfsvol check -r command.
The syntax is as follows:
evfsvol check -r evfs_volume_path
Where evfs_volume_path is the absolute pathname for the EVS volume device file.
For example:
# evfsvol check -r /dev/evfs/vg01/lvol5backup
Encrypted volume "/dev/evfs/vg01/lvol5backup" has not been properly shut down.
Resetting dirty bit...
Encrypted volume "/dev/evfs/vg01/lvol5backup" has been successfully recovered
5. Enable the EVFS backup volume using the evfsvol enable command. You must be the
volume owner or authorized user for the original EVS volume to complete this step, and EVFS
prompts you for a passphrase if one is not stored. For example:
# evfsvol enable -k mykey /dev/evfs/vg01/lvol5backup
6. EVFS encryption and decryption must be enabled on the target volume also. Use the evfsadm
stat -a or evfsvol display evfs_volume_path command to verify that EVFS is
enabled on the target volume. In this example, /dev/evfs/vg01/lvol6 is a spare EVS
volume that will be used as the backup target device:
# evfsvol display /dev/evfs/vg01/lvol6
7. Create encrypted backup media by using dd to copy the entire volume to a second EVS volume
that is also enabled.
For example:
# dd bs=64k if=/dev/evfs/vg01/lvol5backup of=/dev/evfs/vg01/lvol6
8. Disable the EVFS backup volume to begin the procedure to return the backup volume to its
original state. For example:
# evfsvol disable -k mykey /dev/evfs/vg01/lvol5backup
The evfsvol utility prompts you for the passphrase if a stored passphrase does not exist.
9. Unmap EVS volume using the evfsadm unmap command. For example:
# evfsadm unmap /dev/evfs/vg01/lvol5backup
10. Merge the backup volume back with the original LVM volume using the lvmerge command.
For example:
# lvmerge /dev/vg01/lvol5backup /dev/vg01/lvol5
Example
In the following example, the administrator splits the /dev/vg01/lvol5 mirror volume and
creates the /dev/vg01/lvol5backup volume. The target is the EVS volume /dev/evfs/vg01/lvol6.
The dd command receives cleartext from the source EVS volume and the target EVS volume
encrypts the data.
# lvsplit -s backup /dev/vg01/lvol5 (LVM creates the /dev/vg01/lvol5backup volume.)
# evfsvol map /dev/vg01/lvol5backup
# evfsvol check -r /dev/evfs/vg01/lvol5backup
# evfsvol enable -k mykey /dev/evfs/vg01/lvol5backup (evfsvol prompts for a passphrase if there is no stored passphrase.)
# evfsvol display /dev/evfs/vg01/lvol6 (Verify that the target EVFS volume is enabled)
# dd bs=64k if=/dev/evfs/vg01/lvol5backup of=/dev/evfs/vg01/lvol6
# evfsvol disable -k mykey /dev/evfs/vg01/lvol5backup (evfsvol prompts for a passphrase if there is no stored passphrase)
# evfsadm unmap /dev/evfs/vg01/lvol5backup
# lvmerge /dev/vg01/lvol5backup /dev/vg01/lvol5
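If dd or any earlier command in the sequence above fails, the split mirror can be left enabled, mapped and unmerged. The following added example (not HP's code) issues the same commands while keeping a teardown stack, so that disable, unmap and lvmerge run in reverse order whatever happens. DRY_RUN, FAIL_AT and the function names are assumptions of this example, and it assumes each command exits nonzero on failure.

```shell
#!/bin/sh
# Added example, not HP's code: LVM dd backup with guaranteed teardown.
# DRY_RUN=1 (default) only records commands; use DRY_RUN=0 on a real host.
DRY_RUN=${DRY_RUN:-1}
FAIL_AT=${FAIL_AT:-}   # hypothetical test hook: dry-run commands containing this text fail
NL='
'
LOG=""                 # every command issued, one per line
UNDO=""                # teardown stack, most recent first, one command per line

# Record a command and, outside dry-run, execute it.
run() {
    LOG="${LOG}$*${NL}"
    if [ "$DRY_RUN" = 1 ]; then
        if [ -n "$FAIL_AT" ]; then
            case "$*" in *"$FAIL_AT"*) return 1 ;; esac
        fi
        return 0
    fi
    "$@"
}

# Push the command that reverses the setup step that just succeeded.
push_undo() { UNDO="$*${NL}${UNDO}"; }

# Run teardown newest-first. Stop at the first failure so $UNDO still
# lists the steps an operator has to finish by hand.
rollback() {
    while [ -n "$UNDO" ]; do
        cmd=${UNDO%%"$NL"*}
        run $cmd || return 1      # unquoted on purpose: split into words
        UNDO=${UNDO#*"$NL"}
    done
}

# backup_lvm_dd LVOL VG KEYID TARGET_EVS_VOLUME
# Returns 0 on success, 1 if setup or dd failed (teardown completed),
# 2 if teardown itself failed.
# Assumption: only the exit status of "evfsvol display" is used, because
# the page does not show its output format; read the output yourself to
# confirm that the target volume is enabled.
backup_lvm_dd() {
    lv=$1; vg=$2; key=$3; target=$4
    split=/dev/$vg/${lv}backup
    evs=/dev/evfs/$vg/${lv}backup
    LOG=""; UNDO=""; rc=0
    {
        run lvsplit -s backup "/dev/$vg/$lv" &&
        push_undo lvmerge "$split" "/dev/$vg/$lv" &&
        run evfsvol map "$split" &&
        push_undo evfsadm unmap "$evs" &&
        run evfsvol check -r "$evs" &&
        run evfsvol enable -k "$key" "$evs" &&
        push_undo evfsvol disable -k "$key" "$evs" &&
        run evfsvol display "$target" &&
        run dd bs=64k if="$evs" of="$target"
    } || rc=1
    rollback || rc=2
    return $rc
}

# Dry-run with the page's example names; prints the planned command order.
backup_lvm_dd lvol5 vg01 mykey /dev/evfs/vg01/lvol6
printf '%s' "$LOG"
```

With DRY_RUN=0 the evfsvol enable and disable steps still prompt for the passphrase when none is stored. A return value of 2 means the commands remaining in UNDO must be completed by hand.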
Creating encrypted backup media on a second EVS volume using a file utility (LVM mirrored volumes)
If you have LVM mirrored volumes, use the following procedure to perform online encrypted backups
to a second (target) EVS volume using a file-based backup utility, such as tar or cp.
To use this backup procedure, you must have the appropriate file permissions to access the EVS
volume device file and meet at least one of the following criteria:
• You are the volume owner.
• You are an authorized user for the volume.
• A stored passphrase exists for one of the volume's user key pairs, and you know the key ID
for the key pair.
CAUTION: You must enable encryption and decryption on both the source volume and target
volume. This requirement causes the backup utility to receive cleartext data from the source EVS
volume, and causes EVFS to encrypt the data when writing it to the target EVS volume.
Do not back up data from a volume with EVFS encryption and decryption disabled to a volume
with EVFS encryption and decryption enabled. If you do, the data is encrypted twice.
1. Configure the mirror, if you have not already done so. Create the mirror copy using the
lvcreate -m or lvextend -m command. Configure EVFS on the LVM volume using the
evfsadm map and evfsvol create commands. Enable the EVS volume using the evfsvol
enable command, and migrate data to the EVS volume, if necessary.
2. Split the mirrored LVM volume into two logical volumes using the lvsplit command. In the
following example, the mirror LVM volume device file is /dev/vg01/lvol5 and the -s
backup option creates a backup mirror volume name using the suffix backup
(/dev/vg01/lvol5backup):
# lvsplit -s backup /dev/vg01/lvol5
Logical volume "/dev/vg01/lvol5backup" has been successfully created
with character device "/dev/vg01/rlvol5backup".
Logical volume "/dev/vg01/lvol5" has been successfully split.
Volume Group configuration has been saved in /etc/lvmconf/vg01.conf
3. Map the backup volume to EVFS. For example:
# evfsvol map /dev/vg01/lvol5backup
This creates the device files /dev/evfs/vg01/lvol5backup and
/dev/evfs/vg01/rlvol5backup.
4. Do not create an EMD area for the EVS volume. The backup volume inherits a copy of the
EMD from the original volume. However, because the backup volume inherits its EMD, the
dirty bit is set even though the backup volume has not been enabled. You must reset the dirty
bit in the EMD of the backup volume using the evfsvol check -r command.
The syntax is as follows:
evfsvol check -r evfs_volume_path
Where evfs_volume_path is the absolute pathname for the EVS volume device file.
For example:
# evfsvol check -r /dev/evfs/vg01/lvol5backup
Encrypted volume "/dev/evfs/vg01/lvol5backup" has not been properly shut down.
Resetting dirty bit...
Encrypted volume "/dev/evfs/vg01/lvol5backup" has been successfully recovered
5. Enable the EVFS backup volume using the evfsvol enable command. You must be the
volume owner or authorized user for the original EVS volume to complete this step, and EVFS
prompts you for a passphrase if one is not stored. For example:
# evfsvol enable -k mykey /dev/evfs/vg01/lvol5backup
6. Check the file system on the EVFS backup volume for consistency using the fsck command.
For example:
# fsck -F vxfs /dev/evfs/vg01/rlvol5backup
7. Create a temporary directory to use as mount point for the EVFS backup volume. For example:
# mkdir /opt/evfs/backup_source
8. Mount the temporary directory on the EVFS backup volume. For example:
# mount -F vxfs /dev/evfs/vg01/lvol5backup /opt/evfs/backup_source
9. EVFS encryption and decryption must be enabled on the target volume also. Use the evfsadm
stat -a or evfsvol display evfs_volume_path command to verify that EVFS is
enabled on the target volume. In this example, /dev/evfs/vg01/lvol6 is a spare EVS
volume that will be used as the backup target device:
# evfsvol display /dev/evfs/vg01/lvol6
10. Use a file-based backup utility to back up data from the temporary directory to a directory on the
target volume. In this example, the directory /opt/evfs/backup_target is mounted on
the spare EVS volume /dev/evfs/vg01/lvol6:
# cp -r /opt/evfs/backup_source /opt/evfs/backup_target
11. Unmount the file system on the EVFS backup volume to begin the procedure to return the
backup volume to its original state. For example:
# umount /opt/evfs/backup_source
12. Disable the EVFS backup volume. For example:
# evfsvol disable -k mykey /dev/evfs/vg01/lvol5backup
The evfsvol utility prompts you for the passphrase if a stored passphrase does not exist.
13. Unmap the backup EVS volume using the evfsadm unmap command. For example:
# evfsadm unmap /dev/evfs/vg01/lvol5backup
14. Merge the backup volume back with the original LVM volume using the lvmerge command.
For example:
# lvmerge /dev/vg01/lvol5backup /dev/vg01/lvol5
Example
In the following example, the administrator splits the mirror volume /dev/vg01/lvol5 and
creates the volume /dev/vg01/lvol5backup and mounts the file system on /opt/evfs/backup_source.
The target is the directory /opt/evfs/backup_target, which is mounted
on the EVS volume /dev/evfs/vg01/lvol6. The cp command receives cleartext from the source
EVS volume and the target EVS volume encrypts the data.
# lvsplit -s backup /dev/vg01/lvol5 (LVM creates the /dev/vg01/lvol5backup volume)
# evfsvol map /dev/vg01/lvol5backup
# evfsvol check -r /dev/evfs/vg01/lvol5backup
# evfsvol enable -k mykey /dev/evfs/vg01/lvol5backup (evfsvol prompts for a passphrase if there is no stored passphrase.)
# fsck -F vxfs /dev/evfs/vg01/lvol5backup
# mkdir /opt/evfs/backup_source
# mount -F vxfs /dev/evfs/vg01/lvol5backup /opt/evfs/backup_source
# evfsvol display /dev/evfs/vg01/lvol6 (Verify that the target EVFS volume is enabled.)
# cp -r /opt/evfs/backup_source /opt/evfs/backup_target (/opt/evfs/backup_target is mounted on /dev/evfs/vg01/lvol6)
# umount /opt/evfs/backup_source
# evfsvol disable -k mykey /dev/evfs/vg01/lvol5backup (evfsvol prompts for a passphrase if there is no stored passphrase.)
# evfsadm unmap /dev/evfs/vg01/lvol5backup
# lvmerge /dev/vg01/lvol5backup /dev/vg01/lvol5
Creating cleartext backup media (LVM mirrored volumes)
If you have mirrored LVM volumes, you can create cleartext backup media using the procedure
described in “Creating encrypted backup media on a second EVS volume using a block device
utility (LVM mirrored volumes)” (page 82) or “Creating encrypted backup media on a second EVS
volume using a file utility (LVM mirrored volumes)” (page 84). However, instead of using a second
EVS volume as the target for the backup utility, use a non-EVFS device as the target. In both cases,
the source EVS volume is enabled when you execute the backup utility, so the backup utility receives
the data in cleartext.
Example: Block device utility
In the following example, the administrator splits the /dev/vg01/lvol5 mirror volume and
creates the /dev/vg01/lvol5backup volume. The target is the /dev/rmt/0m tape device. The
dd command receives cleartext from the source EVS volume.
# lvsplit -s backup /dev/vg01/lvol5 (LVM creates the /dev/vg01/lvol5backup volume.)
# evfsvol map /dev/vg01/lvol5backup
# evfsvol check -r /dev/evfs/vg01/lvol5backup
# evfsvol enable -k mykey /dev/evfs/vg01/lvol5backup (evfsvol prompts for a passphrase if there is no stored passphrase.)
# dd bs=64k if=/dev/evfs/vg01/lvol5backup of=/dev/rmt/0m
# evfsvol disable -k mykey /dev/evfs/vg01/lvol5backup (evfsvol prompts for a passphrase if there is no stored passphrase.)
# evfsadm unmap /dev/evfs/vg01/lvol5backup
# lvmerge /dev/vg01/lvol5backup /dev/vg01/lvol5
Example: File utility
In the following example, the administrator splits the /dev/vg01/lvol5 mirror volume, creates
the /dev/vg01/lvol5backup volume, and mounts the file system on /opt/evfs/backup_source.
The target is the non-encrypted directory /opt/foo/backup_target. The
cp command receives cleartext from the source EVS volume.
# lvsplit -s backup /dev/vg01/lvol5 (LVM creates the /dev/vg01/lvol5backup volume.)
# evfsvol map /dev/vg01/lvol5backup
# evfsvol check -r /dev/evfs/vg01/lvol5backup
# evfsvol enable -k mykey /dev/evfs/vg01/lvol5backup (evfsvol prompts for a passphrase if there is no stored passphrase.)
# fsck -F vxfs /dev/evfs/vg01/lvol5backup
# mkdir /opt/evfs/backup_source
# mount -F vxfs /dev/evfs/vg01/lvol5backup /opt/evfs/backup_source
# cp -r /opt/evfs/backup_source /opt/foo/backup_target
# umount /opt/evfs/backup_source
# evfsvol disable -k mykey /dev/evfs/vg01/lvol5backup (evfsvol prompts for a passphrase if there is no stored passphrase.)
# evfsadm unmap /dev/evfs/vg01/lvol5backup
# lvmerge /dev/vg01/lvol5backup /dev/vg01/lvol5
Backups using VxVM mirrored volumes
If you have VxVM mirrored volumes, you can back up the EVS volumes online, without disabling
the EVS volume or interrupting access to the data.
This section describes the following procedures:
• “Creating encrypted backup media on a non-EVFS device (VxVM mirrored volumes)” (page 87)
• “Creating encrypted backup media on a second EVS volume using a block device utility (VxVM mirrored volumes)” (page 89)
• “Creating encrypted backup media on a second EVS volume using a file utility (VxVM mirrored volumes)” (page 91)
• “Creating cleartext backup media (VxVM mirrored volumes)” (page 93)
Creating encrypted backup media on a non-EVFS device (VxVM mirrored volumes)
If you have VxVM mirrored volumes, use the following procedure to perform online encrypted
backups to a non-EVFS target device, such as a tape drive. You must use a block device backup
utility, such as dd.
You must have the appropriate file permissions to access the EVS volume device file to use this
procedure.
1. Configure the mirror, if you have not already done so. Create the mirror by using the
vxassist mirror command or by creating a plex and attaching it to a VxVM volume using
the vxplex att command. Configure EVFS on the VxVM volume using the evfsadm map
and evfsvol create commands. Enable the EVS volume using the evfsvol enable
command, and migrate data to the EVS volume if necessary.
2. Create a backup copy of the user key database (user key pairs and any passphrase files) if
a copy does not already exist. Determine the directories used for the key database by checking
the pkey attribute statement in the /etc/evfs/evfs.conf file, and back up the database.
By default, EVFS stores the user key database in subdirectories below the /etc/evfs/pkey/
users directory.
If you are restoring the data to another system, you must know the passphrase for the volume
owner's private key. Stored passphrase files are encrypted with system-specific information,
so a stored passphrase created on one system is unusable on any other system.
3. Dissociate a plex from the volume using the vxplex dis command. In the following example,
the vol05 volume in the testdg disk group has two plexes, vol05-01 and vol05-02,
and the administrator dissociates the vol05-02 plex to use as the source for the backup:
# vxplex -g testdg dis -v vol05 vol05-02
4. Use the vxmake command to create a temporary volume for the backup, such as backupvol,
with the dissociated plex. For example:
# vxmake -g testdg -U gen vol backupvol plex=vol05-02
5. Start the backup VxVM volume using the vxvol start command. For example:
# vxvol -g testdg start backupvol
6. Map the backup VxVM volume to EVFS. For example:
# evfsvol map /dev/vx/dsk/testdg/backupvol
This creates the device files /dev/evfs/vx/dsk/testdg/backupvol and
/dev/evfs/vx/rdsk/testdg/backupvol.
7. Do not create an EMD area for the EVS volume. The backup volume inherits a copy of the
EMD from the original volume. However, because the backup volume inherits its EMD, the
dirty bit is set even though the backup volume has not been enabled. You must reset the dirty
bit in the EMD of the backup volume using the evfsvol check -r command.
The syntax is as follows:
evfsvol check -r evfs_volume_path
Where evfs_volume_path is the absolute pathname for the EVS volume device file.
For example:
# evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol
Encrypted volume "/dev/evfs/vx/dsk/testdg/backupvol" has not been properly shut down.
Resetting dirty bit...
Encrypted volume "/dev/evfs/vx/dsk/testdg/backupvol" has been successfully recovered
8. Open raw access to the backup EVS volume using the evfsvol raw command.
CAUTION: After you open the volume for raw access, any entity reading data from the EVS
volume receives encrypted data. Any entity writing data to the EVS volume writes directly to
the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol
raw command only when creating encrypted backup media or restoring encrypted backup
media.
The syntax for the evfsvol raw command is as follows:
evfsvol raw evfs_volume_path
where evfs_volume_path is the absolute pathname for the EVS volume device file.
For example:
# evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol
9. Use a block device utility, such as dd, to copy data from the backup EVS volume to the target
device. For example:
# dd bs=64k if=/dev/evfs/vx/dsk/testdg/backupvol of=/dev/rmt/0m
10. Close raw access to the backup EVS volume using the evfsvol close command to begin
the procedure to return the backup volume to its original state. For example:
# evfsvol close /dev/evfs/vx/dsk/testdg/backupvol
11. Unmap the backup EVS volume using the evfsadm unmap command. For example:
# evfsadm unmap /dev/evfs/vx/dsk/testdg/backupvol
12. Stop the backup VxVM volume using the vxvol stop command. For example:
# vxvol -g testdg stop backupvol
13. Dissociate the plex from the backup VxVM volume using the vxplex dis command. For
example:
# vxplex -g testdg -v backupvol dis vol05-02
14. Attach the plex back to the original VxVM volume using the vxplex att command. For
example:
# vxplex -g testdg -v vol05 att vol05-02
15. Remove the temporary backup volume using the vxassist remove volume command.
For example:
# vxassist -g testdg remove volume backupvol
Example
In the following example, the volume vol05 in disk group testdg has two plexes, vol05-01
and vol05-02. The administrator dissociates plex vol05-02 to use as the source for the backup.
The target is the tape device /dev/rmt/0m. The dd command receives encrypted text from the
source EVS volume because it is open for raw access.
# vxplex -g testdg dis -v vol05 vol05-02
# vxmake -g testdg -U gen vol backupvol plex=vol05-02
# vxvol -g testdg start backupvol
# evfsvol map /dev/vx/dsk/testdg/backupvol
# evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol
# evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol (EVFS prompts if you want to continue.)
# dd bs=64k if=/dev/evfs/vx/dsk/testdg/backupvol of=/dev/rmt/0m
# evfsvol close /dev/evfs/vx/dsk/testdg/backupvol
# evfsadm unmap /dev/evfs/vx/dsk/testdg/backupvol
# vxvol -g testdg stop backupvol
# vxplex -g testdg -v backupvol dis vol05-02
# vxplex -g testdg -v vol05 att vol05-02
# vxassist -g testdg remove volume backupvol
Creating encrypted backup media on a second EVS volume using a block device utility (VxVM mirrored volumes)
If you have VxVM mirrored volumes, use the following procedure to perform online encrypted
backups to a second (target) EVS volume using a block device backup utility, such as dd.
To use this backup procedure, you must have the appropriate file permissions to access the EVS
volume device file and meet at least one of the following criteria:
• You are the volume owner.
• You are an authorized user for the volume.
• A stored passphrase exists for one of the volume's user key pairs, and you know the key ID
for the key pair.
CAUTION: You must enable encryption and decryption on both the source volume and target
volume. This requirement causes the backup utility to receive cleartext data from the source EVS
volume, and causes EVFS to encrypt the data when writing it to the target EVS volume.
Do not back up data from a volume with EVFS encryption and decryption disabled to a volume
with EVFS encryption and decryption enabled. If you do, the data is encrypted twice.
1. Configure the mirror if you have not already done so. Create the mirror by using the vxassist
mirror command or by creating a plex and attaching it to a VxVM volume using the
vxplex att command. Configure EVFS on the VxVM volume using the evfsadm map and
evfsvol create commands. Enable the EVS volume using the evfsvol enable command,
and migrate data to the EVS volume if necessary.
2. Dissociate a plex from the volume using the vxplex dis command. In the following example,
the volume vol05 in disk group testdg has two plexes, vol05-01 and vol05-02, and
the administrator dissociates plex vol05-02 to use as the source for the backup:
# vxplex -g testdg -v vol05 dis vol05-02
3. Use the vxmake command to create a temporary volume for the backup, such as backupvol,
with the dissociated plex. For example:
# vxmake -g testdg -U gen vol backupvol plex=vol05-02
4. Start the backup VxVM volume using the vxvol start command. For example:
# vxvol -g testdg start backupvol
5. Map the backup VxVM volume to EVFS. For example:
# evfsvol map /dev/vx/dsk/testdg/backupvol
This creates the device files /dev/evfs/vx/dsk/testdg/backupvol and
/dev/evfs/vx/rdsk/testdg/backupvol.
6. Do not create an EMD area for the EVS volume. The backup volume inherits a copy of the
EMD from the original volume. However, because the backup volume inherits its EMD, the
dirty bit is set even though the backup volume has not been enabled. You must reset the dirty
bit in the EMD of the backup volume using the evfsvol check -r command.
The syntax is as follows:
evfsvol check -r evfs_volume_path
Where evfs_volume_path is the absolute pathname for the EVS volume device file.
For example:
# evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol
Encrypted volume "/dev/evfs/vx/dsk/testdg/backupvol" has not been properly shut down.
Resetting dirty bit...
Encrypted volume "/dev/evfs/vx/dsk/testdg/backupvol" has been successfully recovered
7. Enable the encryption and decryption access to the backup volume using the evfsvol
enable command. For example:
# evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
8. Use the evfsadm stat -a or evfsvol display evfs_volume_path command to
verify that EVFS is enabled on the target volume. In this example,
/dev/evfs/vx/dsk/testdg/vol06 is a spare EVS volume that will be used as the backup target device:
# evfsvol display /dev/evfs/vx/dsk/testdg/vol06
9. Create encrypted backup media by using a block-device utility, such as dd, to copy the entire
volume to a second EVS volume that is also enabled.
For example:
# dd bs=64k if=/dev/evfs/vx/dsk/testdg/backupvol of=/dev/evfs/vx/dsk/testdg/vol06
10. Begin the procedure to bring the backup volume and plex back to their original state. Disable
the EVFS backup volume. For example:
# evfsvol disable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
The evfsvol utility prompts you for the passphrase if a stored passphrase does not exist.
11. Unmap the backup EVS volume using the evfsadm unmap command. For example:
# evfsadm unmap /dev/evfs/vx/dsk/testdg/backupvol
12. Stop the backup VxVM volume using the vxvol stop command. For example:
# vxvol -g testdg stop backupvol
13. Dissociate the plex from the backup VxVM volume using the vxplex dis command. For
example:
# vxplex -g testdg -v backupvol dis vol05-02
14. Attach the plex back to the original VxVM volume using the vxplex att command. For
example:
# vxplex -g testdg -v vol05 att vol05-02
15. Remove the temporary backup volume using the vxassist remove volume command.
For example:
# vxassist -g testdg remove volume backupvol
Example
In the following example, the volume vol05 in disk group testdg has two plexes, vol05-01
and vol05-02. The administrator dissociates plex vol05-02 to use as the source for the backup,
and mounts the file system on the temporary mount point /opt/evfs/backup_source. The
target is the EVS volume /dev/evfs/vx/dsk/testdg/vol06. The dd command receives
cleartext from the source EVS volume, and the target EVS volume encrypts the data.
# vxplex -g testdg dis -v vol05 vol05-02
# vxmake -g testdg -U gen vol backupvol plex=vol05-02
# vxvol -g testdg start backupvol
# evfsvol map /dev/vx/dsk/testdg/backupvol
# evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol
# evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
# evfsvol display /dev/evfs/vx/dsk/testdg/vol06 (the target volume must be enabled)
# dd bs=64k if=/dev/evfs/vx/dsk/testdg/backupvol of=/dev/evfs/vx/dsk/testdg/vol06
# evfsvol disable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
# evfsadm unmap /dev/evfs/vx/dsk/testdg/backupvol
# vxvol -g testdg stop backupvol
# vxplex -g testdg -v backupvol dis vol05-02
# vxplex -g testdg -v vol05 att vol05-02
# vxassist -g testdg remove volume backupvol
Creating encrypted backup media on a second EVS volume using a file utility (VxVM mirrored volumes)
If you have VxVM mirrored volumes, use the following procedure to perform online encrypted
backups to a second (target) EVS volume using a file-based backup utility, such as tar or cp.
To use this backup procedure, you must have the appropriate file permissions to access the EVS
volume device file and meet at least one of the following criteria:
• You are the volume owner.
• You are an authorized user for the volume.
• A stored passphrase exists for one of the volume's user key pairs, and you know the key ID
for the key pair.
CAUTION: You must enable encryption and decryption on both the source volume and target
volume. This requirement causes the backup utility to receive cleartext data from the source EVS
volume, and causes EVFS to encrypt the data when writing it to the target EVS volume.
Do not back up data from a volume with EVFS encryption and decryption disabled to a volume
with EVFS encryption and decryption enabled. If you do, the data is encrypted twice.
1. Configure the mirror if you have not already done so. Create the mirror by using the vxassist
mirror command or by creating a plex and attaching it to a VxVM volume using the
vxplex att command. Configure EVFS on the VxVM volume using the evfsadm map and
evfsvol create commands. Enable the EVS volume using the evfsvol enable command,
and migrate data to the EVS volume if necessary.
2. Dissociate a plex from the volume using the vxplex dis command. In the following example,
the volume vol05 in disk group testdg has two plexes, vol05-01 and vol05-02, and
the administrator dissociates plex vol05-02 to use as the source for the backup:
# vxplex -g testdg -v vol05 dis vol05-02
3. Use the vxmake command to create a temporary volume for the backup, such as backupvol,
with the dissociated plex. For example:
# vxmake -g testdg -U gen vol backupvol plex=vol05-02
4. Start the backup VxVM volume using the vxvol start command. For example:
# vxvol -g testdg start backupvol
5. Map the backup VxVM volume to EVFS. For example:
# evfsvol map /dev/vx/dsk/testdg/backupvol
This creates the device files /dev/evfs/vx/dsk/testdg/backupvol and
/dev/evfs/vx/rdsk/testdg/backupvol.
6. Do not create an EMD area for the EVS volume. The backup volume inherits a copy of the
EMD from the original volume. However, because the backup volume inherits its EMD, the
dirty bit is set even though the backup volume has not been enabled. You must reset the dirty
bit in the EMD of the backup volume using the evfsvol check -r command.
The syntax is as follows:
evfsvol check -r evfs_volume_path
Where evfs_volume_path is the absolute pathname for the EVS volume device file.
For example:
# evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol
Encrypted volume "/dev/evfs/vx/dsk/testdg/backupvol" has not been properly shut down.
Resetting dirty bit...
Encrypted volume "/dev/evfs/vx/dsk/testdg/backupvol" has been successfully recovered
7. Enable the EVFS backup volume using the evfsvol enable command. For example:
# evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
8. Check the file system on the character (raw) EVFS backup volume for consistency using the
fsck command. For example:
# fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol
9. Create a temporary directory to use as mount point for the EVFS backup volume. For example:
# mkdir /opt/evfs/backup_source
10. Mount the temporary directory on the EVFS backup volume. For example:
# mount -F vxfs /dev/evfs/vx/dsk/testdg/backupvol /opt/evfs/backup_source
11. Use the evfsadm stat -a or evfsvol display evfs_volume_path command to
verify that EVFS is enabled on the target volume. In this example,
/dev/evfs/vx/dsk/testdg/vol06 is a spare EVS volume that is used as the backup target device:
# evfsvol display /dev/evfs/vx/dsk/testdg/vol06
12. Use a file-based backup utility to back up data from the temporary directory to a directory on the
target volume. In this example, the directory /opt/evfs/backup_target is mounted on
the spare EVS volume /dev/evfs/vx/dsk/testdg/vol06:
# cp -r /opt/evfs/backup_source /opt/evfs/backup_target
13. Unmount the file system on the EVFS backup volume to begin the procedure to return the
backup volume to its original state. For example:
# umount /opt/evfs/backup_source
14. Disable the EVFS backup volume. For example:
# evfsvol disable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
The evfsvol utility prompts you for the passphrase if a stored passphrase does not exist.
15. Unmap the backup EVS volume using the evfsadm unmap command. For example:
# evfsadm unmap /dev/evfs/vx/dsk/testdg/backupvol
16. Stop the backup VxVM volume using the vxvol stop command. For example:
# vxvol -g testdg stop backupvol
17. Dissociate the plex from the backup VxVM volume using the vxplex dis command. For
example:
# vxplex -g testdg -v backupvol dis vol05-02
18. Attach the plex back to the original VxVM volume using the vxplex att command. For
example:
# vxplex -g testdg -v vol05 att vol05-02
19. Remove the temporary backup volume using the vxassist remove volume command.
For example:
# vxassist -g testdg remove volume backupvol
Example
In the following example, the volume vol05 in disk group testdg has two plexes, vol05-01
and vol05-02. The administrator dissociates plex vol05-02 to use as the source for the backup,
and mounts the file system on the temporary mount point /opt/evfs/backup_source. The
target is the directory /opt/evfs/backup_target, which is mounted on the EVS volume
/dev/evfs/vx/dsk/testdg/vol06. The cp command receives cleartext from the source EVS volume,
and the target EVS volume encrypts the data.
# vxplex -g testdg dis -v vol05 vol05-02
# vxmake -g testdg -U gen vol backupvol plex=vol05-02
# vxvol -g testdg start backupvol
# evfsvol map /dev/vx/dsk/testdg/backupvol
# evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol
# evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
# fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol
# mount -F vxfs /dev/evfs/vx/dsk/testdg/backupvol /opt/evfs/backup_source
# evfsvol display /dev/evfs/vx/dsk/testdg/vol06 (the target volume must be enabled)
# cp -r /opt/evfs/backup_source /opt/evfs/backup_target
# umount /opt/evfs/backup_source
# evfsvol disable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
# evfsadm unmap /dev/evfs/vx/dsk/testdg/backupvol
# vxvol -g testdg stop backupvol
# vxplex -g testdg -v backupvol dis vol05-02
# vxplex -g testdg -v vol05 att vol05-02
# vxassist -g testdg remove volume backupvol
Creating cleartext backup media (VxVM mirrored volumes)
If you have mirrored VxVM volumes, you can create cleartext backup media using the procedure
described in “Creating encrypted backup media on a second EVS volume using a block device
utility (VxVM mirrored volumes)” (page 89) or “Creating encrypted backup media on a second
EVS volume using a file utility (VxVM mirrored volumes)” (page 91). However, instead of using a
second EVS volume as the target for the backup utility, use a non-EVFS device as the target. In
both cases, the source EVS volume is enabled when you execute the backup utility, so the backup
utility receives the data in cleartext.
Example: Block device utility
In the following example, the volume vol05 in disk group testdg has two plexes, vol05-01
and vol05-02. The administrator dissociates plex vol05-02 to use as the source for the backup
and mounts the file system on the temporary mount point /opt/evfs/backup_source. The
tape device /dev/rmt/0m is the target. The dd command receives cleartext from the source EVS
volume.
# vxplex -g testdg dis -v vol05 vol05-02
# vxmake -g testdg -U gen vol backupvol plex=vol05-02
# vxvol -g testdg start backupvol
# evfsvol map /dev/vx/dsk/testdg/backupvol
# evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol
# evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol (evfsvol prompts for a passphrase if there is no stored passphrase)
# dd bs=64k if=/dev/evfs/vx/dsk/testdg/backupvol of=/dev/rmt/0m
# evfsvol disable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
# evfsadm unmap /dev/evfs/vx/dsk/testdg/backupvol
# vxvol -g testdg stop backupvol
# vxplex -g testdg -v backupvol dis vol05-02
# vxplex -g testdg -v vol05 att vol05-02
# vxassist -g testdg remove volume backupvol
Example: File utility
In the following example, the volume vol05 in disk group testdg has two plexes, vol05-01
and vol05-02. The administrator dissociates plex vol05-02 to use as the source for the backup
and mounts the file system on the temporary mount point /opt/evfs/backup_source. The
directory /opt/evfs/backup_target is a non-encrypted file system. The cp command receives
cleartext from the source EVS volume.
# vxplex -g testdg dis -v vol05 vol05-02
# vxmake -g testdg -U gen vol backupvol plex=vol05-02
# vxvol -g testdg start backupvol
# evfsvol map /dev/vx/dsk/testdg/backupvol
# evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol
# evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol (evfsvol prompts for a passphrase if there is no stored passphrase)
# fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol
# mount -F vxfs /dev/evfs/vx/dsk/testdg/backupvol /opt/evfs/backup_source
# cp -r /opt/evfs/backup_source /opt/backup_target
# umount /opt/evfs/backup_source
# evfsvol disable -k mykey /dev/evfs/vx/dsk/testdg/backupvol (evfsvol prompts for a passphrase if there is no stored passphrase)
# evfsadm unmap /dev/evfs/vx/dsk/testdg/backupvol
# vxvol -g testdg stop backupvol
# vxplex -g testdg -v backupvol dis vol05-02
# vxplex -g testdg -v vol05 att vol05-02
# vxassist -g testdg remove volume backupvol
Backups using nonmirrored volumes
This section contains procedures for performing backups without mirrored volumes.
NOTE: To create encrypted backup media to a tape or other non-EVFS device without using
mirrored volumes, you must disable access to the EVS volume. The EVS volume will be offline
and unavailable to users or applications. If you do not have mirrored volumes, you can still perform
online encrypted backups, but you must use a second EVS volume as the target device.
This section describes the following procedures:
• “Creating encrypted backup media to a non-EVFS device (nonmirrored volumes)” (page 94)
• “Creating encrypted backup media on a second EVS volume using a block device utility (nonmirrored volumes)” (page 95)
• “Creating encrypted backup media on a second EVS volume using a file utility (nonmirrored volumes)” (page 96)
• “Creating cleartext backup media to a non-EVFS device (nonmirrored volumes)” (page 97)
Creating encrypted backup media to a non-EVFS device (nonmirrored volumes)
Use the following procedure to create encrypted backup media to a non-EVFS device, such as a
tape drive. You must disable access to the EVS volume to complete this procedure, and you must
use a block device utility, such as dd.
To use this backup procedure, you must have the appropriate file permissions to access the EVS
volume device file and meet at least one of the following criteria:
• You are the volume owner.
• You are an authorized user for the volume.
• A stored passphrase exists for one of the volume's user key pairs, and you know the key ID
for the key pair.
1. Create a backup copy of the user key database (user key pairs and any passphrase files) if
a copy does not already exist. Determine the directories used for the key database by checking
the pkey attribute statement in the /etc/evfs/evfs.conf file, and back up the database.
By default, EVFS stores the user key database in subdirectories below the
/etc/evfs/pkey/users directory.
If you are restoring the data to another system, you must know the passphrase for the volume
owner's private key. Stored passphrase files are encrypted with system-specific information,
so a stored passphrase created on one system is unusable on any other system.
2. For data consistency, suspend or stop all applications accessing the data. You can use the
fuser -cu command to determine the processes accessing files on the source volume, and
the fuser -cku command to terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
3. If a file system exists on the volume, use the umount command to unmount the file system on
the source volume. For more information, see umount(1M).
4. Disable the EVFS backup volume. This is required to open the EVS volume for raw access. For
example:
# evfsvol disable -k my_key /dev/evfs/vg01/lvol5
The evfsvol utility prompts you for the passphrase if a stored passphrase does not exist.
5. Open raw access to the backup EVS volume using the evfsvol raw command.
CAUTION: After you open the volume for raw access, any entity reading data from the EVS
volume receives encrypted data. Any entity writing data to the EVS volume writes directly to
the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol
raw command only when creating encrypted backup media or restoring encrypted backup
media.
The syntax for the evfsvol raw command is as follows:
evfsvol raw evfs_volume_path
where evfs_volume_path is the absolute pathname for the EVS volume device file.
For example:
# evfsvol raw /dev/evfs/vg01/lvol5
6. Use a file-based utility or a block device utility, such as dd, to copy data from the backup EVS
volume to the target device. For example:
# dd bs=64k if=/dev/evfs/vg01/lvol5 of=/dev/rmt/0m
7. Close raw access to the backup EVS volume using the evfsvol close command to begin
the procedure to return the volume to its original state. For example:
# evfsvol close /dev/evfs/vg01/lvol5
8. Enable the EVS volume using the evfsvol enable command and remount the file system
on the EVS volume.
Example
In the following example, /dev/evfs/vg01/lvol5 is the source volume, and /dev/rmt/0m
is the target tape device. The dd command receives encrypted text from the source EVS volume
because it is open for raw access.
# fuser -cku /opt/encrypted_data
# umount /dev/evfs/vg01/lvol5
# evfsvol disable -k my_key /dev/evfs/vg01/lvol5
# evfsvol raw /dev/evfs/vg01/lvol5 (EVFS prompts if you want to continue)
# dd bs=64k if=/dev/evfs/vg01/lvol5 of=/dev/rmt/0m
# evfsvol close /dev/evfs/vg01/lvol5
# evfsvol enable -k my_key /dev/evfs/vg01/lvol5
# mount -F vxfs /dev/evfs/vg01/lvol5 /opt/encrypted_data
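The tape-backup sequence above, wrapped so that a failed or interrupted dd cannot leave the volume disabled or open for raw access. This is an added example, not HP's code: the function and variable names are this example's own, and it assumes the EVFS utilities exit non-zero on failure.

```shell
#!/usr/bin/sh
# Added example, not from the HP guide. It runs the documented sequence
# (fuser, umount, evfsvol disable/raw, dd, evfsvol close/enable, mount) and
# always unwinds the steps already taken, in reverse order, before returning.
# Assumption: evfsvol, umount, mount and dd exit non-zero when they fail.

EVS_STAGE=0   # 0 = untouched, 1 = unmounted, 2 = EVFS disabled, 3 = raw open

# Undo whatever has been done so far, newest step first.
evs_unwind() {
    evs_rc=0
    if [ "$EVS_STAGE" -ge 3 ]; then
        evfsvol close "$EVS_VOL" || evs_rc=1
    fi
    if [ "$EVS_STAGE" -ge 2 ]; then
        evfsvol enable -k "$EVS_KEY" "$EVS_VOL" || evs_rc=1
    fi
    # Remount only if the steps above succeeded; otherwise leave the file
    # system unmounted for the administrator to inspect.
    if [ "$EVS_STAGE" -ge 1 ] && [ "$evs_rc" -eq 0 ]; then
        mount -F vxfs "$EVS_VOL" "$EVS_MNT" || evs_rc=1
    fi
    EVS_STAGE=0
    return "$evs_rc"
}

# usage: backup_evs_to_tape evs_volume key_id mount_dir tape_device
# returns 0 = backup written
#         1 = no backup written, volume returned to service
#         2 = volume could not be returned to service (needs attention)
backup_evs_to_tape() {
    EVS_VOL=$1 EVS_KEY=$2 EVS_MNT=$3 EVS_TAPE=$4
    EVS_STAGE=0

    # Terminates processes using the file system, as in the guide's example.
    fuser -cku "$EVS_MNT" || :
    umount "$EVS_VOL" || return 1
    EVS_STAGE=1

    if ! evfsvol disable -k "$EVS_KEY" "$EVS_VOL"; then
        evs_unwind || return 2
        return 1
    fi
    EVS_STAGE=2

    # evfsvol raw asks for confirmation. Assumption: it exits non-zero when
    # raw access was not opened.
    if ! evfsvol raw "$EVS_VOL"; then
        evs_unwind || return 2
        return 1
    fi
    EVS_STAGE=3

    # While raw access is open, writes to the volume bypass encryption, so an
    # interrupted copy must still close raw access and re-enable EVFS.
    trap 'evs_unwind; exit 1' INT TERM HUP
    dd bs=64k if="$EVS_VOL" of="$EVS_TAPE"
    evs_dd_rc=$?
    trap - INT TERM HUP

    evs_unwind || return 2
    [ "$evs_dd_rc" -eq 0 ] || return 1
    return 0
}

# Run only when called with the four arguments, for example:
#   sh evs_tape_backup.sh /dev/evfs/vg01/lvol5 my_key /opt/encrypted_data /dev/rmt/0m
if [ "$#" -eq 4 ]; then
    backup_evs_to_tape "$@"
    exit $?
fi
```

A return value of 2 means the volume may still be disabled or in raw mode; check it with evfsadm stat -a before allowing applications back on.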
Creating encrypted backup media on a second EVS volume using a block device utility (nonmirrored volumes)
Use the following procedure to perform an offline backup and create encrypted media on a second
EVS volume. You must have the appropriate file permissions to access the EVS volume device file.
CAUTION: EVFS must be enabled on both the source volume and target volume. The backup
utility will receive cleartext data from the source EVS volume, and EVS will encrypt the data when
writing it to the target EVS volume.
Do not back up data from a volume with EVFS disabled to a volume with EVFS enabled. If you
do, the data will be encrypted twice.
1. For data consistency, suspend or stop all applications accessing the data on both volumes.
You can use the fuser -cu command to determine the processes accessing files, and the
fuser -cku command to terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
2. (Optional) If file systems are mounted on the EVS volumes, use the umount command to
unmount the file systems and prevent any new I/O requests to the volume. For more information,
see umount(1M).
3. Do not disable encryption and decryption on the source or target volumes. Use the following
evfsadm stat command to verify that EVFS is enabled on both the source and target volume:
evfsadm stat -a
4. Use a block device utility to copy data from the EVS volume device file to the target volume.
The target volume now contains the data from the source EVS volume, but encrypted using
the target volume's EVFS data key.
For example, you can use a dd command similar to the following:
dd if=/dev/evfs/vg01/lvol5 of=/dev/evfs/vg01/lvol6
Example
In the following example, /dev/evfs/vg01/lvol5 is the source volume and /dev/evfs/
vg01/lvol6 is the target volume. The dd command receives cleartext from the source EVS volume,
and the target EVS volume encrypts the data.
# fuser -cku /dev/evfs/vg01/lvol5
# fuser -cku /dev/evfs/vg01/lvol6
# evfsadm stat -a (verify that EVFS is enabled on the source and target volumes)
# dd if=/dev/evfs/vg01/lvol5 of=/dev/evfs/vg01/lvol6
Creating encrypted backup media on a second EVS volume using a file utility (nonmirrored volumes)
Use the following procedure to perform an offline backup and create encrypted media on a second
EVS volume.
CAUTION: EVFS must be enabled on both the source volume and target volume. The backup
utility will receive cleartext data from the source EVS volume, and EVFS will encrypt the data when
writing it to the target EVS volume.
Do not back up data from a volume with EVFS disabled to a volume with EVFS enabled. If you
do, the data will be encrypted twice.
1. For data consistency, suspend or stop all applications accessing the data on both volumes.
You can use the fuser -cu command to determine the processes accessing files, and the
fuser -cku command to terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
2. Do not disable encryption and decryption on the source or target volumes. Use the following
evfsadm stat command to verify that EVFS is enabled on both the source and target volume:
evfsadm stat -a
3. Use a file-based utility, such as cp, to copy data from the EVS volume device file to the target
volume. The target volume now contains the data from the source EVS volume, encrypted
using the target volume's EVFS data key.
In the following example, /opt/encrypted_data is mounted on the source EVS volume,
and /opt/evfs_backup is mounted on the EVS volume. Both EVS volumes are enabled:
cp -r /opt/encrypted_data /opt/evfs_backup
Example
In the following example, /dev/evfs/vg01/lvol5 is the source volume, with /opt/
encrypted_data mounted on it, and /dev/evfs/vg01/lvol6 is the target volume, with
/opt/evfs_backup mounted on it. The cp command receives cleartext from the source EVS
volume, and the target EVS volume encrypts the data.
# fuser -cku /dev/evfs/vg01/lvol5
# fuser -cku /dev/evfs/vg01/lvol6
# evfsadm stat -a (verify that EVFS is enabled on the source and target volumes)
# cp -r /opt/encrypted_data /opt/evfs_backup
Creating cleartext backup media to a non-EVFS device (nonmirrored volumes)
You do not need to use a special procedure to create cleartext backup media from an EVS volume.
You can back up individual files or directories from the EVS volume, or you can specify the EVS
volume device file as the source for the backup utility. The EVS volume must have encryption and
decryption enabled.
Restoring backup media
This section describes how to restore backup media, and describes the following procedures:
• “Restoring encrypted backup media from a non-EVFS device to an EVS volume” (page 97)
• “Restoring backup data from an EVS volume to an EVS volume” (page 98)
Restoring encrypted backup media from a non-EVFS device to an EVS volume
When restoring encrypted backup media created on a non-EVFS device (such as a tape device)
that contains an EVS volume, the target volume to which you are restoring the data must meet the
following criteria:
• The target volume must be an EVS volume. If you do not have an EVS volume, use the procedure
described in “Step 1: Configuring an EVS volume” (page 45) to create an EVS volume.
• The EVS volume must have EVFS disabled.
CAUTION: If you do not disable encryption and decryption on the target volume, EVFS
encrypts the encrypted data you restore (the data is encrypted twice).
To use this procedure, you must have the appropriate file permissions to access the EVS volume
device file and meet at least one of the following criteria:
• You are the volume owner.
• You are an authorized user for the volume.
• A stored passphrase exists for one of the volume's user key pairs, and you know the key ID
for the key pair.
Use the following procedure to restore encrypted backup media:
1. If the user key pairs used with the source EVS volume are not available on the system, restore
them. For information on restoring EVFS user key pairs, see “Restoring user keys” (page 67).
2. For data consistency, suspend or stop any applications accessing data on the target volume.
You can use the fuser -cu command to determine the processes accessing files, and the
fuser -cku command to terminate the processes.
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
3. If a file system exists on the target volume, use the umount command to unmount the file
system on the target volume. For more information, see umount(1M).
4. Use the following command to disable encryption and decryption access to the target volume:
evfsvol disable [-k keyname] evfs_volume_path
For more information, see “Disabling encryption and decryption access to EVS volumes”
(page 64).
5. Use the following command to enable raw access to the target volume:
evfsvol raw evfs_volume_path
This enables the utility you use in the next step to write data to the EVS volume without
encrypting the data.
CAUTION: After you open the volume for raw access, any entity reading data from the EVS
volume receives encrypted data. Any entity writing data to the EVS volume writes directly to
the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol
raw command only when creating encrypted backup media or restoring encrypted backup
media.
6. Use a block device utility, such as dd, to copy the encrypted data from the source device,
such as the /dev/rmt/0m tape device file, to the target EVS volume.
7. Use the evfsvol close evfs_volume_path command to close raw access to the EVS
volume.
8. Use the evfsvol enable evfs_volume_path command to re-enable encryption and
decryption on the volume.
9. If a file system exists on the volume, use the mount command to remount the file system. For
more information, see mount(1M).
Example
In the following example, the tape device /dev/rmt/0m has a tape with encrypted backup data
created from the /dev/evfs/vg01/lvol5 EVS volume.
# fuser -cku /dev/evfs/vg01/lvol5
# umount /dev/evfs/vg01/lvol5
# evfsvol disable -k my_key /dev/evfs/vg01/lvol5 (evfsvol prompts for passphrase if there is no stored passphrase)
# evfsvol raw /dev/evfs/vg01/lvol5 (EVFS prompts if you want to continue)
# dd bs=64k if=/dev/rmt/0m of=/dev/evfs/vg01/lvol5
# evfsvol close /dev/evfs/vg01/lvol5
# evfsvol enable -k my_key /dev/evfs/vg01/lvol5
# mount -F vxfs /dev/evfs/vg01/lvol5 /opt/encrypted_data
Restoring backup data from an EVS volume to an EVS volume
Use the following procedure to restore backup data when the source volume and the target device
are both EVS volumes. You must also have the appropriate file permissions to access the EVS
volume device file.
CAUTION: EVFS must be enabled on the source and target volumes.
1. For data consistency, suspend or stop all applications accessing the data on both volumes.
You can use the fuser -cu command to determine the processes accessing files, and the
fuser -cku command to terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
2. If file systems are mounted on the EVS volumes and you did not use a file-based utility to
back up the data, use the umount command to unmount the file systems and prevent any new
I/O requests to the volume. For more information, see umount(1M).
3. Do not disable encryption and decryption on the source or target volumes. Use the evfsadm
stat -a command to verify that EVFS is enabled on both the source and target volume.
4. Use the same utility that you used to create the backup media to restore the media (or an
equivalent utility). If you used a file-based utility to create the backup media, use a file-based
utility to restore the data; if you used a block device utility to create the backup media, use a
block device utility to restore the data. After you restore the data, the target volume
contains the data from the backup (source) EVS volume, encrypted using the target volume's
EVFS data key.
Example
In the following example, /dev/evfs/vg01/lvol5 is the original volume, with /opt/
encrypted_data mounted on it. The /dev/evfs/vg01/lvol6 volume contains backup data,
with /opt/evfs_backup mounted on it. The cp command receives cleartext from the backup
EVS volume and the original EVS volume re-encrypts the data.
# fuser -cku /dev/evfs/vg01/lvol5
# fuser -cku /dev/evfs/vg01/lvol6
# evfsadm stat -a (verify that EVFS is enabled on the source and target volumes)
# cp -r /opt/evfs_backup /opt/encrypted_data
Part III Encrypted File System (EFS)
Part III includes the following topics:
• “Determining user roles” (page 103)
• “Creating an EFS volume and file system” (page 105)
• “Using EFS” (page 108)
• “Managing keys” (page 131)
Contents
9 Determining user roles
  The system administrator role
  The user role
  The key manager role
  Enabling the key manager
10 Creating an EFS volume and file system
  Creating an LVM or VxVM volume
  Mapping the volume to EVFS
  Creating a file system
  Performing operations on an EFS file system
11 Using EFS
  Using a secure session
  Logging into a secure session
  Exiting from a secure session
  Displaying secure session information
  Creating an encrypted file
  Reading from or writing to an encrypted file
  Changing the file permissions
  Changing the file owner/group
  File encryption attributes
  Enabling a directory or a file system for encryption
  Enabling encryption at the FS level
  Enabling encryption at the directory level
  Enabling encryption at the FS and directory level
  Disabling a directory or FS for encryption
  Disabling encryption at the FS level
  Disabling encryption at the directory level
  Listing file encryption attributes
  Sharing encrypted files via groups and group keys
  File conversion operations
  Converting a cleartext file to an encrypted file
  Converting an encrypted file to a cleartext file
  Changing the file encryption key (rekey)
  Cipher precedence
  Using the evfsxfr command
  Examples
  EFS backup and restore
  The EVFS wrapper commands
  The cp command
  The chown and chgrp commands
  The mv command
  The usermod and groupmod commands
  The userdel and groupdel commands
  Using the evfsrun command
  The EFS recovery key
12 Managing keys
  Types of keys
  Key manager key
  Managing a user key
  Creating a user key
  Changing the passphrase
  Displaying user key information
  Exporting a user key
  Importing a user key
  Deleting a user key
  Managing a group key
  Creating a group key
  Displaying group key information
  Exporting group key information
  Importing group key information
  Deleting a group key
  Key manager operations
  Granting a member access to a group key
  Removing a member from a group key
  Check or synchronize users and groups
  Key file location
9 Determining user roles
EFS consists of three user functions defined as follows:
• The system administrator
• The user
• The key manager
The system administrator role
The system administrator (the root user) performs the following system operations:
1. Creates volumes
2. Creates file systems
3. Sets encryption parameters on a directory
The system administrator must use the EFS version of the following commands:
• usermod (see “The usermod and groupmod commands” (page 125))
• userdel (see “The userdel and groupdel commands” (page 126))
• groupmod (see “The usermod and groupmod commands” (page 125))
• groupdel (see “The userdel and groupdel commands” (page 126))
These commands are located in the /opt/evfs/bin directory.
The system administrator can also perform these additional functions:
• Usually, the file owner/group and the file EMD information are synchronized. In the unlikely
event that the file owner/group and the file EMD information are not synchronized, use the
evfsfile sync command to synchronize the information. Only the system administrator is
allowed to perform this function.
For example, when encrypted files are transferred to a different system by various users that
belong to the same group, the DAC owner is different from the EMD owner. To synchronize
the permissions of the file, use the evfsfile sync command.
• Backup and restore of EFS volumes
Special consideration is required when backing up EFS files or volumes. For more information,
see “EFS backup and restore” (page 118).
For more information on the operations that the system administrator can perform, see Chapter 10
(page 105).
The user role
The user performs the following file operations:
1. Creates an encrypted file
2. Reads from or writes to an encrypted file
3. Changes the file permissions
4. Changes the file owner or group
5. Sets encryption parameters on a directory owned by the user
For more information on these operations, see Chapter 11 (page 108).
The key manager role
The key manager performs the following key operations:
1. Creates user keys
2. Deletes user keys
3. Displays user key information
4. Changes a user’s passphrase which protects the private key (requires the user’s old key
passphrase)
5. Imports user keys
6. Exports user keys (requires the user’s key passphrase)
The system administrator can also perform operations 1 through 4. Only the key manager can
perform operations 5 and 6.
NOTE: Users who are the key owners can perform all of these operations.
For more information on these operations, see Chapter 12 (page 131).
Enabling the key manager
The key manager mainly performs key administration without having special privileges to access
a user’s encrypted files and key files. The use of a key manager is optional. After logging into the
system, the key manager is allowed to manage all user keys similarly to the system administrator.
In addition, the key manager is also allowed to import and export user keys, which the system
administrator is not allowed to do.
To enable the use of a key manager, follow these steps:
1. Create a user account and identify a person to become the account owner to perform key
operations. Note that the key manager cannot have an EFS secure session.
2. Edit the /etc/evfs/evfs.conf file and remove the comment # sign from the key_manager
line. Set the user account created in the previous step to key_manager.
10 Creating an EFS volume and file system
This section describes the procedure to configure a new encrypted file system or to convert an
existing file system to an encrypted file system:
• Starting the EVFS Subsystem (see “Step 5: Starting the EVFS subsystem” (page 33))
• Creating an LVM or VxVM volume (see “Creating an LVM or VxVM volume” (page 105))
• Mapping the volume to EVFS in EFS mode (see “Mapping the volume to EVFS” (page 105))
• Creating a file system (see “Creating a file system” (page 106))
• Performing operations on an EFS file system (see “Performing operations on an EFS file system”
(page 106))
Creating an LVM or VxVM volume
NOTE: Skip this step if you are not using LVM or VxVM.
Use the lvcreate or vxassist command to create a new LVM or VxVM volume to use for the
file level encryption.
Mapping the volume to EVFS
Similar to volume level encryption, use the evfsadm map command to create the EFS volume
device files by mapping the LVM, VxVM, or physical volume to EVFS. The evfsadm command
stores the EFS volume device files using the same file names as the underlying volume block and
character device files, but in subdirectories under the /dev/evfs directory instead of the /dev
directory.
You cannot use EVFS with the following objects:
• The root disk (/)
• The boot disk
• The HP-UX kernel directory (/stand)
• The /usr directory
• The swap space (swap devices or file swap space)
• Dump devices
• EFS volumes currently cannot be used with NFS
To map an LVM, VxVM, or physical volume to EVFS for file level encryption, enter:
# evfsadm map -f volume_path
The parameters are as follows:
volume_path
    Specifies the absolute path of the block device file for the underlying LVM,
    VxVM, or physical volume, such as /dev/vx/dsk/rootdg/vol01,
    /dev/vg01/lvol5, or /dev/dsk/c2d0t0.
-f
    Specifies file level encryption.
NOTE: A volume can be configured either for file level encryption (EFS) or for volume level
encryption (EVS), but not for both. If you specify the -f option, the volume will have file level
encryption. If you do not specify the -f option, the volume will be used for volume level encryption,
which is the default behavior.
Once the volume is mapped for EFS, the EFS volume is always in the active state. For the evfsvol
command, only the display sub-command is available for the EFS volume. Once the volume is
mapped, access to both the underlying volume path (/dev/disk) and the EVFS volume path
(/dev/evfs/disk) is shared. HP recommends that you use the EVFS volume path (for example,
/dev/evfs/disk).
Creating a file system
NOTE: Skip this step if you already have an existing file system.
To create a file system, enter the same command as you would to create a normal file system on
an LVM, VxVM, or on a physical volume:
# newfs -F FSTYPE volume_path
The parameters are as follows:
FSTYPE
    The file system type: HFS or VxFS.
volume_path
    The absolute path for the LVM, VxVM, physical, or EVFS character device path.
    For example, /dev/vg01/rlvol1, /dev/vx/rdsk/testdg/vol1,
    /dev/rdsk/c2d0d0, or /dev/evfs/vg/lvol1.
Performing operations on an EFS file system
On an EFS file system, you can perform all the operations that you perform on a regular HFS or VxFS
file system, as follows:
Mounting an encrypted file system
Use the mount command with the -o stackfs option to mount an encrypted file system:
# mount -F FSTYPE -o stackfs=sefs evfs_volume_path mount_dir
You must specify the EFS volume instead of the regular physical volume. The parameters are as
follows:
FSTYPE
    File system type; it can be HFS or VxFS.
stackfs=sefs
    Stackable encrypted file system.
evfs_volume_path
    Mapped LVM, VxVM, or physical EVFS volume path. For example,
    /dev/evfs/vg01/lvol1, /dev/evfs/vx/dsk/testdg/lvol1,
    or /dev/evfs/dsk/c2d0d0.
Unmounting an encrypted file system
Use the umount command to unmount the mounted encrypted file system:
# umount mounted_directory | mounted_evfs_volume_path
You must invoke this command on a mounted EVFS volume path or from the mount directory where
the file system is mounted.
Other operations on encrypted file systems
You can use all other regular file system commands as well as the encrypted file system commands.
Some of these commands are as follows:
• The extendfs command to change the size of the file system.
• The fsadm command to administer the file system.
• The fsck command to verify the integrity of the file system.
• The newfs, newfs_hfs, and newfs_vxfs wrapper commands on top of the file system.
This example shows how to create and mount an encrypted file system on the /dev/vg01/lvol1
volume:
1. Map the LVM volume to an EVFS volume for file level encryption:
# evfsadm map -f /dev/vg01/lvol1
This command creates the EVFS raw and block device files /dev/evfs/vg01/rlvol1 and
/dev/evfs/vg01/lvol1.
2. Create a file system on the EVFS volume mapped for file level encryption, using either one of
the following commands:
# newfs -F vxfs /dev/evfs/vg01/rlvol1
or
# newfs -F vxfs /dev/vg01/rlvol1
3. Mount the file system on the /efsmnt directory:
# mount -F vxfs -o stackfs=sefs /dev/evfs/vg01/lvol1 /efsmnt
You can modify /etc/fstab to include it, as follows:
/dev/evfs/vg01/lvol1 /efsmnt vxfs stackfs=sefs,delaylog 0 2
11 Using EFS
Once you have an EFS file system mounted, you can create and manipulate an encrypted file.
This chapter describes the various operations that you can perform on an encrypted file, as follows:
• “Using a secure session”
• “Creating an encrypted file”
• “Reading from or writing to an encrypted file”
• “Changing the file permissions”
• “Changing the file owner/group”
• “File encryption attributes”
• “Sharing encrypted files via groups and group keys”
• “File conversion operations”
• “Using the evfsxfr command”
• “EFS backup and restore”
• “The EVFS wrapper commands”
• “Using the evfsrun command”
• “The EFS recovery key”
For more information on how to create an encrypted file system, see Chapter 10 (page 105).
Using a secure session
To create or manipulate an encrypted file, you must be in a secure session. If your credential does
not exist, you will be prompted to create it. This credential is inherited by all children of the
process. Use the evfsauth display command to display your credential. Exiting the process
(if in a shell, usually with the exit command) terminates the session.
You can perform these secure session operations using the evfsauth command.
Logging into a secure session
Use the evfsauth login command to log into an EVFS secure session. The evfsauth login
command loads the user's credential and starts the user’s default shell, which creates a secure
session. Without running the evfsauth login command, you cannot use EFS to protect your
files.
To create a secure session, run the evfsauth login command. The command prompts you for
your user key passphrase, as follows:
# evfsauth login
Enter your EFS passphrase:
You are entering in a secure session. Use "exit" to end the session.
Whether you have a stored passphrase or not, the evfsauth login command always prompts
for the passphrase. If you want to create your own key before entering the secure session, you
need to run the evfspkey keygen command without the -s option to be able to enter your own
passphrase.
If the user key does not exist, the evfsauth login command automatically creates the user key
and loads it into the kernel, as follows:
# evfsauth login
You don't have a key pair to use EFS. Do you want to create one?
Answer [yes/no]:yes
Enter passphrase:
Re-enter passphrase:
You are entering into a secure session. Use "exit" to end the session.
If the key manager changed your user key, the evfsauth login command forces you to reset
your passphrase, as follows:
# evfsauth login
Enter passphrase:
You need to reset EFS passphrase.
Enter new passphrase:
Re-enter new passphrase:
You are entering in a secure session. Use "exit" to end the session.
You can use the following options with the evfsauth login command. These options are used
only when a new user key is generated or when the passphrase is reset:
-c <cipher>    Specifies the type of key to create.
-m <keywrap>   Specifies the keywrap to override configuration in the /etc/evfs/evfs.conf file.
Exiting from a secure session
To exit a secure session, enter the following:
# exit
This will unload all keys. Once you exit from a secure shell, you can no longer manipulate the
encrypted files. To create a new encrypted file or make any modifications to an existing encrypted
file, you must run the evfsauth login command once again to log into a secure session.
Displaying secure session information
Use the evfsauth display command to display the type of session that you are running and,
if any, the keys that are loaded into the kernel, as follows:
# evfsauth display
You are not in a secure session.
# evfsauth display
User key:
Key name: jsmith.jsmith
Group key:
Group ID: 20
Key name: users.users
Recovery key:
Key name: evfs.efs1
Creating an encrypted file
To create an encrypted file, follow these steps:
1. Log in to the system.
2. Enter a secure session by using the evfsauth login command.
3. Convert an existing clear file with the evfsfile encrypt command.
4. Or enable the directory or file system for encryption and create encrypted files in it.
Reading from or writing to an encrypted file
To read from or write to an encrypted file, follow these steps:
1. Log in to the system.
2. Enter a secure session by using the evfsauth login command.
3. Verify that the file is encrypted using the evfsfile list command.
Read and write to the encrypted file as usual.
Changing the file permissions
Use the HP-UX chmod command to change the mode bits (user and group access permissions) on
an encrypted file. You need to have a valid DAC permission to change the mode bits. You do not
need to be in a secure session to perform this operation.
Changing the file owner/group
You must be in a secure session to change the owner/group on an encrypted file. Only the owner
of the file can change the owner/group permissions of an encrypted file. The EFS-enabled chown
command can be used on encrypted files to change owner/group permissions.
File encryption attributes
An Encrypted File System (EFS) can contain both encrypted and cleartext (not encrypted) files. By
default, encryption is not enabled on an EFS.
You can use the evfsfile command to manage the encrypted files and directory, as follows:
• Enable a directory or file system for encryption
• Disable a directory or file system for encryption
• List file or directory encryption attributes
• Perform file conversion operations
A directory in an EFS can be enabled or disabled for encryption. When a directory is enabled for
encryption, all of the new files created under that directory are encrypted. EVFS supports only
encryption of regular files.
For more information, see evfsfile(1).
Enabling a directory or a file system for encryption
When an EFS is first created and mounted on a directory, any new files created are not encrypted
by default. You can enable the file encryption at two different levels:
• The directory level
• The file system (FS) level (or mount point)
Use the evfsfile command to enable the file encryption. You can also use the evfsfile
command to change the encryption parameters on an EFS directory, but directories themselves
can never be encrypted.
When a directory is enabled and configured for encryption, all new files and directories created
in that directory use the encryption parameters defined for that directory. Encryption parameters
for all existing files, directories, and sub-directories are not changed.
When a FS (mount point) is enabled and configured for encryption, all new files and directories
created in this FS use the encryption parameters from the mount point, unless it is overridden by
the encryption parameters in the current directory. Encryption parameters for all existing files,
directories, and sub-directories are not changed.
You can enable the directory for encryption as follows:
# evfsfile set [-c cipher] directory
The default cipher to create encrypted files on PA is aes-128-cfb and on IA it is aes-128-cbc,
as specified in the evfs.conf file. When the cipher value is not specified, the default value is
used.
The valid cipher values are aes-128-cfb, aes-192-cfb, and aes-256-cfb. On IA,
aes-128-cbc, aes-192-cbc, and aes-256-cbc, are also valid.
Enabling encryption at the FS level
Encryption can be enabled at FS level by setting encryption parameters at the EFS mount point.
All the new files and directories created use the encryption parameters at the mount point. Existing
files remain in cleartext and are not affected by this operation.
In this example, an EFS is created and mounted on the /efsmnt directory. The encryption is not
enabled and the FS contains the file1 file and dir1 directory:
# ls /efsmnt
-rwxr-x--- efs_user efs_group file1
drwxr-x--- efs_user efs_group dir1
# evfsfile list /efsmnt/file1
evfsfile: list error: "/efsmnt/file1" is not an encrypted file.
# evfsfile list /efsmnt/dir1
evfsfile: list error: "/efsmnt/dir1" is not enabled for encryption.
NOTE: The ls command is not EVFS aware. Therefore, it does not show whether the file or
directory is enabled for encryption. You must use the evfsfile list sub-command to list the
encryption parameters on an EFS directory or file.
The /efsmnt directory is enabled for encryption and the cipher is set to aes-256-cfb, as follows:
# evfsfile set -c aes-256-cfb /efsmnt
EFS configuration parameters has been successfully set
# mkdir /efsmnt/dir2
# touch /efsmnt/dir1/file2
# evfsfile list /efsmnt/file1
evfsfile: list error: "/efsmnt/file1" is not an encrypted file.
# evfsfile list /efsmnt/dir1
evfsfile: list error: "/efsmnt/dir1" is not enabled for encryption.
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-256-cfb
# evfsfile list /efsmnt/dir1/file2
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-256-cfb
Owner Key ID: efsuser.efsuser
Group Key ID: efsgroup.efsgroup
Enabling encryption at the directory level
When a directory is enabled for encryption, all new files and directories created in this directory
use the properties from this directory. The existing directories and files are not changed.
In this example, the EFS is created and mounted on the /efsmnt directory. Before enabling for
encryption, the /efsmnt/dir1 and /efsmnt/dir2 directories exist:
# evfsfile list /efsmnt/dir1
evfsfile: list error: "/efsmnt/dir1" is not enabled for encryption.
# evfsfile list /efsmnt/dir2
evfsfile: list error: "/efsmnt/dir2" is not enabled for encryption.
# evfsfile set /efsmnt/dir2
EFS configuration parameters has been successfully set
# touch /efsmnt/dir1/file1
# touch /efsmnt/dir2/file2
# mkdir /efsmnt/dir2/dir3
# evfsfile list /efsmnt/dir1
evfsfile: list error: "/efsmnt/dir1" is not enabled for encryption.
# evfsfile list /efsmnt/dir1/file1
evfsfile: list error: "/efsmnt/dir1/file1" is not an encrypted file.
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-128-cbc
# evfsfile list /efsmnt/dir2/dir3
EFS directory information:
Data Encryption Cipher: aes-128-cbc
Enabling encryption at the FS and directory level
If encryption is enabled at the FS (mount point) level and on an underlying directory level with a
different cipher, the files created under the directory use the cipher specified at the directory level
rather than at the FS level.
Consider the previous example where encryption is enabled at the FS level. The /efsmnt/dir2
directory uses the cipher information from /efsmnt. If you change the cipher on the
/efsmnt/dir2 directory and create a new file in that directory, you will enable encryption at
the FS level as well as the directory level, as follows:
# evfsfile list /efsmnt
EFS directory information:
Data Encryption Cipher: aes-256-cfb
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-256-cfb
# evfsfile set -c aes-192-cfb /efsmnt/dir2
# touch /efsmnt/dir2/file4
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-192-cfb
# evfsfile list /efsmnt/dir2/file4
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-192-cfb
Owner Key ID: efsuser.efsuser
Group Key ID: efsgroup.efsgroup
Disabling a directory or FS for encryption
Similar to enabling the encryption, to disable an encrypted FS or directory that is enabled for
encryption, use the evfsfile command. The syntax for disabling encryption is as follows:
# evfsfile set -d efs_dir
efs_dir
Specifies an EFS directory that is enabled for encryption. It can be a mount point to
disable encryption on a FS level, or an underlying directory to explicitly disable
encryption.
Disabling encryption at the FS level
In this example, the EFS is mounted on the /efsmnt directory and enabled for encryption.
Directories /efsmnt/dir1 and /efsmnt/dir2 are created after enabling the /efsmnt directory
for encryption. Note that the directories /efsmnt/dir1 and /efsmnt/dir2 still contain
encryption parameters after the FS is disabled for encryption. Existing files (encrypted or
unencrypted) do not change when encryption is enabled or disabled.
# evfsfile list /efsmnt
EFS directory information:
Data Encryption Cipher: aes-192-cfb
# evfsfile list /efsmnt/dir1
EFS directory information:
Data Encryption Cipher: aes-192-cfb
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-192-cfb
Disable the encryption at the FS level as follows:
# evfsfile set -d /efsmnt
# evfsfile list /efsmnt
evfsfile: list error: "/efsmnt" is not enabled for encryption.
# evfsfile list /efsmnt/dir1
EFS directory information:
Data Encryption Cipher: aes-192-cfb
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-192-cfb
Disabling encryption at the directory level
In this example, assume that /efsmnt/dir2 is enabled for encryption. The directory
/efsmnt/dir2/dir3 is then created with encryption parameters inherited from /efsmnt/dir2.
The disabling of encryption on /efsmnt/dir2 does not change /efsmnt/dir2/dir3.
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-128-cbc
# evfsfile list /efsmnt/dir1
EFS directory information:
Data Encryption Cipher: aes-128-cbc
# mkdir /efsmnt/dir2/dir3
Disable encryption on the /efsmnt/dir2 directory as follows:
# evfsfile set -d /efsmnt/dir2
# evfsfile list /efsmnt/dir2
evfsfile: list error: "/efsmnt/dir2" is not enabled for encryption.
# evfsfile list /efsmnt/dir2/dir3
EFS directory information:
Data Encryption Cipher: aes-128-cbc
Listing file encryption attributes
The evfsfile list subcommand is used to display encryption attributes on a given file or
directory. The syntax for the evfsfile list subcommand is as follows:
# evfsfile list <file or directory>
If the given file or directory is a valid encryption object, this command displays the encryption
attributes associated with that file or directory. Otherwise it prints an error message.
Display encryption attributes on a directory enabled for encryption as follows:
# evfsfile list /efsmnt/dir1
EFS directory information:
Data Encryption Cipher: aes-192-cfb
Display encryption attributes on an encrypted file as follows:
# evfsfile list /efsmnt/dir1/file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-192-cfb
Owner Key ID: efsuser.efsuser
Group Key ID: efsgroup.efsgroup
A user with valid UNIX DAC permissions can list the encryption attributes on a given directory. To
list encryption attributes on files, the EFS checks are performed on top of the DAC checks. Therefore,
only the owner of the file, from a valid secure session, can list the encryption attributes on a given
encrypted file.
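Because enabling encryption never converts existing files and ls does not show encryption state, a sweep with evfsfile list is how leftover cleartext files are found. The following is an added example, not part of HP's guide: it classifies paths by the message strings shown in the sessions above. The function names, the EVFSFILE override variable, and the sample_evfsfile stub with its replayed output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sweep a list of paths and report those that are not encrypted.
# EVFSFILE is a hypothetical override so a stub can stand in for the real command.
EVFSFILE=${EVFSFILE:-evfsfile}

# classify_path PATH
# Prints one of: "encrypted <cipher>", "enabled <cipher>", "cleartext",
# "not-enabled", "unknown". Matching relies on the message strings that
# appear in the evfsfile list sessions in this guide.
classify_path() {
    # A "list error" may come with a non-zero exit; keep going under "set -e".
    out=$("$EVFSFILE" list "$1" 2>&1 </dev/null) || true
    cipher=$(printf '%s\n' "$out" |
        sed -n 's/^[[:space:]]*Data Encryption Cipher:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        head -n 1)
    case "$out" in
        *"EFS file information:"*)          echo "encrypted $cipher" ;;
        *"EFS directory information:"*)     echo "enabled $cipher" ;;
        *"is not an encrypted file."*)      echo "cleartext" ;;
        *"is not enabled for encryption."*) echo "not-enabled" ;;
        *)                                  echo "unknown" ;;
    esac
}

# audit_paths: read one path per line on stdin and print "<state><TAB><path>"
# for every path that is neither an encrypted file nor an enabled directory.
# "unknown" covers any other error, for example a file whose attributes the
# caller is not allowed to list.
audit_paths() {
    while IFS= read -r p; do
        state=$(classify_path "$p")
        case "$state" in
            encrypted\ *|enabled\ *) ;;
            *) printf '%s\t%s\n' "$state" "$p" ;;
        esac
    done
}

# sample_evfsfile: constructed stand-in that replays the outputs shown in the
# FS-level example for /efsmnt. The last branch is a constructed placeholder,
# not real evfsfile output.
sample_evfsfile() {
    case "$2" in
        /efsmnt/dir1/file2)
            printf '%s\n' 'EFS file information:' 'EMD Size (Kbytes): 4' \
                'Data Encryption Cipher: aes-256-cfb' \
                'Owner Key ID: efsuser.efsuser' 'Group Key ID: efsgroup.efsgroup' ;;
        /efsmnt/dir2)
            printf '%s\n' 'EFS directory information:' \
                'Data Encryption Cipher: aes-256-cfb' ;;
        /efsmnt/file1)
            printf 'evfsfile: list error: "%s" is not an encrypted file.\n' "$2"
            return 1 ;;
        /efsmnt/dir1)
            printf 'evfsfile: list error: "%s" is not enabled for encryption.\n' "$2"
            return 1 ;;
        *)
            echo 'constructed placeholder for any other error' >&2
            return 1 ;;
    esac
}

# Run "sh thisfile demo" to see the sweep against the constructed stub.
if [ "${1:-}" = "demo" ]; then
    EVFSFILE=sample_evfsfile
    printf '%s\n' /efsmnt/file1 /efsmnt/dir1 /efsmnt/dir2 /efsmnt/dir1/file2 |
        audit_paths
fi
```

On a live system the input would come from a command such as find /efsmnt -type f, run by the file owner from a secure session, since listing file attributes is subject to the EFS checks described above.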
Sharing encrypted files via groups and group keys
For an encrypted file or a directory, a user with valid UNIX DAC permissions can list the encryption
attributes.
EVFS supports only the user's primary group key. After a key pair is created for a group configured
in the system, the group access is implicitly added to the key records of the users who have this
group as their primary group (for example, the group ID is configured in the user account entry in
the /etc/passwd file or in the remote data repository such as NIS or LDAP).
If a user has access to the primary group key (that is, the group access key has been added to the
user's key record), the file encryption key is encrypted with the user's public key and the primary
group public key. As a result, other users who also have access to the same primary group key
will be able to decrypt the file encryption key with the group's private key, and thus decrypt the file.
Creating a group
When a group is created, the key manager has to create a group key for this group so that its
group members can share encrypted files. The group access key, which grants members access to
the group key, is automatically added for the group members that have this group as their primary
group and have a user key. See “Creating a group key” (page 139).
Adding a group member
If a user does not have a user key when their primary group key is created, or if the user is newly
added after their primary group key is created, the key manager has to explicitly grant the user
access to the group key by running the evfspkey add command. See “Key manager operations”
(page 142).
Deleting a group
When a group is deleted, its group key must be deleted so that group members no longer share
encrypted files. If the system administrator uses the EFS version of groupdel (in /opt/evfs/bin)
to delete the group, the group key is automatically deleted. Otherwise, after deleting a group, the
key manager has to run evfspkey delete to delete the group key. The group access key is
implicitly removed from all of the group members’ key records. See “Deleting a group key”
(page 141).
Removing a group member
If a user is no longer a group member, the key manager can explicitly remove the group access
key from the user's key record by running the evfspkey delete -u <username> -g
<groupname> command. See “Key manager operations” (page 142).
Changing group
When a user logs into EFS, if the group key exists, the key of the primary group configured in the
user's account is loaded. The newgrp command does not cause any changes.
File conversion operations
This section describes the conversion of an existing cleartext file to encrypted file, the conversion
of an encrypted file to a cleartext file, and how to change the file encryption key of an encrypted
file.
EVFS v2.1 supports only offline data conversion, meaning that the file to be converted should not
be accessed until the conversion is complete. If the conversion is interrupted (or suspended), it
cannot be resumed; the conversion process must be restarted from the beginning by invoking the
command once more.
This operation requires enough free space in the file system (each original file
requires an additional 4K bytes, where 4K is the file Encryption Meta Data size).
Converting a cleartext file to an encrypted file
The syntax for converting a cleartext file to an encrypted file is as follows:
# evfsfile encrypt [-c cipher] file
The parameters are as follows:
cipher
The symmetric key algorithm name and key length. Valid values are aes-128-cfb,
aes-192-cfb, and aes-256-cfb. On IA, aes-128-cbc, aes-192-cbc, and
aes-256-cbc are also valid. Using this option creates the encryption key with specified
cipher. Otherwise, the cipher information is extracted using the "cipher precedence"
rules described in Section (page 117).
file
Encrypted file name.
This example converts a cleartext file to an encrypted file, as follows:
Create an encrypted file system and mount it on the /efsmnt directory using the procedure
described in Chapter 10 (page 105).
Convert the /efsmnt/file1 cleartext file to an encrypted file as follows:
1. List the encryption attributes on the /efsmnt/file1 file to make sure it is not encrypted.
# evfsfile list /efsmnt/file1
evfsfile: list error: "/efsmnt/file1" is not an encrypted file.
2. Turn off all the applications that use the /efsmnt/file1 file. For data consistency, stop all
applications from accessing the data. You can use the fuser -cu command to determine
the processes accessing files, and the fuser -cku command to terminate the processes. For
more information, see fuser(1M).
3. Make sure that you are in a secure session. If not, enter into a secure session by using the
evfsauth login command.
4. Use the evfsfile encrypt command to convert the cleartext file to an encrypted file (using
the default cipher):
# evfsfile encrypt /efsmnt/file1
Successfully encrypted the file
5. List the encryption attributes on the /efsmnt/file1 file:
# evfsfile list /efsmnt/file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: root.root
Group Key ID: sys.sys
Recovery Key ID: evfs.efs
6. Convert the file using a different cipher:
$ evfsfile encrypt -c aes-256-cfb /efsmnt/file1
Successfully encrypted the file
7. List encryption attributes on the /efsmnt/file1 file:
$ evfsfile list /efsmnt/file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-256-cfb
Owner Key ID: root.root
Group Key ID: sys.sys
Recovery Key ID: evfs.efs
If you do not have the group key and recovery key configured, you will not see the Group Key
ID and Recovery Key ID as shown above.
Converting an encrypted file to a cleartext file
To convert an encrypted file to a cleartext file, follow these steps:
Create an encrypted file system and mount it on the /efsmnt directory. Convert the
/efsmnt/file1 encrypted file to a cleartext file as follows:
1. List the encryption attributes on the /efsmnt/file1 file:
# evfsfile list /efsmnt/file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: root.root
Group Key ID: sys.sys
2. Turn off all the applications that use the /efsmnt/file1 file. For data consistency, stop all
applications that are accessing the data. You can use the fuser -cu command to determine
the processes accessing files, and the fuser -cku command to terminate the processes. For
more information, see fuser(1M).
3. Make sure that you are in a secure session. If not, enter into a secure session by using the
evfsauth command.
4. Use the evfsfile decrypt command to convert the encrypted file to a cleartext file:
# evfsfile decrypt /efsmnt/file1
Successfully decrypted the file
5. List the encryption attributes on the /efsmnt/file1 file to make sure that the file is converted
(decrypted):
# evfsfile list /efsmnt/file1
evfsfile: list error: "/efsmnt/file1" is not an encrypted file.
Changing the file encryption key (rekey)
The syntax for rekey is as follows:
# evfsfile rekey [-c cipher] file
The parameters are as follows:
cipher
The symmetric key algorithm name and key length. Valid values are aes-128-cfb,
aes-192-cfb, and aes-256-cfb. On IA, aes-128-cbc, aes-192-cbc, and
aes-256-cbc are also valid. Using this option creates the new encryption key with
the specified cipher. Otherwise, the cipher information is extracted using the "cipher
precedence" rules described in “Cipher precedence” (page 117).
file
Encrypted file name.
In this example, the encrypted file system is created and mounted on the /efsmnt directory. The
/efsmnt/file1 file is an encrypted file and its encryption key needs to be changed, as follows:
1. List the encryption attributes on the /efsmnt/file1 file:
# evfsfile list /efsmnt/file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: root.root
Group Key ID: sys.sys
Recovery Key ID: evfs.efs
2. Turn off all the applications that are using the /efsmnt/file1 file. For data consistency,
stop all applications that are accessing the data. You can use the fuser -cu command to
determine the processes accessing files, and the fuser -cku command to terminate the
processes. For more information, see fuser(1M).
3. Make sure that you are in a secure session. If not, enter into a secure session by using the
evfsauth login command. This operation changes the encryption key with the same cipher
(if cipher is not specified with the -c option):
# evfsfile rekey /efsmnt/file1
Successfully changed the file encryption key
4. List the encryption attributes on the /efsmnt/file1 file:
# evfsfile list /efsmnt/file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: root.root
Group Key ID: sys.sys
Recovery Key ID: evfs.efs
5. Change the encryption key with a different cipher:
# evfsfile rekey -c aes-256-cfb /efsmnt/file1
Successfully changed the file encryption key
6. List the encryption attributes on the /efsmnt/file1 file:
# evfsfile list /efsmnt/file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-256-cfb
Owner Key ID: root.root
Group Key ID: sys.sys
Recovery Key ID: evfs.efs
Cipher precedence
For the evfsfile encrypt and the evfsfile rekey commands, if the cipher option (-c) is
not specified, the order in which to find the cipher is as follows:
1. If encryption is enabled for the directory, the command uses the cipher specified for the
directory.
2. If encryption is enabled for the mount point directory, the command uses the cipher that is set
at the mount point.
3. Otherwise, the command uses the default file_cipher parameter in the
/etc/evfs/evfs.conf file.
Using the evfsxfr command
CAUTION: The evfsxfr command must be used with caution. It exposes the encrypted file in
its raw form and any changes, intentional or unintentional, can corrupt the file and make it
unreadable.
For example, if the following command was issued in an encrypted directory:
# evfsxfr ls -l > OUT
The OUT result file is a corrupted file with the output of ls -l embedded in the EMD. This command
must be used only for read-only access or while restoring the backup data.
The evfsxfr command is mainly used for the following functions:
• Transfer encrypted files, such as backup and restore
• Display the actual size of a file
• Bypass encrypted file restrictions (see “The EVFS wrapper commands” (page 120))
If the encrypted file is already open for normal access, evfsxfr cannot be used to access the
open encrypted file. Conversely, if the encrypted file is already open with evfsxfr access, normal
access to the file is denied.
Examples
The following command backs up the DIR directory in encrypted form:
# evfsxfr tar cvf DIR.tar DIR
The evfsxfr command can be used to display the actual size of the file:
# evfsfile list ME
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: dlin.dlin
# ls -l
total 10
-rw-r--r--   1 dlin   users   15 Jul 31 12:26 ME
Without evfsxfr, the size of ME is displayed as 15 bytes. But with evfsxfr, the EMD of size
4K is included:
# evfsxfr ls -l
total 10
-rw-r--r--   1 dlin   users   4111 Jul 31 12:26 ME
The following command allows the root user to run the chown command for an encrypted file:
# evfsxfr chown dlin /encrypted_dir/encrypted_file
The following command allows a user to copy an encrypted file to the /tmp directory in a non-secure
session:
# evfsxfr cp /encrypted_dir/encrypted_file /tmp
EFS backup and restore
If you are in a secure session backing up the file that you have access to (for example, the encrypted
file whose file encryption key is protected with your user key or primary group key), the content is
stored in cleartext. To leave the contents in encrypted form, there are three ways to back up and
restore encrypted files and file systems:
1. Back up and restore using the evfsxfr command.
You can use the evfsxfr command with other commands such as tar and cpio to store
data in encrypted form. The evfsxfr command is used to view the encrypted content. Note
that evfsxfr cannot be used if the files are currently being accessed. You must use the
evfsxfr command to restore the data; otherwise, the content may be encrypted twice,
resulting in lost files.
To view if a file is encrypted, use the evfsxfr command as follows:
# evfsfile list AG/secret.c
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: dlin.dlin
Group Key ID: users.users
Recovery Key ID: evfs.efs
# cat AG/secret.c
this is a SECRET file
Using the tar command without the evfsxfr command saves the content in cleartext form:
# tar cvf AG-clear.tar AG
a AG/secret.c 1 bloc
# strings AG-clear.tar | grep SECRET
this is a SECRET file
# rm -fr AG; tar xvf AG-clear.tar
x AG/secret.c, 22 bytes, 1 tape blocks
# evfsfile list AG/secret.c
evfsfile: list error: "AG/secret.c" is not an encrypted file.
Using the tar command with the evfsxfr command, the encrypted file remains intact:
# evfsxfr tar cvf AG.tar AG
a AG/secret.c 9 blocks
# rm -fr AG; tar xvf AG.tar
# evfsfile list AG/secret.c
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: dlin.dlin
Group Key ID: users.users
Recovery Key ID: evfs.efs
Note that if you do not use the evfsxfr command when restoring into an encrypted directory,
the encryption is done twice:
# evfsfile list AG
EFS directory information:
Data Encryption Cipher: aes-128-cbc
# tar xvf AG.tar
x AG/ME, 4111 bytes, 9 tape blocks
# evfsxfr ls -l AG/ME
-rw-r--r--   1 dlin   users   8207 Jul 24 16:19 AG/ME
The file should be 4111 bytes in size, but now it is 8207 bytes with unintelligible content.
2. Back up and restore using an off-line EFS volume.
If the EFS volume can be taken off-line, a simple way to back up the volume is to mount it as
read-only without EFS stacking. For example, if you have an EFS volume /dev/vg00/lvol9,
it is usually mounted as follows:
# mount -o stackfs=sefs /dev/vg00/lvol9 /test
To mount it for backup, you remount it as follows:
# mount -r /dev/vg00/lvol9 /test
At this point, any standard procedures or tools used for backup and restore can be used on
this volume.
3. Back up and restore using the VxFS snapshot or checkpoint
You can use the snapshot and checkpoint of the Veritas file system to back up encrypted files
and file systems on-line (see Veritas™ File System 5.0 Administrator's Guide HP-UX 11i v3).
Assuming there is an EFS file system mounted on /test:
# mount -F vxfs -o stackfs=sefs /dev/vg00/lvol9 /test
Create a snapshot mount file system on /snap with volume /dev/vg00/lvol10 for backup,
as follows:
# mount -F vxfs -o snapof=/test /dev/vg00/lvol10 /snap
See mount_vxfs(1M) for information on the snapshot mount file system.
View the cleartext content of the encrypted files on this snapshot directory, as follows:
# mount -F vxfs -o stackfs=sefs,snapof=/test /dev/vg00/lvol10 /snap
Create a checkpoint file system on the same /test EFS volume, as follows:
# fsckptadm create test /test
# fsckptadm list
Mount the checkpoint file system on /ckpt as read-only for encrypted backup, as follows:
# mount -F vxfs -o ckpt=test /dev/vg00/lvol9:test /ckpt
At this point, any standard procedures or tools used for backup and restore can be used on
this volume. This checkpoint can also be used as a regular EFS volume, as follows:
# mount -F vxfs -o stackfs=sefs,rw,ckpt=test /dev/vg00/lvol9:test /ckpt
To remove this checkpoint:
# fsckptadm remove test /test
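For method 1 above, a post-restore check for the double-encryption case (a 4111-byte raw file growing to 8207 bytes), as an added example that is not part of HP's guide. It assumes the archive was created with evfsxfr, so the sizes in the tar extraction log already include one EMD, and that path names contain no spaces; the function names, file names and sample lines are constructed for illustration in the formats shown above.

```shell
#!/bin/sh
# Added example: compare the sizes recorded by "tar xv" with the raw sizes
# reported by "evfsxfr ls -l" after a restore, to catch files that gained
# an extra EMD because the restore ran without evfsxfr.
EMD_BYTES=4096   # 4K Encryption Meta Data per encrypted file, per this guide

# write_samples DIR: constructed sample data in the formats shown above.
# AG/ME was restored into an encrypted directory without evfsxfr;
# AG/secret.c (22 bytes of cleartext plus one EMD) was restored correctly.
write_samples() {
    cat > "$1/tar.log" <<'EOF'
x AG/ME, 4111 bytes, 9 tape blocks
x AG/secret.c, 4118 bytes, 9 tape blocks
EOF
    cat > "$1/raw.lst" <<'EOF'
-rw-r--r--   1 dlin   users   8207 Jul 24 16:19 AG/ME
-rw-r--r--   1 dlin   users   4118 Jul 24 16:19 AG/secret.c
EOF
}

# check_restore TAR_LOG RAW_LISTING
# TAR_LOG:     saved output of "tar xvf archive"
# RAW_LISTING: saved output of "evfsxfr ls -l" on the restored files
# Prints one line per file whose raw size differs from the archived size and
# returns 1 if any such file was found, 0 otherwise.
check_restore() {
    awk -v emd="$EMD_BYTES" '
        # First file: "x <name>, <size> bytes, <n> tape blocks"
        NR == FNR {
            if ($1 == "x" && $4 == "bytes,") {
                name = $2
                sub(/,$/, "", name)
                archived[name] = $3
            }
            next
        }
        # Second file: regular-file lines of ls -l; field 5 is the size and
        # the last field is the path.
        $1 ~ /^-/ && NF >= 9 && ($NF in archived) {
            extra = $5 - archived[$NF]
            if (extra == 0) next
            bad = 1
            if (extra > 0 && extra % emd == 0)
                printf "EXTRA-EMD %s archived=%d raw=%d layers=%d\n",
                       $NF, archived[$NF], $5, extra / emd
            else
                printf "SIZE-MISMATCH %s archived=%d raw=%d\n",
                       $NF, archived[$NF], $5
        }
        END { exit (bad ? 1 : 0) }
    ' "$1" "$2"
}

# Run "sh thisfile demo" to check the constructed samples.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    check_restore "$d/tar.log" "$d/raw.lst" || echo "restore needs attention"
    rm -rf "$d"
fi
```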
The EVFS wrapper commands
EVFS provides wrapper commands to facilitate user/group encrypted data access and prevent
unintended decryption of encrypted files. These wrapper commands behave like
the corresponding HP-UX commands, except for the restrictions described in this section.
EVFS wrapper commands are located at /opt/evfs/bin. When you enter a secure session with
evfsauth (see “Using a secure session” (page 108)), this path is automatically added to the
beginning of the PATH shell variable. As a result, you can issue these commands without using
the full path.
The cp command
The cp wrapper command prevents unintended decryption of encrypted files. It copies a file within
a directory, within a file system, or across different file systems with some restrictions. The cp
wrapper command does not support the -r and -R options. Therefore, the source cannot be a
directory.
When you are in a secure session, the cp wrapper command succeeds if the destination directory
is configured for encryption (if the source file is clear, the target file becomes encrypted). This
command fails if the source file is an encrypted file and the destination directory is not configured
for encryption. Using the evfsxfr command with this wrapper bypasses this restriction (See
“Using the evfsxfr command” (page 117)). When you run the evfsxfr command with the cp
wrapper, the file is copied as is without any data transformation.
• If the source file is already encrypted, the encrypted form of the file will be copied to the
  destination. As a result, unless the target file is in an EFS file system and you are in a secure
  session, you cannot access the file.
• If the source is a clear file, the clear form of the file is copied to the destination whether the
  directory is enabled for encryption or not. You can create a clear file in an EFS-enabled
  directory.
The following table shows the restrictions for the cp wrapper command:
                                               Destination Directory Encryption:
Session             evfsxfr   Source           Configured   Not Configured
All                 With      All              Allowed      Allowed
Secure session      Without   Encrypted file   Allowed      No
                              Clear file       Allowed      Allowed
Non-secure session  Without   Encrypted file   No           No
                              Clear file       No           Allowed
Example 1
In this example, user jsmith enters a secure session and successfully copies an encrypted file to
a directory configured for encryption, but fails to copy the encrypted file to a regular directory
(that is, one not configured for encryption):
# evfsauth login
Enter your key passphrase:
You are entering in a secure session. Use "exit" to end the session.
# which cp
/opt/evfs/bin/cp
# echo "this is a test" > file1
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
# cp file1 /efs/encdir
# ll /efs/encdir/file1
-rw-rw-rw-   1 jsmith   users   6 Jul 29 10:33 /efs/encdir/file1
# cp file1 /efs/cleardir
cp: file1: is encrypted, but /efs/cleardir is not configured for encryption:
Permission denied
Example 2
In this example, user jsmith, who is in a secure session, copies an encrypted file to a regular
directory using the evfsxfr cp command. The target file is still encrypted. If the target directory
is in the EFS file system (that is, the file system is mounted to the EFS mapped volume), the user can
access the file as long as the user is in a secure session. If the target directory is not in the EFS file
system, the file becomes inaccessible:
# evfsxfr cp file1 /efs/cleardir
# evfsfile list /efs/cleardir/file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
# more file1
this is a test
# evfsxfr cp file1 /tmp
# more /tmp/file1
M-^PM-zJbM-DM-_M-^?
^A^A^Ao^A-^PM-h1M-^G^Pe^^7M-<Vl$^Q^G=4M-\^D
Example 3
In this example, user jsmith, who is in a secure session, copies a clear file into a directory
configured for encryption. The target file becomes encrypted:
# cd /efs/cleardir
# evfsfile list .
evfsfile: list error: "." is not enabled for encryption.
# echo "this is another test" > filea
# evfsfile list filea
evfsfile: list error: "filea" is not an encrypted file.
# cd /efs/jsmith
# evfsfile list .
EFS directory information:
Data Encryption Cipher: aes-128-cbc
# cp /efs/cleardir/filea filea
# evfsfile list filea
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
# more filea
this is another test
Example 4
After exiting from a secure session, user jsmith is not allowed to copy a clear file into a directory
configured for encryption:
# evfsauth display
User key:
Key name: jsmith.jsmith
# exit
# which cp
/usr/bin/cp
# cd /efs/cleardir
# echo "this is 3rd test" > fileb
# cd /efs/jsmith
# cp /efs/cleardir/fileb .
cp: cannot create ./fileb: Permission denied
Example 5
When not in a secure session, user jsmith uses the evfsxfr cp command to copy a clear file
into a directory configured for encryption. The target file remains clear:
# pwd
/efs/jsmith
# evfsfile list .
EFS directory information:
Data Encryption Cipher: aes-128-cbc
# evfsxfr cp /efs/cleardir/fileb .
# evfsfile list fileb
evfsfile: list error: "fileb" is not an encrypted file.
# more fileb
this is 3rd test
The chown and chgrp commands
The chown wrapper command changes the owner ID of each encrypted file to the specified owner
and, optionally, the group ID of each encrypted file to the specified group. The chgrp wrapper
command changes the group ID of each encrypted file to the specified group. These wrapper
commands do not support the -R and -h options.
Only the owner of the encrypted files can use these commands to change the owner or group
permissions. To run these commands, the user should be in a secure session and new owner/group
keys should be available. The root user can run these commands with the evfsxfr command
to change the owner or group permissions.
The chown and chgrp wrapper commands change both DAC permissions and EVFS permissions
of encrypted files. Other users are not allowed to change the EVFS file permissions using these
wrapper commands.
The following table shows the restrictions for the chown and chgrp wrapper commands:
Session              evfsxfr   root (Super User)   File Owner
Secure Session       With      Allowed             No
                     Without   No                  Allowed
Non-secure Session   With      Allowed             No
                     Without   No                  No
Example 1
User jsmith enters a secure session and changes the file owner of an encrypted file to another
user who has a key:
# evfsauth login
Enter your key passphrase:
You are entering in a secure session. Use "exit" to end the session.
# ll filea
-rw-rw-rw-   1 jsmith   users   15 Jul 30 15:40 filea
# evfsfile list filea
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
# which chown
/opt/evfs/bin/chown
# chown usera filea
# evfsfile list filea
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: usera.usera
Example 2
If the new owner does not have a key, the chown wrapper command fails to change the owner
of an encrypted file:
# ll filea
-rw-rw-rw-   1 usera   users   15 Jul 30 15:40 filea
# evfspkey lookup -u userb
evfspkey: lookup error: user key pair "userb.userb" does not exist.
# chown userb filea
chown: error: cannot retrieve public key "userb.userb", key loading failure
Example 3
User jsmith changes the group of an encrypted file using the chgrp wrapper command:
# ll file1
-rw-rw-rw-   1 jsmith   users   5 Jul 30 17:09 file1
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Group Key ID: users.users
# evfspkey lookup -g newgrp
Key ID: newgrp.newgrp
Key Cipher: rsa-1536
Key Fingerprint: f3:8b:15:c2:15:b8:d7:e1:b6:04:1d: \
db:54:ad:93:61:53:f1:f1:ed
# chgrp newgrp file1
# ll file1
-rw-rw-rw-   1 jsmith   newgrp   5 Jul 30 17:09 file1
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Group Key ID: newgrp.newgrp
Example 4
The chgrp wrapper command fails to change the group of an encrypted file if the new group
does not have a key pair:
# evfspkey lookup -g grp1
evfspkey: lookup error: group key pair "grp1.grp1" does not exist.
# chgrp grp1 file1
chgrp: error: cannot retrieve public key "grp1.grp1", key loading failure
The mv command
The mv wrapper command prevents unintended decryption of encrypted files. You can use this
wrapper command to rename a file or a directory within a directory or to relocate a file within a
file system or across different file systems with some restrictions.
An encrypted file cannot be moved to a directory which is not configured for encryption, and a
cleartext file cannot be moved to a directory which is configured for encryption. Using the evfsxfr
command with the mv wrapper command bypasses this restriction: with evfsxfr, you can move an
encrypted file to a directory which is not configured for encryption, or vice versa.
Renaming a cleartext file or an encrypted file (that is, moving it within the same directory) is
allowed. When in a secure session, the root user or the file owner can move an encrypted file
across different file systems.
The following table shows the restrictions for the mv wrapper command:
                                                 Destination Directory Encryption:
                                                 Across Different File Systems   Within the Same File System
Session              evfsxfr   Source            Configured   Not Configured     Configured   Not Configured
All                  With      All               Allowed      Allowed            Allowed      Allowed
Secure Session       Without   Encrypted File    Note 1       No                 Allowed      Note 2
                               Cleartext File    No           Allowed            Note 2       Allowed
Non-secure Session   Without   Encrypted File    No           No                 Allowed      Note 2
                               Cleartext File    No           Allowed            Note 2       Allowed
Note 1: Only root or the owner of the file can move the encrypted files across file systems.
Note 2: Only moves within the same directory (rename) are allowed.
Example 1
User jsmith enters a secure session and renames an encrypted file:
# id
uid=114(jsmith) gid=20(users)
# evfsauth login
Enter your key passphrase:
You are entering in a secure session. Use "exit" to end the session.
# evfsauth display
User key:
Key name: jsmith.jsmith
# which mv
/opt/evfs/bin/mv
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
# mv file1 file1.new
# evfsfile list file1.new
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Example 2
User jsmith is not allowed to move an encrypted file to a directory that is not enabled for
encryption:
# mv file1.new /efs/cleardir
mv: file1.new: is encrypted, but /efs/cleardir is not configured for encryption:
Permission denied
Example 3
User jsmith is allowed to rename an encrypted file in a directory not configured for encryption:
# evfsfile list .
evfsfile: list error: "." is not enabled for encryption.
# evfsfile list filex
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
# mv filex filey
# evfsfile list filey
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Example 4
The root user in a secure session is allowed to move an encrypted file across different file systems:
# id
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail)
# evfsauth login
Enter your key passphrase:
You are entering in a secure session. Use "exit" to end the session.
# evfsfile list /efs/jsmith/file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
# evfsfile list /efstest
EFS directory information:
Data Encryption Cipher: aes-128-cbc
# mv /efs/jsmith/file1 /efstest
# evfsfile list /efstest/file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
# exit
Example 5
When not in a secure session, root is not allowed to move an encrypted file across different file
systems:
# evfsauth display
User key:
Key name: root.root
# exit
# mv /efstest/file1 /efs/jsmith
mv: /efstest/file1: cannot read: Permission denied
The usermod and groupmod commands
The usermod wrapper command modifies the user information in the system by executing the
HP-UX usermod command and updating the EVFS key storage associated with the user.
The user key storage is created based on the login name of the user. Once it is created, it cannot
be changed. Therefore, if the user already has valid keys, the usermod wrapper command does not
support the -l option to change the user’s login name. If the HP-UX usermod command, which
has no knowledge of user keys, is used to change the login name, the user key and all encrypted
files associated with the user key will become inaccessible, and there will be no user key associated
with the new login name.
NOTE:
Do not change the user’s login name once the user has keys.
If the -g option is specified to change the primary group membership of this user and the user key
contains the access information of the primary group, the usermod wrapper command will remove
the group access information from the user key. As a result, the user no longer has access to the
encrypted files belonging to the group. The access information of the new group is not automatically
added to the user key. The key manager must run the evfspkey add -u <username> -g
<groupname> command to add the access information (See Section (page 142)).
The groupmod wrapper command modifies the group on the system by executing the HP-UX
groupmod command. The -n option is not supported if the group has valid keys. If the HP-UX
groupmod command is issued to modify the group name while the group already has a key, the
old group key becomes inaccessible and there will be no group key for the new group name.
NOTE:
Do not change the group name once the group has a key.
If you issue these wrapper commands when you are not in a secure session, you must do one of the
following:
• Change the shell variable PATH to add /opt/evfs/bin in order to override /usr/sbin.
• Refer to the full path /opt/evfs/bin/<wrapper_cmd>.
Example 1
User jsmith has a key pair. The system administrator attempts to change the login name of
jsmith using the usermod wrapper command with the -l option:
# id
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail)
# evfspkey lookup -u jsmith
Key ID: jsmith.jsmith
Key Cipher: rsa-2048
Key Fingerprint: d6:00:1f:2a:df:05:18:3e:9d:da:28:6c:4e:d8:1c:dc:50:d5:5b:63
Private Key : evfs-pbe1
Group access: users
Reset passphrase required: yes
Allow passphrase reset by key manger: no
Stored passphrase: no
# /opt/evfs/bin/usermod -l newuser jsmith
EVFS usermod error: cannot use "-l" option. Since "jsmith" has a key pair,
you cannot change the login name.
Example 2
User jsmith has access to encrypted files that belong to jsmith's primary group users. The
system administrator uses the usermod wrapper command to change jsmith's primary group:
# /opt/evfs/bin/usermod -g newgrp jsmith
The "users" group access key has been successfully removed from the user "jsmith" key record.
Example 3
The system administrator attempts to change the users group name while the group already has
a key:
# id
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail)
# evfspkey lookup -g users
Key ID: users.users
Key Cipher: rsa-2048
Key Fingerprint: 4c:50:8b:d7:87:c6:4d:71:b6:c6:70:d0:59:04:af:16:3b:b0:3d:f0
# /opt/evfs/bin/groupmod -n newgrp users
EVFS groupmod error: group key exists, cannot modify group name.
The userdel and groupdel commands
The userdel wrapper command deletes the user from the system by executing the HP-UX userdel
command and deletes all keys associated with this user. Once the keys are deleted, the encrypted
files protected by those keys become inaccessible.
If the HP-UX userdel command is used to delete the user account, the user's keys remain in
the system, but the keys and encrypted files associated with the user become inaccessible. Therefore,
before deleting a user account that already has keys and encrypted files, you need to make sure
that there are no more encrypted files to access with these keys. To delete the user key after the
user account has already been deleted from the system, the system administrator or key manager
can run the evfspkey delete -u <username> command.
The groupdel wrapper command deletes a group from the system by executing the HP-UX
groupdel command and deletes the group key and the group access key from its members' key
storage if it is the primary group. If the HP-UX groupdel command is used to delete the group,
the group key and the group access information are not deleted. In that case, the key manager can
delete them using the evfspkey delete -g <group> command.
Example 1
User jsmith has a key pair. The system administrator uses the /opt/evfs/bin/userdel
command to delete the user account and jsmith's user keys:
# id
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),)
# /opt/evfs/bin/userdel jsmith
Public/Private key pair(s) for user "jsmith" has been successfully deleted.
Example 2
The system administrator deletes the user account jsmith using the HP-UX userdel command,
which leaves the user key behind. The user key can be deleted with the evfspkey delete -u
<username> command:
# id
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),)
# userdel jsmith
# evfspkey delete -u jsmith
evfspkey: delete warning: user "jsmith" is not found on the system.
Caution: Are you sure you want to delete the "jsmith.jsmith" public/private key pair?
Continuing with this operation will make your data permanently irrecoverable.
Answer [yes/no]:yes
Public/Private key pair "jsmith.jsmith" has been successfully deleted.
Example 3
The group users has a key pair and the group members usera and userb have group access
information to the group users. The system administrator uses the /opt/evfs/bin/groupdel
command to delete the group key and group access information from the key record of its members:
# /opt/evfs/bin/groupdel users
users:
Group access key has been removed from user "usera" key record.
Group access key has been removed from user "userb" key record.
Public/Private key pair for group "users" has been successfully deleted.
Example 4
The system administrator deletes the group using the HP-UX groupmod command, which leaves the
group key and access information in its members’ key records. The key manager runs the evfspkey
delete -g <groupname> command to clean up this group’s key information:
# id
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail)
# groupdel users
# id
uid=112(keymgr) gid=20(qa)
# evfspkey delete -g users
evfspkey: delete warning: group "users" is not found on the system.
Caution: Are you sure you want to delete the "users.users" public/private key pair?
If you proceed with this operation, the files for the group members will not be sharable.
Answer [yes/no]:yes
users:
Group access key has been removed from user "usera" key record.
Group access key has been removed from user "userb" key record.
Public/Private key pair "users.users" has been successfully deleted.
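The usermod/groupmod and userdel/groupdel sections above both depend on the wrapper being the command that actually runs. The following added example (not part of the HP guide or the EVFS product) checks a search path before account changes are made; the function names and the --check flag are hypothetical, and /opt/evfs/bin is the wrapper location the guide gives.

```shell
#!/bin/sh
# Added example: confirm that account-management commands resolve to the
# EVFS wrappers, so that the EVFS key storage is updated with the account.
# Assumption: wrappers live in /opt/evfs/bin, as the guide states.

# Print the first executable file named $1 found in the colon-separated
# directory list $2. Returns 1 when nothing matches.
resolve_in_path() {
    rp_cmd=$1
    rp_old_ifs=$IFS
    IFS=:
    set -f                                # no globbing while splitting entries
    for rp_dir in $2; do
        [ -n "$rp_dir" ] || rp_dir=.      # empty entry means current directory
        if [ -f "$rp_dir/$rp_cmd" ] && [ -x "$rp_dir/$rp_cmd" ]; then
            set +f
            IFS=$rp_old_ifs
            echo "$rp_dir/$rp_cmd"
            return 0
        fi
    done
    set +f
    IFS=$rp_old_ifs
    return 1
}

# check_evfs_wrappers <search-path> <wrapper-dir> [command...]
# Prints one line per command and returns non-zero if any command would
# run something other than <wrapper-dir>/<command>.
check_evfs_wrappers() {
    cw_path=$1
    cw_dir=$2
    shift 2
    [ "$#" -gt 0 ] || set -- usermod groupmod userdel groupdel
    cw_bad=0
    for cw_cmd in "$@"; do
        cw_hit=$(resolve_in_path "$cw_cmd" "$cw_path") || cw_hit="nothing"
        if [ "$cw_hit" = "$cw_dir/$cw_cmd" ]; then
            echo "OK   $cw_cmd -> $cw_hit"
        else
            echo "WARN $cw_cmd -> $cw_hit (not the EVFS wrapper)"
            cw_bad=$((cw_bad + 1))
        fi
    done
    [ "$cw_bad" -eq 0 ]
}

# Run against the current PATH only when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_evfs_wrappers "$PATH" /opt/evfs/bin
fi
```

A WARN line for usermod, groupmod, userdel or groupdel means the HP-UX command would run and leave the user or group keys out of step with the account, as described above.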
Using the evfsrun command
The evfsrun command allows the root user to enter another user's secure session to execute
certain applications or commands. Only root can use this command and it requires the user's
stored passphrase.
To start the Oracle database during system boot, the Oracle startup script typically has the
following entry. This starts the Oracle database during system boot automatically as user $ORACLE:
# su $ORACLE -c "$ORACLE_HOME/bin/dbstart $ORACLE_HOME"
If the database files are encrypted using EVFS (configured in EFS mode), the Oracle database must
be started with the evfsrun command in order to access the database files created by user
$ORACLE in cleartext. This requires that the $ORACLE user's stored passphrase exist:
# evfsrun su $ORACLE -c "$ORACLE_HOME/bin/dbstart $ORACLE_HOME"
The EFS recovery key
The recovery key for EFS is optional and is not enabled by default. To configure the recovery key
in EFS, the system administrator must configure the recovery key and create the recovery key.
To configure the recovery key, uncomment the line #efs_recovery_keyname =
efs_recovery_key_name in the /etc/evfs/evfs.conf file and set the efs_recovery_keyname
configuration parameter to the recovery key name. The EFS recovery key is loaded into the
kernel when the EVFS subsystem starts (through the evfsadm start command), or it can be
loaded through the evfspkey loadkey -r command if EVFS is already started. Once the
recovery key is loaded into the kernel, all newly created encrypted files will have the EFS recovery
key information.
If the user key (or group key) for an encrypted file is lost or corrupted, the recovery
key can be used along with the evfsfile assign command to assign a new user key in the
EMD for the file, so that the user can use the new key to access the file data in cleartext.
Only the owner of an encrypted file can add or replace the recovery key on the encrypted file.
Example 1
You can create or load a recovery key, as follows:
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfspkey keygen -r -k efs
Enter recovery passphrase:
Re-enter recovery passphrase:
Public/Private key pair "evfs.efs" has been successfully generated.
/* uncomment the line in /etc/evfs/evfs.conf and set recovery key name */
efs_recovery_keyname = efs
/* load key when efs_recovery_keyname specified in evfs.conf file */
# evfspkey loadkey -r
Recovery key "evfs.efs" has been loaded into the kernel successfully.
/* All the newly created encrypted files from this point will have recovery key. */
Example 2
In this example, the root user adds the recovery key evfs.efs to the encrypted file file1 that
was created before the recovery key is loaded:
# ll file1
-rw-rw-rw-   1 jsmith   users   44 Aug  3 07:48 file1
/* An encrypted file file1 does not have any recovery key as it was created before */
/* the recovery key is loaded into the kernel. */
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
/* User jsmith is in a secure session with an EFS recovery key. */
# evfsauth display
User key:
Key name: jsmith.jsmith
Recovery key:
Key name: evfs.efs
/* The following command adds the EFS recovery key evfs.efs to encrypted file file1. */
# evfsfile add -r file1
Successfully added the recovery key to encrypted file "file1"
/* The recovery key is added to the encrypted file */
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Recovery Key ID: evfs.efs
Example 3
In this example, the root user replaces the recovery key efs with the newkey key for the encrypted
file file1:
/* root user logged in to configure a new EFS recovery key.*/
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfspkey keygen -r -k newkey
Enter recovery passphrase:
Re-enter recovery passphrase:
Public/Private key pair "evfs.newkey" has been successfully generated.
/* key newkey.priv will be created at local directory */
/* change key name in /etc/evfs/evfs.conf */
efs_recovery_keyname = newkey
# evfspkey loadkey -r
Recovery key "evfs.newkey" has been loaded into the kernel successfully.
/* User jsmith is logged into a secure session and wants to replace the old recovery key */
/* of an encrypted file evfs.efs with a new recovery key evfs.newkey. */
# id
uid=114(jsmith) gid=20(users)
/* Original key name is "efs" */
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Recovery Key ID: evfs.efs
# evfsfile add -r file1
Are you sure you want to replace the recovery key "evfs.efs"?
Continuing with this operation will remove the existing recovery key!
Answer [yes/no]:yes
Successfully added the recovery key to encrypted file "file1"
/* recovery key has been changed */
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Recovery Key ID: evfs.newkey
Example 4
In this example, the user recovers the user key for the encrypted file file1:
/* The original owner of the file is "jsmith" */
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Recovery Key ID: evfs.newkey
/* user key in /etc/evfs/pkey/users/jsmith is accidentally removed and user */
/* jsmith is not in the secure session */
# id
uid=114(jsmith) gid=20(users)
# evfsauth display
You are not in a secure session.
# id
# more file1
file1: Permission denied
/* root user who is in the secure session but cannot read the file */
/* because root is not the owner */
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfsauth display
User key:
Key name: root.root
Recovery key:
Key name: evfs.newkey
# more file1
File1: Permission denied
/* Assign encrypted file to root user */
# evfsfile assign -r /test1/newkey.priv -u root file1
Enter recovery passphrase:
Encrypted file "file1" owner has been successfully changed to "root.root"
/* The user can read the file after the new user key is assigned */
# more file1
this is an encrypted file
/* The owner of the file is now "root" */
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: root.root
Recovery Key ID: evfs.newkey
Example 5
In this example, the root user disables the EFS recovery key and the EVFS subsystem must be
restarted:
/* comment out the key name in /etc/evfs/evfs.conf */
# efs_recovery_keyname = newkey
# evfsadm stop
# evfsadm start
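Files created before a recovery key was loaded (Example 2), or still carrying a replaced one (Example 3), cannot be recovered with the current key. The following added example (not part of the HP guide or the EVFS product) reports such files; it assumes evfsfile list prints the labelled fields shown in the listings above, and the function names and the EVFSFILE variable are hypothetical.

```shell
#!/bin/sh
# Added example: report encrypted files whose EMD carries no recovery key,
# or a recovery key other than the one currently configured.
# Assumption: `evfsfile list <file>` prints "Label: value" fields as in the
# guide's listings; a value wrapped onto the following line is also accepted.

EVFSFILE=${EVFSFILE:-evfsfile}    # overridable so the parser can be tested offline

# Read one listing on stdin; print "owner=<id> group=<id> recovery=<id>"
# ("-" for an absent field). Exit 1 unless it is an "EFS file information"
# listing (cleartext files, directories and error messages are rejected).
parse_evfsfile_list() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function get(k)  { return (k in f) ? f[k] : "-" }
        /^[ \t]*EFS file information:/ { is_file = 1; next }
        {
            line = trim($0)
            if (line == "") next
            i = index(line, ":")
            if (i == 0) {                 # value wrapped onto its own line
                if (pending != "") f[pending] = line
                pending = ""
                next
            }
            key = trim(substr(line, 1, i - 1))
            val = trim(substr(line, i + 1))
            pending = (val == "") ? key : ""
            if (val != "") f[key] = val
        }
        END {
            if (!is_file) exit 1
            printf "owner=%s group=%s recovery=%s\n", \
                get("Owner Key ID"), get("Group Key ID"), get("Recovery Key ID")
        }'
}

# classify_file <path> <expected-recovery-key-id>
# Prints "<STATUS> <path> <fields>": OK, MISSING (no Recovery Key ID),
# STALE (a different recovery key), or "SKIP <path>" (not an encrypted file).
classify_file() {
    cf_path=$1
    cf_want=$2
    if cf_fields=$("$EVFSFILE" list "$cf_path" 2>/dev/null | parse_evfsfile_list); then
        cf_rec=${cf_fields##*recovery=}
        if [ "$cf_rec" = "-" ]; then
            echo "MISSING $cf_path $cf_fields"
        elif [ "$cf_rec" != "$cf_want" ]; then
            echo "STALE $cf_path $cf_fields"
        else
            echo "OK $cf_path $cf_fields"
        fi
    else
        echo "SKIP $cf_path"
    fi
}

# audit_recovery_keys <expected-recovery-key-id> <file>...
# Returns non-zero if any file is MISSING or STALE.
audit_recovery_keys() {
    ar_want=$1
    shift
    ar_bad=0
    for ar_file in "$@"; do
        ar_line=$(classify_file "$ar_file" "$ar_want")
        echo "$ar_line"
        case $ar_line in
            MISSING*|STALE*) ar_bad=$((ar_bad + 1)) ;;
        esac
    done
    [ "$ar_bad" -eq 0 ]
}

# Run only when called with arguments, e.g.: sh audit.sh evfs.newkey /efs/jsmith/*
if [ "$#" -ge 2 ]; then
    audit_recovery_keys "$@"
fi
```

Files reported as MISSING or STALE are candidates for evfsfile add -r, run by the file owner in a secure session as in Examples 2 and 3.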
12 Managing keys
This chapter describes how to manage EFS keys as follows:
• “Types of keys” (page 131)
• “Key manager key” (page 131)
• “Managing a user key” (page 132)
• “Managing a group key” (page 138)
• “Key manager operations” (page 142)
• “Key file location” (page 144)
Types of keys
EFS includes the following types of keys:
Table 4 EFS keys
Key               Description
User              Allows user to access file content through owner and group key.
                  The user passphrase and user access key protect the user key. The user key
                  protects the file encryption key and group access key.
Group             Allows group access to a file. You must have a key manager key to use this
                  key. The group access key protects the group key. The group key protects the
                  file encryption key.
                  This key is optional.
Key Manager       Allows the key manager to reset a user passphrase without having the key
                  owner's old passphrase and perform group administration.
                  This key is optional.
Recovery          Recovers file encryption key.
                  This key is optional.
File encryption   Retrieves encrypted file content.
Each key has its own life cycle, including how it is created, used and deleted.
Key manager key
The use of the key manager key is optional. The key manager key is required for these functions:
• Reset a user's passphrase without having the user's old passphrase
• Manage group keys
NOTE: If the key manager does not have a key, it is still possible for the key manager to reset
another user's passphrase, but that will require the key owner's old passphrase.
To use these features, a key manager key must be explicitly created using the evfspkey keygen
subcommand. The system administrator should not take on the role of key manager. Otherwise,
the system administrator could access the user's encrypted files by having access to the key manager
passphrase. The key manager's passphrase is requested during certain key management commands.
The key manager’s key plays a special role: it is used to protect group keys. Therefore, once
it is created, EFS does not allow a system administrator to delete it. If for any reason
the key manager’s operations should be prohibited, the system administrator can disable the key
manager’s capability by removing its account configuration from the /etc/evfs/evfs.conf
file. The value of key_manager in the /etc/evfs/evfs.conf file must not change once the
key manager’s key pair is created, or all group keys which are associated with the key manager
will become inaccessible.
Since the key manager’s key is used to protect group keys and is possibly linked to user keys, there
are several limitations on using the key manager:
• For security reasons, the key manager is not allowed to have a secure session (this avoids using
  the same key to encrypt files).
• Ensure that the system administrator does not take the key manager’s role on behalf of the
  key manager. The system administrator is not allowed to run the su command to become the
  key manager and perform key functions.
To create the key manager key, the user designated as the key manager logs into the system
using the user account configured in key_manager in the /etc/evfs/evfs.conf file,
then creates a key pair by running the evfspkey keygen command.
Managing a user key
A user must have a key to use the EFS subsystem to encrypt or decrypt files. Although in previous
EVFS releases, a user is allowed to have multiple keys by specifying the –k <keyname> option
during key creation, only the user key with the default key name is recognized by EFS (the default
key name is the same as the user name).
Unlike in EFS, EVS allows the user to specify a different user key name with the –k <keyname>
option to manage volumes configured for encryption.
This section describes the following key operations:
• “Creating a user key ” (page 132)
• “Changing the passphrase” (page 134)
• “Displaying user key information” (page 136)
• “Exporting a user key” (page 136)
• “Importing a user key” (page 137)
• “Deleting a user key” (page 138)
Creating a user key
keygen is the primary subcommand of the evfspkey command for creating keys. A user key
can also be implicitly created when the user logs into the EFS subsystem for the first time. A user
key can be created by one of the following roles:
1. The user implicitly – for example, the key owner. HP recommends this method.
Without a key pair, a user is allowed to log into EFS. In that case, the user is prompted to
determine if the key pair should be created as part of the EFS login process. If the user decides
to have the key created, the user will be prompted to enter a passphrase to protect the key
pair, as follows:
# evfsauth login
You don't have a key pair to use EFS, do you want to create one?
Answer [yes/no]: yes
Enter passphrase:
Re-enter passphrase:
2. The system administrator or the key manager.
The system administrator or the key manager is allowed to create a key pair for other users
by specifying the user name with the -u option. The command prompts for a passphrase to
protect the private key. When the user runs the evfsauth command to log into EFS, the user
is prompted to enter the aforementioned passphrase, and is also requested to change the
passphrase.
The system administrator or key manager is allowed to create a key pair for other users by
specifying the user name with the -u <username> and -s options. When the -s option is
specified, keygen automatically generates a random passphrase to protect the private key,
and stores it in a designated file. There is no need for the system administrator or key manager
to share the passphrase with the user. When a user runs the evfsauth login command
to log into EFS, the user is forced to change the passphrase; the stored passphrase is read
from the file and then removed. This provides an easy way for the system administrator or key
manager to manage user keys. Alternatively, the user can change the passphrase using the
evfspkey passgen command.
Example 1
In this example, the system administrator creates a key pair for the testuser user using the
-s option:
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfspkey keygen -s -u testuser
Public/Private key pair "testuser.testuser" has been successfully generated.
When the user logs into EFS, the user has to change the passphrase as follows:
# id
uid=110(testuesr) gid=20(users)
# evfsauth login
evfsauth: login warning: you have a stored passphrase.
You need to reset EFS passphrase.
Enter new pasphrase:
Re-enter new passphrase:
Do you still want to store the passphrase in a file?
Answer [yes/no]:no
[Passphrase store file is deleted.]
For security reasons, you should answer no unless the system administrator has to run
applications on your behalf and requires your passphrase. With a stored passphrase, the
root user can access your encrypted files.
Example 2
In this example, the system administrator creates a key pair for the testuser user:
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfspkey keygen -u testuser
Enter passphrase:
Re-enter passphrase:
Public/Private key pair "testuser.testuser" has been successfully generated
3. The user explicitly – for example, the key owner.
A user can create their own key pair before logging into EFS. The user will be prompted to enter
a passphrase to protect the key pair. The same passphrase will be requested whenever the
user needs to access the key pair (for example, when logging into EFS). For example:
# id
uid=110(testuser) gid=20(users)
# evfspkey keygen
Enter passphrase:
Re-enter passphrase:
Public/Private key pair "testuser.testuser" has been successfully generated
Exception
Since the key manager has a special role in EFS, the key manager's passphrase that is used to
protect the key pair should not be shared with the system administrator. The key manager is also
not allowed to enter in an EFS secure session. To create a key manager key, the user configured
as the key manager (see key_manager in the /etc/evfs/evfs.conf file) must log into the
system and run the evfspkey keygen command.
The following options are allowed only by the system administrator or the key manager:
-u <username>
Specify the user name (for example, the key owner).
-r
Specify recovery key.
See evfspkey for detailed information on their usage.
The following options are allowed by the system administrator, the key manager, and regular
users:
-c
Specifies the type of key to generate.
-k <keyname>
Specifies the key name.
-p
Creates a passphrase and stores it in a file.
-s
Generates a random passphrase and stores it in a file.
-m <keywrap>
Specifies the keywrap algorithm to override the keywrap parameter in the
/etc/evfs/evfs.conf file.
By default, the key name is the same as the user name. Even though it is possible for a user to
create multiple keys with different key names, when the user logs into EFS using the evfsauth
login command, EFS always loads the key with the default key name. Therefore, to use EFS, a
user must have a key with the default key name (that is, a key created without the
-k <keyname> option, so that the key name is the same as the user name).
Although a non-root user is allowed to store the passphrase in a file, the stored passphrase is not
used when the user logs into EFS. It is intended for system startup without manual intervention when
the passphrase is needed. The evfsauth login command always prompts for the passphrase,
whether the stored passphrase file exists or not.
Therefore, a user that intends to enter a secure session should not generate a key with the -s option
because with that option the system generates a random passphrase and the passphrase is unknown
to the user.
WARNING!
A user key is linked with the user’s login name. After the key is created successfully,
the system administrator should not modify the user’s login name with the usermod -l option. If
the EFS version of the usermod command (in /opt/evfs/bin) is executed, the -l option that
changes the login name is rejected. If the regular usermod -l option is executed mistakenly, the
user will lose its user key and can no longer log into EFS.
Changing the passphrase
A user key passphrase can be changed by one of the following roles:
1. The system administrator or the key manager – by entering the key owner’s passphrase
The system administrator or the key manager is allowed to change another user’s passphrase
by specifying the user name with the -u option. However, they will be prompted to enter the
user’s old passphrase. For example:
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfspkey passgen -u testuser
Enter old passphrase:
Enter new passphrase:
Re-enter new passphrase:
Passphrase for key "testuser.testuser" has been successfully generated
2. The key manager – by entering the key manager’s passphrase
The key manager can change a user's key passphrase by entering its own passphrase when
the following conditions are true:
• The key_manager account has been configured in the /etc/evfs/evfs.conf file.
• The key manager has created his key pair.
• The parameter keymgr_reset_passphrase is yes.
• During key creation, the key owner chose to allow the key manager to reset its passphrase
(for example, by answering yes to the prompt Do you want to allow key manager
to reset your passphrase without your old passphrase? from the
evfspkey keygen or evfsauth login command). Or the key owner has run the
evfspkey passgen -e command to allow the key manager to reset the user's
passphrase using the key manager's passphrase.
You can check that all the above conditions are true by displaying the key information, as
follows:
# evfspkey lookup -u testuser
Key ID: testuser.testuser
Key Cipher: rsa-2048
Key Fingerprint: 1c:61:a0:13:9e:d1:82:1b:ca:73:d9:ac:f7:3e:f9:15:1b:b8:69:9e
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Allow passphrase reset by key manger: yes
Stored passphrase: no
If Allow passphrase reset by key manager is set to yes, the key manager is able
to reset the passphrase without the user's old passphrase.
For example:
# id
uid=100(keymgr) gid=200(evfs)
# evfspkey passgen -u testuser
Enter key manager's passphrase:
Enter new passphrase:
Re-enter new passphrase:
Passphrase for key "testuser.testuser" has been successfully generated
3. The key owner
A key owner can change its own passphrase as follows:
# id
uid=110(testuser) gid=20(users)
# evfspkey passgen
Enter old passphrase:
Enter new passphrase:
Re-enter new passphrase:
Passphrase for key "testuser.testuser" has been successfully generated
When the system administrator or the key manager changes a user’s passphrase, such as in the
previous examples 1 and 2, if the -s option is specified with the -u <username> option, passgen
automatically generates a random passphrase to protect the private key, and stores it in a designated
file. There is no need for the system administrator or the key manager to share the passphrase with
the user.
Displaying user key information
The system administrator or the key manager can display any user’s key information using the
evfspkey lookup command with the -u option. A key owner can also display its own key
information. For example:
# id
uid=110(luser1) gid=20(users)
# evfspkey lookup
Key ID: luser1.luser1
Key Cipher: rsa-2048
Key Fingerprint: 1c:61:a0:13:9e:d1:82:1b:ca:73:d9:ac:f7:3e:f9:15:1b:b8:69:9e
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Allow passphrase reset by key manger: yes
Stored passphrase: no
When displaying another user’s key information using the -u option, a non-root user can see
only partial key information. For example:
# id
uid=110(luser1) gid=20(users)
# evfspkey lookup -u luser2
Key ID: luser2.luser2
Key Cipher: rsa-2048
Key Fingerprint: 39:81:4d:2b:3b:61:70:bb:d2:08:d1:4f:66:a7:a3:d1:1f:f6:dc:d6
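The lookup fields shown above tell you who besides the owner can unlock a key. The following shell function is an added example, not part of the HP guide or the EVFS product: it reads the text printed by evfspkey lookup, flags keys that have a stored passphrase or that the key manager can reset, and notes partial reports such as the one a non-root user gets for another user. The function names and the sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HP code. Usage on an EVFS system (as root or key manager):
#   evfspkey lookup -u testuser | audit_lookup

# audit_lookup: read one or more "evfspkey lookup" reports on stdin and print
# "<key id>: <finding>" for every attribute that lets someone other than the
# key owner unlock the key.
audit_lookup() {
    awk -F': *' '
        function report_partial() {
            if (id != "" && !seen)
                print id ": partial report, policy fields not shown"
        }
        { sub(/[ \t\r]+$/, "") }                 # drop trailing blanks / CR
        $1 == "Key ID" { report_partial(); id = $2; seen = 0; next }
        $1 == "Stored passphrase" {
            seen = 1
            if ($2 == "yes")
                print id ": stored passphrase, root can access the encrypted files"
            next
        }
        # The output shown in the guide spells this label "key manger";
        # the corrected spelling is accepted too.
        $1 ~ /^Allow passphrase reset by key mana?ger$/ {
            seen = 1
            if ($2 == "yes")
                print id ": key manager can reset the passphrase without the old one"
        }
        END { report_partial() }
    '
}

# Constructed sample input: three reports in the format shown in this guide.
# User names and fingerprints are made up.
sample_reports() {
    cat <<'EOF'
Key ID: luser1.luser1
Key Cipher: rsa-2048
Key Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Allow passphrase reset by key manger: yes
Stored passphrase: no
Key ID: svcuser.svcuser
Key Cipher: rsa-2048
Key Fingerprint: 10:21:32:43:54:65:76:87:98:a9:ba:cb:dc:ed:fe:0f:10:21:32:43
Private Key Keywrap: evfs-pbe1
Reset passphrase required: no
Allow passphrase reset by key manger: no
Stored passphrase: yes
Key ID: luser2.luser2
Key Cipher: rsa-2048
Key Fingerprint: 20:31:42:53:64:75:86:97:a8:b9:ca:db:ec:fd:0e:1f:20:31:42:53
EOF
}

sample_reports | audit_lookup
```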
Exporting a user key
A user key can be exported by the key manager or the key owner. The key passphrase is required
to access the private key. If the key is exported by the key manager and the key manager has the
capability to reset the user’s passphrase without the user's old passphrase, the key manager’s
passphrase will be required to access the private key. Otherwise, the key owner’s passphrase is
required.
The user key can be exported into two different formats: PKCS12 and PEM. By default, the
evfspkey export command converts the key to the PKCS12 format and stores it in a file
specified in the command line. The file will be protected with a required passphrase. If the -F
pem option is specified, the key will be exported to the PEM format.
The exported keys can be used on other systems that have EVFS.
The following options are valid only for the key manager:
-u <username>
Specifies the user name.
-r <recovery_file>
Specifies the recovery key file path.
The following options are valid for the key manager and the regular users:
-k <keyname>
Specifies the key name to export.
-f <filename>
Specifies the file that contains the exported key.
This option is mandatory.
-F {pkcs12|pem}
Specifies the format in which the key is exported. Default is pkcs12.
Examples
If the key manager is not configured, the key owner will be the only one able to export its own
key. The system administrator is not allowed to export a user key.
# id
uid=110(testuser) gid=20(users)
# evfspkey export -f keyout
Enter passphrase:
Enter passphrase to protect file “keyout”:
Re-enter passphrase to protect file “keyout”:
Export key pair “testuser.testuser” to “keyout” successfully
The exported key stored in standard PKCS12 or PEM format can be shared with other applications
which recognize the format. For example:
# openssl pkcs12 -in keyout -nodes
Enter Import Password:
MAC verified OK
Bag Attributes
localKeyID: 74 BD C2 F7 DD CA EC A2 D0 17 D2 C4 30 15 97 3C E9 FE 40 FF
subject=/C=US/ST=dummyState/O=dummyOrg/CN=dummyUrl
issuer=/C=US/ST=dummyState/O=dummyOrg/CN=dummyUrl
-----BEGIN CERTIFICATE-----
MIICbDCCAZUCAQAwDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMxCzAJBgNV
[...]
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 74 BD C2 F7 DD CA EC A2 D0 17 D2 C4 30 15 97 3C E9 FE 40 FF
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
MIIDdgIBAAKBwCOgEAAHaE03BDTTY//pt9Ke2CLym6PRlkrIYGv0LTnDdfiYZ92y
[...]
-----END RSA PRIVATE KEY-----
Importing a user key
The key manager or the key owner can import a user key from a file. This is the opposite operation
to exporting a user key. Therefore, the passphrase which protects the file is requested first, then
the passphrase to protect the private key is requested. The file must contain the key in PKCS12 or
PEM format. By default, the evfspkey import command assumes the key file is in PKCS12
format. If it is in PEM format, you need to specify the -F pem option in the command line.
The following options are valid only for the key manager:
-u <username>
Specifies the user name.
-r
Specifies that it is a recovery key.
The following options are valid for the key manager and the regular users:
-k <keyname>
Specifies the key name to import.
-p
Prompts and stores the passphrase in a file.
-s
Generates a random passphrase and stores it in a file.
-m <keywrap>
Specifies the keywrap to override in the /etc/evfs/evfs.conf file.
-f <filename>
Specifies the file name to import the key from.
This option is mandatory.
-F {pkcs12|pem}
Specifies the key format in the file. Default is pkcs12.
If the user key is imported by the key manager, the user will have to change its passphrase at
the next login to EFS, when the user runs the evfsauth command. Otherwise, the user can
change the passphrase using the evfspkey passgen command beforehand. If the key manager
is not configured, the key owner will be the only one who can import the key. The system
administrator is not allowed to import a user key.
# evfspkey import -f keyout
Enter passphrase which protects file “keyout”:
Enter passphrase:
Re-enter passphrase:
Import key pair “testuser.testuser” from “keyout” successfully
To transfer a user key from system A to system B, the key owner can export the key in system A,
then ftp the key file to system B, and import it.
Deleting a user key
The system administrator, the key manager, or the key owner can delete a user key. Once the user
key is deleted, all the files encrypted with the file key protected by this user key become irrecoverable
(unless you have a primary group key or a recovery key in place). Therefore, a confirmation is
required before the key is deleted, as follows:
# evfspkey delete -u testuser
Caution: Are you sure you want to delete the "testuser.testuser" public/private key pair?
Continuing with this operation will make your data permanently irrecoverable.
Answer [yes/no]:yes
Public/Private key pair "testuser.testuser" has been successfully deleted
Exception
Once created, the key manager key cannot be deleted.
The following options are valid only for the system administrator or the key manager:
-u <username>
Specifies the username.
-r
Specifies the recovery key.
The following options are valid for the system administrator, the key manager, and regular users:
-k <keyname>
Specifies the key name.
-p
Indicates the passphrase file to be deleted.
When a user account is deleted from the system, the user's key should also be deleted. If the EFS
version of userdel (in /opt/evfs/bin) is used to delete the account, all user keys owned by
the user will also be deleted. If the regular userdel command is used, the system administrator
must run the evfspkey delete command to delete the user's keys.
Managing a group key
The group key is designed to share encrypted files among group members. Unlike a user key which
is protected by a passphrase, the group key is protected by an AES key (also called an access
key). The access key then in turn is protected by the key manager's key and the group members'
keys (if this group is their primary group). When a user logs into the EFS subsystem, the user primary
group key is loaded into the kernel. As a result, the user is able to access files that belong to the
group based on the UNIX access control.
Creating a group key
Only the key manager can create a group key. Therefore, the key manager’s key must be created
before any group keys can be created. Unlike user keys where a user can have multiple keys
(specified with -k <keyname>), each group is allowed only one key and the key name is always
the same as the group name. Therefore, the option -k is not valid to create a group key.
Example 1
By default, after the group key is created successfully, the evfspkey keygen command implicitly
copies the group access key into the key files of all users whose primary group is the group being
processed. As a result, when those users log into EFS with the evfsauth login command, the
group key is accessible and loaded into the kernel.
# id
uid=100(keymgr) gid=200(evfs)
# evfspkey keygen -g testgrp
Enter key manager's passphrase:
Public/Private key pair "testgrp.testgrp" has been successfully generated
Example 2
In this example, the luser1 and luser2 users have the lgrp1 group as their primary group,
and they already have a user key:
# grget -n lgrp1
lgrp1::200:luser2,lusera,userx    <- group ID is 200
# grep 200 /etc/passwd
luser1:DgFcvrjtiHEUw,z.cT:200:200::/home/luser1:/sbin/sh
luser2:wkU5.agVOyRH2:201:200::/home/luser2:/sbin/sh
# evfspkey keygen -g lgrp1
Enter key manager's passphrase:
Public/Private key pair "lgrp1.lgrp1" has been successfully generated
lgrp1:
group access key has been added into user "luser1" key record.
group access key has been added into user "luser2" key record.
If you display those users’ keys, you can see the group access information:
# evfspkey lookup -u luser1
Key ID: luser1.luser1
Key Cipher: rsa-2048
Key Fingerprint: 1c:61:a0:13:9e:d1:82:1b:ca:73:d9:ac:f7:3e:f9:15:1b:b8:69:9e
Private Key Keywrap: evfs-pbe1
Group access: lgrp1
Reset passphrase required: yes
Allow passphrase reset by key manger: yes
Stored passphrase: no
If the -n option is specified with the evfspkey keygen -g group command, the group access
key is not copied into its members' key records, and the evfsauth login command will not load
the group key for the members.
If a user key is created after the user's primary group key, the group access key has to be added
into the new user’s key file manually by the key manager using the evfspkey add command for
which the key manager’s passphrase is required (see “Key manager operations” (page 142)).
After a group key is created successfully, the system administrator should not modify the group
name using the groupmod -n command. If the EFS version of the groupmod command (in
/opt/evfs/bin) is executed, the -n option to change the group name will be rejected. If the
regular groupmod -n command is executed mistakenly, the users can no longer load the group
key and as a result, they will fail to access files belonging to this group.
It is possible that the key manager needs to create many groups for the system. To make this task
easier, the -f <filename> option can be specified to create multiple group keys by just entering
the key manager’s passphrase once. The file contains all the groups to be created; the group names
are specified one group per line.
Example
In this example, the grpfile file contains the following:
# more grpfile
lgrp1
lgrp2
testgrp
The key manager can create all those groups as follows:
# evfspkey keygen -f grpfile
Enter key manager's passphrase:
Public/Private key pair "lgrp1.lgrp1" has been successfully generated.
lgrp1:
group access key has been added into user "luser1" key record.
group access key has been added into user "luser3" key record.
group access key has been added into user "luser2" key record.
Public/Private key pair "lgrp2.lgrp2" has been successfully generated.
lgrp2:
group access key has been added into user "luser4" key record.
group access key has been added into user "luser5" key record.
group access key has been added into user "lusera" key record.
Public/Private key pair "testgrp.testgrp" has been successfully generated.
The following options are to be used by the key manager to create the group keys:
-g <groupname>
Specifies the group name.
-c <cipher>
Specifies the type of key.
-f <filename>
Specifies a file that contains all the groups to be created – one group per
line.
-n
Does not add the group access key to its members.
Displaying group key information
Unlike user keys, group keys have less information to display. Anyone can display any group key
information using the evfspkey lookup command with the -g option, as follows:
# id
uid=100(evfs) gid=200(evfs)
# evfspkey lookup -g lgrp1
Key ID: lgrp1.lgrp1
Key Cipher: rsa-2048
Key Fingerprint: 56:b5:ef:d6:b4:b4:fe:c5:3f:39:fc:82:08:11:03:df:01:42:3e:65
The only valid option to display group key information is -g <groupname>. If the -g option is
not specified, the default is to display the user key information.
Exporting group key information
Only the key manager can export a group key. Similar to exporting a user key, the key manager’s
passphrase is required to access the group key. The evfspkey export command then requires
a passphrase to protect the file, as follows:
# id
uid=100(keymgr) gid=20(users)
# evfspkey export -f keyout -g testgrp
Enter key manager's passphrase:
Enter passphrase to protect file “keyout”:
Re-enter passphrase to protect file “keyout”:
Export key pair “testgrp.testgrp” to “keyout” successfully
By default, the exported key is stored in the PKCS12 format. To store keys in the PEM format,
specify the -F pem option. The key can be shared with any applications that understand the
format.
To export a group key, use the following options:
-g <groupname>
Specifies the group name.
-f <filename>
Specifies the file in which to store the exported key.
-F {pkcs12|pem}
Specifies the exported key file format. Default is pkcs12.
Importing group key information
Only the key manager is allowed to import a group key from a file containing the key in either
PKCS12 or PEM format. To import a group key, the key manager is first prompted to enter the
passphrase that protects the file. Then the key manager must enter the key manager's passphrase
to protect the private key. By default, the evfspkey import command assumes that the key is in
PKCS12 format. If the key is in PEM format, you must specify the -F pem option.
For example:
# id
uid=100(evfs) gid=200(evfs)
# evfspkey import -f keyout -g testgrp
Enter passphrase which protects file “keyout”:
Enter key manager's passphrase:
Import key pair “testgrp.testgrp” from “keyout” successfully.
After a group key is imported successfully, the group access key is automatically added to all group
members that already have a user key.
For any new group member added after the group key is imported, the key manager must manually
add the group access key to the user with the evfspkey grpchk -f command.
To import a group key, use the following options:
-g <groupname>
Specifies the group name. If the group name is not specified, the user key
will be assumed.
-f <filename>
Specifies the file which contains the key in PKCS12 or PEM format. This
option is mandatory.
-F {pkcs12|pem}
Specifies the exported key format in a file. Default is pkcs12.
Deleting a group key
Only the key manager is allowed to delete a group key. Before deleting a group key, the group
access key is deleted from the key files of all users whose primary group is the group being deleted.
For example:
# evfspkey delete -g lgrp1
Caution: Are you sure you want to delete the "lgrp1.lgrp1"
public/private key pair? If you proceed with this operation, the files for the group members
will not be sharable.
Answer [yes/no]:yes
lgrp1:
group access key has been removed from user "luser1" key record successfully.
group access key has been removed from user "luser2" key record successfully.
Public/Private key pair "lgrp1.lgrp1" has been successfully deleted.
When a group key is deleted, its group members can no longer access files owned by other group
members.
To delete a group from the system, the system administrator should use the EFS version of the
groupdel command (in /opt/evfs/bin). This command removes the group from the system,
deletes the group key, and removes the access key from the members. If the regular groupdel
command is used mistakenly, the group key and associated information in the members’ key files
will be left in the system. In that case, the key manager can still use the evfspkey delete
command to display and delete the key.
Key manager operations
The following operations require the key manager to log into the system. The system administrator
cannot perform these operations when running the su command as the key manager.
• “Changing the passphrase” (page 134)
• “Managing a group key” (page 138)
• “Granting a member access to a group key” (page 142)
• “Removing a member from a group key” (page 143)
• “Check or synchronize users and groups” (page 144)
Granting a member access to a group key
When a group key is created, its access information is implicitly added to existing user key records
of those members whose primary group is the group being processed. As a result, those members are
automatically granted the access to the group key and therefore, the access to the encrypted files
belonging to the group.
If a user does not have a user key when its primary group key is created, or if the user is newly
added after its primary group key is created, the key manager must explicitly grant the user the
access to the group key by running the evfspkey add -u <username> -g <groupname>
command.
Examples
In this example, the users group is the primary group for the usera, userb, and jsmith users.
The usera and userb users have a key, but the jsmith user does not. The keymgr key manager
(configured in /etc/evfs/evfs.conf with key_manager) creates the group key for the users
group. Before the key manager creates the group key, the usera user does not have access to
the users group. After the key manager creates the group key, the usera user has access to the
users group as follows:
# id
uid=112(keymgr) gid=20(users)
# evfspkey lookup -u usera
Key ID: usera.usera
Key Cipher: rsa-2048
Key Fingerprint: f1:6d:ca:e3:b5:68:0f:d0:05:c1:45:a3:8a:4f:c1:f1:db:bd:6c:e8
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Allow passphrase reset by key manger: no
Stored passphrase: no
# evfspkey keygen -g users
Enter key manager's passphrase:
Public/Private key pair "users.users" has been successfully generated.
users:
Group access key has been added into user "usera" key record.
Group access key has been added into user "userb" key record.
# evfspkey lookup -u usera
Key ID: usera.usera
Key Cipher: rsa-2048
Key Fingerprint: f1:6d:ca:e3:b5:68:0f:d0:05:c1:45:a3:8a:4f:c1:f1:db:bd:6c:e8
Private Key Keywrap: evfs-pbe1
Group access: users
Reset passphrase required: yes
Allow passphrase reset by key manger: no
Stored passphrase: no
In the following example, the key manager creates a user key for the jsmith user. The key manager
then explicitly grants the group access to jsmith, as follows:
# evfspkey keygen -u jsmith
Enter passphrase:
Re-enter passphrase:
Public/Private key pair "jsmith.jsmith" has been successfully generated.
# evfspkey add -u jsmith -g users
Enter key manager's passphrase:
The "users" group access key was successfully added to the user "jsmith" key record.
# evfspkey lookup -u jsmith
Key ID: jsmith.jsmith
Key Cipher: rsa-2048
Key Fingerprint: 6c:a8:6a:5f:77:d1:d5:9c:b9:c3:11:1c:86:0e:a5:e1:e3:79:de:94
Private Key Keywrap: evfs-pbe1
Group access: users
Reset passphrase required: yes
Allow passphrase reset by key manger: no
Stored passphrase: no
Because the users group is not the primary group of the userc user, the key manager is not
allowed to grant to userc the access to the group users:
# evfspkey keygen -u userc
Enter passphrase:
Re-enter passphrase:
Public/Private key pair "userc.userc" has been successfully generated.
# evfspkey add -u userc -g users
evfspkey: add error: user userc's primary group does not exist (gid = 120).
Removing a member from a group key
When a group key is deleted, the group access key is automatically removed from the key records
of its members. Without deleting the group key, the key manager can run the evfspkey delete
-u <username> -g <groupname> command to remove the group access key from its members.
For this specific operation, both -u and -g options must be specified with the evfspkey delete
command. If only the -u option is specified, the command will delete the entire user key. If only
the -g option is specified, the entire group key will be deleted. A user may have multiple keys.
The user key with the default key name (for example, key ID = username.username) is the one
for which we remove the group access information.
Examples
In this example, the key manager deletes the group key of the users group, the group access key
is also deleted from the key records of its members, as follows:
# evfspkey delete -g users
Caution: Are you sure you want to delete the "users.users" public/private key pair?
If you proceed with this operation, the files for the group members will not be sharable.
Answer [yes/no]:yes
users:
Group access key has been removed from user "usera" key record.
Group access key has been removed from user "userb" key record.
Group access key has been removed from user "jsmith" key record.
Public/Private key pair "users.users" has been successfully deleted.
The newgrp group is the primary group of the userd user. The key manager removes the group
access from userd, as follows:
# evfspkey lookup -u userd
Key ID: userd.userd
Key Cipher: rsa-2048
Key Fingerprint: 61:ab:ee:8c:80:9c:bc:f0:68:48:08:af:0b:43:86:0c:ba:20:64:74
Private Key Keywrap: evfs-pbe1
Group access: newgrp
Reset passphrase required: yes
Allow passphrase reset by key manger: no
Stored passphrase: no
# evfspkey delete -u userd -g newgrp
Enter key manager's passphrase:
The "newgrp" group access key was successfully removed from the user "userd" key record.
# evfspkey lookup -u userd
Key ID: userd.userd
Key Cipher: rsa-2048
Key Fingerprint: 61:ab:ee:8c:80:9c:bc:f0:68:48:08:af:0b:43:86:0c:ba:20:64:74
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Allow passphrase reset by key manger: no
Stored passphrase: no
Check or synchronize users and groups
The key manager uses the evfspkey grpchk command to verify whether the EFS user and group
key information is synchronized, for example, whether the primary group access keys are in the
user key records for all members.
There are three levels of verification:
1. Verification for the user
The evfspkey grpchk -u <username> command checks if the user has a group access
key to its primary group:
# evfspkey grpchk -u luser1 -g lgrp1
lgrp1:
group access key is already in user "luser1" key record.
If the user does not have a group access key and the -f option is specified, the group
access key is added to the user’s key record.
2. Verification for a group
The evfspkey grpchk -g <groupname> command checks one specific group and
reports group members who have this group as their primary group, already have a user key,
but do not have the group access key. If the -f option is specified, the group access key is
added into those members’ key records. For members configured in /etc/group for whom the
group is only a supplementary group, nothing is done:
# evfspkey grpchk -g lgrp1
lgrp1:
group access key is not in user "luser1" key record.
group access key is not in user "luser2" key record.
# evfspkey grpchk -f -g lgrp1
Enter key manager's passphrase:
lgrp1:
group access key has been added into user "luser1" key record.
group access key has been added into user "luser2" key record.
The evfspkey grpchk command will not report the users that do not have a user key.
3. Verification for the system
If the -a option is specified, all groups that have a group key will be checked and the access
information will be added to group members (if the -f option is specified). The groups that
still do not have a key pair will be skipped:
# evfspkey grpchk -f -a
Enter key manager's passphrase:
lgrp1:
group access key has been added into user "luser1" key record.
group access key has been added into user "luser2" key record.
lgrp2:
group access key has been added into user "lusera" key record.
group access key has been added into user "luserb" key record.
The evfspkey grpchk command does not report groups that do not have a group key.
Key file location
The user key data is by default stored locally under the /etc/evfs/pkey/users directory. The
group key data is stored under the /etc/evfs/pkey/groups directory. The administrator can
configure alternate local or remote storage directories for public keys, private keys, and stored
passphrases using the pub_key, priv_key, and pass_key directories in the file
/etc/evfs/evfs.conf. New keys will always be created in the first directory. If you have old
keys from previous releases in different directories, you still need to configure those directories into
priv_key, pub_key, and pass_key so that EVFS can successfully locate them.
EVFS creates a users subdirectory for all user keys, and a groups subdirectory for all group
keys. It then creates a subdirectory under users for each user that creates EVFS keys, using the
user name as the directory name. EVFS also creates a subdirectory under groups for each group
that creates EVFS keys, using the group name as the directory name. Therefore, when you configure
priv_key, pub_key, and pass_key, you should specify the directory paths without users and
groups.
For example, the first time user john generates an EVFS public/private key pair using the
evfspkey keygen command, EVFS creates the subdirectory /etc/evfs/pkey/users/john
to contain John's keys. By default, EVFS creates the files john.priv and john.pub in the john
subdirectory. They contain the private key and the public key respectively. The private key is
protected with a passphrase. If the key manager is allowed to reset John's passphrase by entering
its passphrase, or if John's primary group already has a key when John creates his key,
john.privext will be also created to contain additional key information.
Each group key has two files associated with it: one file contains the public key and one file contains
the private key. For example, when the key manager creates a group key pair for the group
mygroup using the evfspkey keygen -g mygroup command, EVFS creates the subdirectory
/etc/evfs/pkey/groups/mygroup to contain the mygroup key. By default, EVFS creates
the files mygroup.privext and mygroup.pub in the mygroup subdirectory. The
mygroup.privext file contains the mygroup private key which is protected by the key manager's
key. The mygroup.pub contains the mygroup public key.
Stored passphrases allow reboots when a system includes encrypted volumes that require
activation without user intervention. They also allow the root user to access encrypted files on
behalf of a regular user. The passphrase file name has the form john.pass.machine_intrinsic_id.
That is, the passphrase file name is composed of keyname.pass, suffixed with a string unique
to a given hardware system.
CAUTION:
• Do not edit the contents of the key or passphrase files. Use the evfspkey command to modify
these files.
• Stored passphrases add convenience, but are a security risk.
If you have a stored passphrase, it is possible for root to access your encrypted files.
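The following audit script is an added example, not part of the HP guide or the EVFS product. It walks a key database with the users/ and groups/ layout described above and reports every stored passphrase file, plus private-key or passphrase files that grant any group or other access. The function names, the finding labels, and the rule that private material should have no group/other permission bits are assumptions of this example; the required ownership and modes are those given in “Restoring user keys”.

```shell
#!/bin/sh
# Added example, not HP code. Audits an EVFS key database laid out as
# described above: ROOT/users/<user>/ and ROOT/groups/<group>/, holding
# <key>.pub, <key>.priv, <key>.privext and <key>.pass.<machine_intrinsic_id>.

# audit_evfs_keys ROOT
# Prints one finding per line. Returns 0 when nothing is flagged, 1 otherwise.
audit_evfs_keys() {
    root=$1
    findings=0
    for dir in "$root"/users/* "$root"/groups/*; do
        [ -d "$dir" ] || continue
        owner=${dir##*/}
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            name=${f##*/}
            case $name in
                *.pass.*)
                    # A stored passphrase lets root unlock this key unattended.
                    echo "STORED_PASSPHRASE $owner $name"
                    findings=$((findings + 1))
                    ;;
            esac
            case $name in
                *.priv|*.privext|*.pass.*)
                    # Assumption of this example: private material should carry
                    # no group/other permission bits (columns 5-10 of ls -l).
                    perms=$(ls -ld "$f" | cut -c5-10)
                    if [ "$perms" != "------" ]; then
                        echo "LOOSE_PERMS $owner $name $perms"
                        findings=$((findings + 1))
                    fi
                    ;;
            esac
        done
    done
    [ "$findings" -eq 0 ]
}

# make_sample_keydb DIR
# Builds a constructed key database (empty files, made-up machine ID) so the
# audit can be exercised without touching /etc/evfs/pkey.
make_sample_keydb() {
    mkdir -p "$1/users/john" "$1/groups/mygroup"
    for f in users/john/john.priv users/john/john.pub \
             users/john/john.pass.0123456789 \
             groups/mygroup/mygroup.privext groups/mygroup/mygroup.pub; do
        : > "$1/$f"
    done
    chmod 600 "$1/users/john/john.priv" "$1/users/john/john.pass.0123456789"
    chmod 644 "$1/users/john/john.pub" "$1/groups/mygroup/mygroup.pub"
    chmod 640 "$1/groups/mygroup/mygroup.privext"
}
```

On a live system the audit is run as root against the configured key directory, for example audit_evfs_keys /etc/evfs/pkey when the default priv_key, pub_key, and pass_key locations are in use.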
13 Support and other resources
Contacting HP
Before you contact HP
Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product identification number
• Applicable error message
• Third-party hardware or software
• Operating system type and revision level
HP contact information
For the name of the nearest HP authorized reseller:
• See the Contact HP worldwide (in English) webpage (http://www.hp.com/country/us/en/wwcontact.html).
For HP technical support:
• In the United States, for contact options see the Contact HP United States webpage
(http://welcome.hp.com/country/us/en/contact_us.html). To contact HP by phone:
◦ Call 1-800-HP-INVENT (1-800-474-6836). This service is available 24 hours a day, 7
days a week. For continuous quality improvement, calls may be recorded or monitored.
◦ If you have purchased a Care Pack (service upgrade), call 1-800-633-3600. For more
information about Care Packs, refer to the HP website (http://h20558.www2.hp.com/portal/site/cpc).
• In other locations, see the Contact HP worldwide (in English) webpage
(http://welcome.hp.com/country/us/en/wwcontact.html).
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/country/us/en/contact_us.html
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Documentation feedback
HP welcomes your feedback. To make comments and suggestions about product documentation,
send a message to http://www.hp.com/bizsupport/feedback/ww/webfeedback.html. Include
the document title and manufacturing part number. All submissions become the property of HP.
HP is evaluating support for additional disk management and data storage products for subsequent
releases of EVFS. Contact your HP representative if you have specific requirements or enhancement
requests.
New and changed information in this edition
The following additions and changes have been made for this edition:
• Information about EVFS integration with KCM is included.
• Information about change in ciphers supported on IA is included.
Related information
Documents
• Encrypted Volume and File System v2.2 Release Notes
www.hp.com/go/hpux-security-docs
• HP-UX System Administrator's Guide: Configuration Management
http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02281490/c02281490.pdf
• Managing Serviceguard
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02835426/c02835426.pdf
• Veritas™ File System 5.0.1 Administrator's Guide HP-UX 11i v3
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02622157/c02622157.pdf
Websites
• HP security products documentation website:
http://www.hp.com/go/hpux-security-docs
Typographic conventions
This document uses the following typographical conventions:
%, $, or #
A percent sign represents the C shell system prompt. A dollar sign
represents the system prompt for the Bourne, Korn, and POSIX
shells. A number sign represents the superuser prompt.
audit(5)
A manpage. The manpage name is audit, and it is located in
Section 5.
Command
A command name or qualified command phrase.
Computer output
Text displayed by the computer.
Ctrl+x
A key sequence. A sequence such as Ctrl+x indicates that you
must hold down the key labeled Ctrl while you press another key
or mouse button.
ENVIRONMENT VARIABLE
The name of an environment variable, for example, PATH.
ERROR NAME
The name of an error, usually returned in the errno variable.
Key
The name of a keyboard key. Return and Enter both refer to the
same key.
Term
The defined use of an important word or phrase.
User input
Commands and other text that you type.
Variable
The name of a placeholder in a command, function, or other
syntax display that you replace with an actual value.
[]
The contents are optional in syntax. If the contents are a list
separated by |, you must choose one of the items.
{}
The contents are required in syntax. If the contents are a list
separated by |, you must choose one of the items.
...
The preceding element can be repeated an arbitrary number of
times.
Indicates the continuation of a code example.
|
Separates items in a list of choices.
WARNING
WARNING! A warning calls attention to important information
that if not understood or followed will result in personal injury or
nonrecoverable system problems.
CAUTION
CAUTION: A caution calls attention to important information
that if not understood or followed will result in data loss, data
corruption, or damage to hardware or software.
IMPORTANT
IMPORTANT: An important alert provides essential information
to explain a concept or to complete a task.
NOTE
NOTE: A note contains additional information to emphasize or
supplement important points of the main text.
A Troubleshooting EVFS
This appendix contains information about troubleshooting the HP-UX Encrypted Volume and File
System (EVFS) product. This chapter addresses the following topics:
• “Troubleshooting tools overview” (page 149)
• “Displaying EVFS volume information” (page 149)
• “Verifying the EMD (evfsvol check)” (page 152)
• “Verifying user keys (evfspkey lookup)” (page 152)
• “Problem scenarios” (page 153)
• “Reporting problems” (page 157)
Troubleshooting tools overview
EVFS provides troubleshooting tools to perform the following tasks:
• Display EVFS volume information
• Verify the encryption metadata (EMD)
• Verify user key pairs
The tasks and commands used to perform them are listed in Table 5 and are described in the
sections that follow.
Table 5 EVFS troubleshooting tasks and commands
Task                                                                                      Command
Show all I/O and cryptography statistics for each EVFS volume.                            evfsadm stat -a
Show the total number of data blocks read, written, decrypted, and encrypted by EVFS.     evfsadm stat -s
Reset EVFS statistic values to zero.                                                      evfsadm stat -z
Display key IDs, underlying volume, and operating parameters for EVFS volumes.            evfsvol display -a|evfs_volume_path
Verify the integrity of the EMD area of a volume.                                         evfsvol check -a|evfs_volume_path
Verify and display information about user key pairs.                                      evfspkey lookup [-u user|-r] [-k keyname]
Displaying EVFS volume information
You can display the following information about EVFS volumes:
• I/O and encryption statistics, using the evfsadm stat command.
• Keys configured for an EVFS volume, using the evfsvol display command. This command
also displays operating parameters for the EVFS volume, including the underlying LVM, VxVM,
or physical volume device file name and the volume encryption algorithm.
Displaying I/O and encryption statistics (evfsadm stat)
The evfsadm stat command queries the EVFS kernel modules and displays I/O and encryption
statistics. This command is similar to the iostat command.
Syntax
evfsadm stat [-a|-s|-z]
where:
-a Displays all available information about EVFS. Displays the number of EVFS volumes, the
EVFS subsystem status (up or down), and the number of kernel encryption threads. For each
EVFS volume, displays the state, as maintained by the EVFS kernel driver (enabled, disabled,
or raw) and I/O and cryptography statistics.
-s Displays EVFS encryption and decryption statistics. The evfsadm utility displays the total
number of decrypted blocks and the total number of encrypted blocks for the EVFS subsystem.
-z Resets all statistic values to zero.
Examples
The following listing shows output from the evfsadm stat -a command:
# evfsadm stat -a
----- EVFS statistics ----
Total EVFS Volumes:          1
EVFS Subsystem Status:       up
Active Encryption Threads:   2
---- EVFS Volume Name ----|--- State ---|---------------- Queues -------------|
                                         orr       owr       odr       oer
/dev/evfs/vg01/lvol5       enabled       0         0         0         0
---- EVFS Volume Name ----|--- State ---|-------------- Counters -------------|
                                         bpr       bpw       bpd       bpe
/dev/evfs/vg01/lvol5       enabled       2074      52441     362       52345
---- EVFS Volume Name ----|--- State ---|---------------- Rates --------------|
                                         kbpsr     kbpsw     dkbps     ekbps
/dev/evfs/vg01/lvol5       enabled       25        3         362       34
The meaning of each field is as follows:
Total EVFS Volumes
Number of EVFS volumes in the kernel registry.
EVFS Subsystem Status
Status of the EVFS kernel components (up or down).
Active Encryption Threads
Number of EVFS kernel threads for cryptography processing.
EVFS Volume Name
Name of the EVFS volume.
State
State of the EVFS volume (enabled or disabled).
orr
Number of queued (outstanding) read requests.
owr
Number of outstanding write requests.
odr
Number of outstanding decryption requests.
oer
Number of outstanding encryption requests.
bpr
Number of data blocks read.
bpw
Number of data blocks written.
bpd
Number of data blocks decrypted.
bpe
Number of data blocks encrypted.
kbpsr
Read rate in kilobytes per second (kb/s). This statistic is based on the time it
takes the EVFS pseudo-driver to complete a read request. This statistic includes
the time it takes to read data from the physical disk and the underlying LVM or
VxVM volume (if applicable), and to decrypt the data.
kbpsw
Write rate in kilobytes per second (kb/s). This statistic is based on the time it
takes the EVFS pseudo-driver to complete a write request. This statistic includes
the time it takes to encrypt the data, and write the data to the underlying LVM
or VxVM volume (if applicable) and the physical disk.
dkbps
Decryption rate in kilobytes per second (kb/s).
ekbps
Encryption rate in kilobytes per second (kb/s).
The following listing shows output from the evfsadm stat -s command:
# evfsadm stat -s
Total EVFS Volumes: 2
364 blocks decrypted
52398 blocks encrypted
2076 blocks read
52494 blocks written
Displaying EVFS volume keys and operating parameters (evfsvol display)
Use the evfsvol display command to display information about the EVFS volume, including
the following items:
• Key IDs of the owner, recovery, and authorized user keys configured for the EVFS volume
• Name of the underlying LVM, VxVM, or physical volume device file
• Encryption algorithm used to encrypt the volume data
Syntax
evfsvol display [-a|evfs_volume_path]
where:
-a
Displays the EMD information for all enabled EVFS volumes.
evfs_volume_path
Specifies the absolute pathname for the EVFS volume device file, such
as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1. The evfsvol utility displays the EMD
information for the volume.
Example
The output for the evfsvol display evfs_volume_path is similar to the following:
# evfsvol display /dev/evfs/vg01/lvol5
EVFS Volume Name:           /dev/evfs/vg01/lvol5
Mapped Volume Name:         /dev/vg01/lvol5
EVFS Volume State:          enabled
EMD Size (Kbytes):          520
Max User Envelopes:         1024
Data Encryption Cipher:     aes-128-cbc
Digest:                     sha2
Owner Key ID:               root.rootkey1
Recovery Agent Key IDs:     evfs.evfs
Total Recovery Agent Keys:  1
User Key IDs:               user1.user1key
Total User Keys:            1
The meaning of each field is as follows:
EVFS Volume Name
Name of the EVFS volume.
Mapped Volume Name
Device file name of the underlying LVM, VxVM, or physical volume.
EMD Size
Size of the encrypted metadata (EMD) area, in kilobytes.
EVFS Volume State
State of the EVFS volume, as maintained by the EVFS kernel driver.
Max User Envelopes
Maximum number of key records (user envelopes) allowed in the EMD. Each key
record contains the volume encryption key, encrypted by a user's public key.
Data Encryption Cipher
The encryption algorithm used to encrypt the volume data.
Digest
The algorithm used to create a message digest value for the EMD, such as Secure
Hash Algorithm 1 (SHA-1/SHA-2). EVFS uses the message digest value and other
information to verify the contents of the EMD.
Owner Key ID
Owner key ID for the volume, in the format user_name.key_name.
Recovery Agent Key IDs
Recovery keys configured for the volume, in the format user_name.key_name.
Total Recovery Agent Keys
Total number of recovery key pairs configured for the volume. The maximum is
2.
User Key IDs
User keys configured for the volume, in the format user_name.key_name.
Total User Keys
Total number of user key pairs configured.
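The fields above lend themselves to an automated review. The following added example (not HP code) parses evfsvol display output and flags volumes whose EMD digest is sha1, which this guide lists as no longer supported for new volumes, and volumes with no recovery agent key, which the quick reference recommends configuring. It assumes each field is printed as "Label: value" on one line and that every volume record starts with "EVFS Volume Name"; the function names, the VOLUME/FINDING line format, and the lvol6 record in the sample are constructed for the example.

```shell
#!/bin/sh
# Added example, not HP code. Reads `evfsvol display` output on stdin and
# prints one VOLUME summary line per volume plus FINDING lines.
# Returns 1 if any finding was raised, 0 otherwise.
check_evfsvol_display() {
    awk '
    function reset() { vol = state = cipher = digest = ""; nrec = -1 }
    function report() {
        # recovery_keys=-1 means the field was absent from the record.
        printf "VOLUME %s state=%s cipher=%s digest=%s recovery_keys=%d\n",
               vol, state, cipher, digest, nrec
        if (digest == "sha1") { print "FINDING " vol " SHA1_DIGEST"; bad = 1 }
        if (nrec == 0)        { print "FINDING " vol " NO_RECOVERY_KEY"; bad = 1 }
    }
    {
        # Split at the first colon; lines without one (prompts) are skipped.
        i = index($0, ":")
        if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    key == "EVFS Volume Name"          { if (vol != "") report(); reset(); vol = val }
    key == "EVFS Volume State"         { state = val }
    key == "Data Encryption Cipher"    { cipher = val }
    key == "Digest"                    { digest = tolower(val) }
    key == "Total Recovery Agent Keys" { nrec = val + 0 }
    END { if (vol != "") report(); exit (bad + 0) }
    '
}

# Constructed sample: the first record mirrors the listing in this section,
# the second is made up to show both findings.
sample_display_output() {
    cat <<'EOF'
# evfsvol display -a
EVFS Volume Name:           /dev/evfs/vg01/lvol5
Mapped Volume Name:         /dev/vg01/lvol5
EVFS Volume State:          enabled
EMD Size (Kbytes):          520
Max User Envelopes:         1024
Data Encryption Cipher:     aes-128-cbc
Digest:                     sha2
Owner Key ID:               root.rootkey1
Recovery Agent Key IDs:     evfs.evfs
Total Recovery Agent Keys:  1
User Key IDs:               user1.user1key
Total User Keys:            1
EVFS Volume Name:           /dev/evfs/vg01/lvol6
Mapped Volume Name:         /dev/vg01/lvol6
EVFS Volume State:          disabled
EMD Size (Kbytes):          520
Max User Envelopes:         1024
Data Encryption Cipher:     aes-128-cbc
Digest:                     sha1
Owner Key ID:               root.rootkey1
Total Recovery Agent Keys:  0
Total User Keys:            0
EOF
}
```

On a system with EVFS installed, pipe the real command into the check: evfsvol display -a | check_evfsvol_display.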
Verifying the EMD (evfsvol check)
The evfsvol check command verifies the integrity of the EMD for an encrypted volume. You
must disable the EVFS volumes you want to check before executing the evfsvol check command.
If the verification fails, you can use the evfsvol restore command to restore the previous
version of the EMD. For more information, see “Recovering from EMD corruption” (page 71).
Syntax
evfsvol check -a|evfs_volume_path
where:
-a
Checks the EMD for all EVFS volumes in the /etc/evfs/evfstab
file.
evfs_volume_path
Specifies the absolute pathname for the EVFS volume device file, such
as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1. The evfsvol utility verifies the EMD
for the volume. EVFS must be disabled for the volume.
Example
In the following example, the user verifies the EMD for the /dev/evfs/vg01/lvol5 volume:
# evfsvol check /dev/evfs/vg01/lvol5
Encrypted volume "/dev/evfs/vg01/lvol5" status: OK
Encrypted volume "lvol5" has been successfully checked.
Verifying user keys (evfspkey lookup)
The evfspkey lookup command retrieves key pairs from the key storage data base and displays
information about the keys, such as the encryption algorithm.
Syntax
evfspkey lookup [-u user|-r] [-k keyname]
where:
-u user
Specifies the user name of the key owner. If you do not specify -u user,
evfspkey uses your user name as the key owner. You must have superuser or
the appropriate privileges to look up a key pair for another user.
-r
Causes evfspkey to display information about the recovery user key pair.
-k keyname
Specifies the key name. If you do not specify -k keyname, evfspkey uses the
user name as the key name.
Example
In the following example, the user verifies that the key rootkey1 exists for the root user.
# evfspkey lookup -u root -k rootkey1
Key ID: root.rootkey1
Key Cipher: rsa-2048
Key Fingerprint: c1ff371f6d1b15260d2acdefa2d0c4eb593e99e2
Private Key Keywrap: evfs-pbe1
Reset passphrase required: no
Allow passphrase reset by key manger: no
Stored passphrase: no
Problem scenarios
This section describes the following problem scenarios and solutions for the scenarios:
• “evfspkey cannot generate key pairs” (page 153)
• “evfspkey cannot store keys” (page 153)
• “evfsvol cannot retrieve private key” (page 154)
• “evfsvol create fails, EVFS device file not found in evfstab file” (page 154)
• “evfsvol create fails, valid EMD already exists” (page 154)
• “evfsvol disable fails, EVFS volume is busy” (page 155)
• “evfsadm map fails, invalid device” (page 155)
• “EMD Is dirty” (page 155)
• “evfsvol enable fails, EMD backup not found” (page 156)
• “evfsvol cannot create an EVFS volume” (page 157)
evfspkey cannot generate key pairs
Symptom
The evfspkey keygen command fails and evfspkey displays a message similar to the following:
evfspkey: keygen error: cannot generate key pair
Description
The evfspkey utility cannot generate a key pair because no cryptography threads are running.
Solution
Use the evfsadm start command to start the EVFS subsystem and kernel cryptography threads.
evfspkey cannot store keys
Symptom
The evfspkey keygen command fails and evfspkey displays a message similar to the following:
evfspkey: keygen error: cannot store public key "user_name.key_name",
key loading failure
Description
The evfspkey utility cannot store a public key file in the EVFS key database.
Solution
Verify that the account exists for the owner of the key pair. If you are creating a recovery key pair,
verify that the EVFS pseudo-user account exists. The user name for the EVFS pseudo-user is set using
the evfs_user attribute in the file /etc/evfs/evfs.conf. The default name is evfs.
Determine the directories used for the key database by checking the pub_key attribute statement
in the /etc/evfs/evfs.conf file. By default, EVFS stores the user key database in subdirectories
below the /etc/evfs/pkey/users directory. Verify that the attribute statement contains no line
breaks. Verify the file permissions, owner and group for the directories, as described in the section,
“Restoring user keys” (page 67).
evfsvol cannot retrieve private key
Symptom
An evfsvol command fails, and evfsvol displays a message similar to the following:
# evfsvol disable /dev/evfs/vg01/lvol5
evfsvol: disable error: cannot retrieve private key "root.root", key loading failure
Description
The evfsvol utility cannot retrieve a user's private key to perform an operation on an EVFS
volume.
Solution
If you do not specify a key name using the -k keyname option, evfsvol uses the default key
name, which is the user's account name. In the previous output, the root user entered the evfsvol
command, so evfsvol searched for the private key owned by root with the key name root
(root.root). If you are using an alternate key name, use the -k keyname option to specify the
key name.
If you specified the correct key name, determine the directories used for the key database by
checking the priv_key and pass_key attribute statements in the /etc/evfs/evfs.conf file.
By default, EVFS stores the user key database in subdirectories below the /etc/evfs/pkey/
users directory. Verify that the attribute statement contains no line breaks. Verify the file
permissions, owner and group for the key database directories, as described in the section,
“Restoring user keys” (page 67).
evfsvol create fails, EVFS device file not found in evfstab file
Symptom
The evfsvol create command fails and evfsvol displays a message similar to the following:
# evfsvol create /dev/evfs/vg01/lvol5
evfsvol: create error: /dev/evfs/vg01/lvol5 not found in evfstab file
Description
The evfsvol create command fails if you do not have an entry for the EVFS volume in the
/etc/evfs/evfstab file.
Solution
Add an entry for the EVFS volume to the /etc/evfs/evfstab file. The syntax for each entry is
as follows:
v volume_path /dev/evfs/evfs_volume_path [user_name.key_name] [options]
For more information, see the evfstab(4) man page.
evfsvol create fails, valid EMD already exists
Symptom
The evfsvol create command fails and evfsvol displays a message similar to the following:
# evfsvol create /dev/evfs/vg01/lvol5
evfsvol: create error: a valid EMD already exists in "/dev/evfs/vg01/lvol5",
use the -f option to override it
Description
The evfsvol create command fails if an EMD already exists on the volume. This can occur if
you reuse an EVFS volume without destroying the previous EMD.
Solution
If you are reusing an EVFS volume and do not want to recover the existing data, re-enter the
evfsvol create command with the -f option. The evfsvol create command generates a
new volume encryption key and new EMD. Any existing data is irrecoverable.
If you want to retrieve data from an existing EVFS volume and have problems with the existing
EMD, use the procedure described in “Recovering from EMD corruption” (page 71).
evfsvol disable fails, EVFS volume is busy
Symptom
The evfsvol disable command returns the following error:
evfsvol: disable error: cannot disable encrypted volume
“evfs_volume_path”, evol is busy
Description
EVFS does not disable an EVFS volume if the volume is in use.
Solution
Terminate any processes that are accessing the volume. You can use the fuser -cu command
to determine the processes accessing files, and the fuser -cku command to terminate the
processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level with the shutdown utility. For more information, see
shutdown(1M).
If the volume has a file system mounted, unmount the file system. For more information, see
umount(1M).
evfsadm map fails, invalid device
Symptom
The evfsadm map command returns the following error:
evfsadm: map error: invalid volume block device “filename”
For example:
evfsadm: map error: invalid volume block device “/dev/vg01/rlvol5”
Description
The command evfsadm map requires the name of a volume block device file as input. The
evfsadm utility maps the volume block device file to EVFS and automatically maps the
corresponding volume character (raw) device file to EVFS.
Solution
Specify a valid volume block device file. In the previous example, the user must replace
/dev/vg01/rlvol5 with /dev/vg01/lvol5.
EMD Is dirty
Symptom
The evfsvol enable or evfsvol check command fails. The output from the evfsvol
enable command includes the text EMD is dirty and is similar to the following:
evfsvol: enable error: cannot enable encrypted volume "/dev/evfs/vg01/lvol5", EMD is dirty
evfsvol: enable error: failed to enable encrypted volume /dev/evfs/vg01/lvol5
The output from the evfsvol check command includes the text EMD is dirty and is similar
to the following:
evfsvol: check error: cannot check encrypted volume "ev1", EMD is dirty
Description
If the system terminates without executing the system shutdown scripts, EVFS volumes will have a
"dirty bit" set in the EMD areas. If you try to enable an EVFS volume with the dirty bit set, EVFS
displays the message EMD is dirty. If this dirty EVFS volume contains a file system, a file system
consistency check is also required (see fsck(1M)).
Solution
Use the following evfsvol check -r command to reset the dirty bit.
evfsvol check -r -a|evfs_volume_path
where:
-r
Resets the dirty bit for the specified volume.
-a
Resets the dirty bit for all volumes in the /etc/evfs/evfstab file.
evfs_volume_path
Specifies the absolute pathname for the EVFS volume device file, such
as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1.
evfsvol enable fails, EMD backup not found
Symptom
The evfsvol enable command fails. The output from the evfsvol enable command includes
the text cannot back up EVFS volume and is similar to the following:
evfsvol: enable error: cannot back up EVFS volume "/dev/evfs/vg01/lvol5"
EMD
Description
When an EVFS volume is enabled on an IA system and the algorithm used to create the message
digest value for the EMD is SHA1, the EMD and its backup are updated with a digest value that is
recomputed using SHA2. If you are trying to enable an EVFS volume on a system other than the
one on which it was created, the backup of the EVFS volume EMD might not exist in the directory
configured for emd_backup in the EVFS configuration file /etc/evfs/evfs.conf.
Solution
Copy the backup of the EVFS volume EMD from the system on which it was created to the directory
configured for emd_backup in the /etc/evfs/evfs.conf file on the system where it is being enabled.
EVFS is not starting on system boot
Make sure that the EVFS_ENABLED variable in /etc/rc.config.d/evfs is set to 1:
EVFS_ENABLED=1
Verify that the /etc/inittab file has the following entry:
evs1::bootwait:/sbin/init.d/evfs_local start </dev/console>/dev/console 2>&1 ## evfs
Error on evfsadm stat output
The evfsadm stat -a command returns the following error:
evfsadm: stat error: cannot retrieve "/dev/evfs/vg00/lvol14" state,
unkown failure: errno = 594
Solution
This error occurs when the mapping is not initialized correctly. Make sure that there is no problem
with the volumes and use the evfsadm map -a command to restore the mapping.
Error on mounting file system
Make sure that you run fsck as follows after you reset the dirty bit of an EMD, or after you recover
a corrupted EMD from the EMD backup file using evfsvol restore evfs_volume_path:
fsck [-F file_sys_type] raw_evfs_volume_path
Without running fsck, you may not be able to mount the file system on the EVS volume successfully.
evfsvol cannot create an EVFS volume
Symptom
The evfsvol create command fails and evfsvol displays a message similar to the following:
evfsvol: create error: unsupported digest "sha1"
Description
The evfsvol utility cannot create an EVFS volume because SHA1 is no longer supported for
calculating the EMD digest.
Solution
Check the value of emd_digest in the EVFS configuration file /etc/evfs/evfs.conf.
If the value is SHA1, replace this with SHA2.
Reporting problems
If you are unable to resolve a problem with EVFS, complete the following steps:
1. Read the EVFS product release notes to see if the problem is a known problem. If it is, follow
the documented solution.
2. Determine if you have a valid warranty or support contract for your HP-UX system. Your
operations manager can supply you with the necessary information.
3. Go to the HP Support Center website at the following URL:
http://www.hp.com/go/hpsc
Search the technical knowledge databases to determine if the problem you are experiencing
has already been reported. The type of documentation and resources you have access to
depend on your level of entitlement.
4. If this is a new problem or if you need additional help, log your problem with the HP Support
Center, either on line through the support case manager at http://www.hp.com/go/hpsc, or
by calling HP Support.
If your warranty has expired or if you do not have a valid support contract for your product,
you can still obtain support services for a fee, based on the amount of time and materials
required to solve your problem.
Collecting data
Collect and submit the following data when reporting a problem:
• A description of your environment, including the HP-UX and EVFS version numbers.
• A description of the problem, including what works and what does not work. If an EVFS
command failed, include the run string and error message.
• If the system failed, the system dump files and a description of the system activities at the time
of the failure.
• Output from the following commands:
lsdev | grep evfs
ls -l /dev/evfs/*
ls -l /usr/lib/evfs/*
cat /etc/evfs/evfstab
cat /etc/evfs/evfs.conf
evfsadm stat -a
evfsvol display -a
evfspkey lookup keyname
B Product specifications
This appendix contains product specification information, including file names.
User files
EVFS uses the following directories and files for configuration and other runtime data:
• /etc/evfs/emd: Default directory for storing backup EMD data.
• /etc/evfs/evfs.conf: Configuration file for global EVFS parameters, such as the recovery
user name, encryption algorithm for volume data encryption, and directories for the user key
database.
• /etc/evfs/evfs_cryptx.conf: Configuration file for encryption libraries. Do not modify
this file.
• /etc/evfs/evfstab: File containing information about EVFS volumes. The evfsadm
utility adds and deletes entries for EVFS volumes in this file. Administrators need to modify this
file only when configuring the autostart feature.
• /etc/evfs/pkey/users: Default parent directory for the user key database.
• /etc/evfs/pkey/groups: Default parent directory for the group key database.
• /etc/evfs/pkey/users/evfs: Default parent directory for recovery user public keys.
• /etc/rc.config.d/evfs: Global EVFS configuration file read at system startup.
Commands and tools
EVFS provides the following commands:
• Equivalent HP-UX commands: These commands are wrappers for regular HP-UX commands
to enforce encrypted file semantics. These commands are located in /opt/evfs/bin. The
evfsauth and evfsrun commands prepend this path to the PATH environment variable.
• Encrypted file operation evfsfile: Displays and sets parameters for file and directory
encryption.
• Secure session evfsauth: Loads, unloads, and lists user keys.
• Access raw encrypted content evfsxfr: This command is used to access and transfer
encrypted files as is. Examples are backup/restore and ftp.
• Non-interactive secure session evfsrun: Creates an EFS secure session, mostly for auto-boot.
Only the root user can use this command and the user passphrase must be stored.
• /usr/sbin/evfsadm: Utility for administering EVFS (starting and stopping EVFS), mapping
volumes to EVFS (creating EVFS volume device files), mapping files to EVFS (and loading the
recovery key), and other administrative tasks.
• /usr/sbin/evfspkey: Utility for creating and managing user keys, group keys, key
manager, and passphrases.
• /usr/sbin/evfsvol: Utility for creating and enabling EVFS files and volumes, displaying
information about EVFS files and volumes, adding user keys to EVFS files and volumes, and
other file and volume management tasks.
EVFS provides the following startup and shutdown scripts:
• /sbin/init.d/evfs_local: Startup and shutdown script for enabling and disabling EVFS
volumes that have key information stored on the root disk of the local system.
• /sbin/init.d/evfs_local2: Startup and shutdown script for enabling and disabling
EVFS volumes that have key information stored on a nonroot disk of the local system.
• /sbin/init.d/evfs_remote: Startup and shutdown script for enabling and disabling
EVFS volumes that have key information stored on a remote system.
• /sbin/rc0.d/K898evfs_local2: Link to /sbin/init.d/evfs_local2 for shutdown.
• /sbin/rc0.d/K901evfs_local: Link to /sbin/init.d/evfs_local for shutdown.
• /sbin/rc0.d/K501evfs_remote: Link to /sbin/init.d/evfs_remote for shutdown.
• /sbin/rc0.d/S099evfs_local: Link to /sbin/init.d/evfs_local for startup.
• /sbin/rc0.d/S102evfs_local2: Link to /sbin/init.d/evfs_local2 for startup.
• /sbin/rc0.d/S499evfs_remote: Link to /sbin/init.d/evfs_remote for startup.
EVFS provides the following files for use with HP Serviceguard:
• /etc/evfs/opt/cmcluster/evfs_sg.sh: High-Availability (HA) EVFS control script.
• /etc/evfs/opt/cmcluster/evfssgconv: Utility for converting existing package control
scripts to make them execute the HA EVFS control script.
• /etc/evfs/opt/cmcluster/evfs.1: SG Attribute Definition File for EVFS
• /etc/evfs/opt/cmcluster/evfs.sh: SG Modular script for EVFS
EVFS commands
EVFS provides the following commands to configure and manage EVFS:
• evfsadm
The evfsadm utility manages the EVFS subsystem and creates device files for EVFS volumes.
• evfspkey
The evfspkey utility creates, stores, and manages EVFS user keys.
• evfsvol
The evfsvol utility configures and manages the EVS volumes.
• evfsfile
The evfsfile command is used to manage the EFS volumes.
C EVFS quick reference
This appendix contains reference information about EVFS.
Preparing EVFS
This section briefly describes the steps in the EVFS preparation procedure. For more information,
refer to Chapter 4 (page 28).
1. At installation, EVFS attempts to create the evfs user account and group for the EVFS
pseudo-user. If you cannot use evfs as the user and group name for the EVFS pseudo-user,
set the evfs_user attribute in the /etc/evfs/evfs.conf file to a different user name.
Create a new group and user account for the EVFS pseudo-user:
# groupadd my_evfs_group
# useradd -g my_evfs_group -c "EVFS pseudo-user" \
-d /home/evfs -s /usr/bin/false my_evfs_user
2. (Optional) Configure alternative directories for key storage using the pub_key, priv_key,
and pass_key attribute statements in the file /etc/evfs/evfs.conf.
3. (Optional) Modify EVFS global parameters. Edit the file /etc/evfs/evfs.conf.
4. Start the EVFS subsystem:
# evfsadm start [-n number_threads]
5. Create user key pairs for EVS mode.
a. Create keys for EVS volume owners:
# evfspkey keygen [-p] [-c cipher] [-u user] [-k keyname] [-m keywrap]
b. (Optional, but recommended) Create recovery keys:
# evfspkey keygen -c rsa-2048 -r [-k keyname] [-m keywrap]
EVFS creates the recovery user's private key in the current directory, with the file name
key_name.priv. Store this file off line.
c. (Optional) Create keys for authorized users:
# evfspkey keygen [-p|-s] [-c cipher] [-u user] [-k keyname] [-m keywrap]
Configuring EVS
This section briefly describes the steps in the EVFS procedure. After preparing EVFS, you can use
Option 1 or Option 2 to configure an EVS volume. For more information about selecting the
appropriate option, see Chapter 6 (page 45).
Option 1: Creating a new EVS volume
1. Configure the EVS volume:
   a. Create an LVM or VxVM volume if you are not creating the EVS volume directly above
      a whole physical volume:
      # lvcreate -L lv_size [options] vgfile (LVM)
      # vxassist -g group make volume_name size (VxVM)
   b. Create the EVFS device files:
      CAUTION: Any data on the underlying LVM, VxVM, or physical volume will be
      overwritten in subsequent steps, so HP recommends that you specify an empty volume.
      # evfsadm map volume_path
   c. Create the EMD and assign an owner for the volume:
      # evfsvol create -k keyname [-c cipher] evfs_volume_path
   d. (Optional) Add recovery and authorized user keys to the volume:
      # evfsvol add -r [-k keyname] evfs_volume_path
      # evfsvol add -u user [-k keyname] evfs_volume_path
   e. Enable encryption and decryption access for the EVS volume:
      # evfsvol enable [-k keyname] evfs_volume_path
2. Create and mount a new file system on the EVS volume:
   a. Use the newfs command to create a new file system on the raw EVFS volume device
      file:
      # newfs [-F file_sys_type] /dev/evfs/raw_evfs_volume_path
   b. (Optional) Use the fsck command to check the integrity of the file system:
      # fsck [-F file_sys_type] raw_evfs_volume_path
   c. Use the mkdir command to create the mount point:
      # mkdir mount_point
   d. Mount the file system on the EVS volume:
      # mount [-F file_sys_type] evfs_volume_path mount_point
   e. Add an entry to the /etc/fstab file for the encrypted volume. The syntax for the entry
      is as follows:
      evfs_volume_path mount_point file_sys_type [options]
3. Verify EVS operation. Use the following commands:
   • evfsadm stat -a
   • evfsvol display evfs_volume_path
4. (Optional) Migrate existing data to the EVFS volume by copying data from a non-EVFS volume
   to an EVFS volume. For more information, see “Step 4: (Optional) Migrating existing data to
   an EVS volume” (page 54).
5. (Optional) Configure the EVFS autostart feature. The autostart feature enables you to enable
   EVFS encryption and mount file systems on EVS volumes at system startup without manual
   intervention. You must have stored passphrases to use the autostart feature.
   To configure the autostart feature, edit the /etc/rc.config.d/evfs file to contain the
   following entry:
   EVFS_ENABLED = 1
   You must also edit the /etc/evfs/evfstab file. The syntax for each entry is as follows:
   v volume_path evfs_volume_path user_name.key_name options
   The options field must contain the keyword boot_local, boot_local2, or boot_remote.
   For more information, see “Step 6: (Optional) Configuring the autostart feature” (page 34).
6. Back up your configuration. Back up all files in the /etc/evfs directory and all subdirectories
   below it.
Option 2: Converting an existing volume into an EVS volume (inline encryption)
1. Prepare the file system and data.
   1. Verify the file systems or volumes you want to secure with EVFS are suitable for encryption.
   2. For data consistency, stop all applications accessing the data.
   3. Back up the data on the volume.
   4. Unmount the file system:
      # umount file_system
   5. Extend the volume if there is no spare disk space at the end of the volume. Inline encryption
      requires 3MB of spare disk space.
   6. Map the volume to an EVFS volume:
      # evfsadm map volume_name
2. Perform inline encryption.
   1. Start inline encryption:
      # evfsvol iencrypt [-f] [-k keyname] [-c cipher] evfs_volume_path
   2. Enable the EVS volume:
      # evfsvol enable evfs_volume_path
   3. Mount the file system to the EVS volume:
      # mount evfs_volume_path file_system
3. Verify EVS operation. Use the following commands:
   • evfsadm stat -a
   • evfsvol display evfs_volume_path
4. (Optional) Configure the EVFS autostart feature. The autostart feature enables you to enable
   EVFS encryption and mount file systems on EVS volumes at system startup without manual
   intervention. You must have stored passphrases to use the autostart feature.
   To configure the autostart feature, edit the /etc/rc.config.d/evfs file to contain the
   following entry:
   EVFS_ENABLED = 1
   You must also edit the /etc/evfs/evfstab file. The syntax for each entry is as follows:
   v volume_path evfs_volume_path user_name.key_name options
   The options field must contain the keyword boot_local, boot_local2, or boot_remote.
   For more information, see “Step 6: (Optional) Configuring the autostart feature” (page 34).
5. Back up your configuration. Back up all files in the /etc/evfs directory and all subdirectories
   below it.
EFS quick start
HP-UX EVFS includes the following EFS commands, typically used in the following order:
Command: evfsadm
Description: Starts and manages the EVFS subsystem. Maps LVM, VxVM, or physical volumes to the
EVFS subsystem. See evfsadm(1M).

Command: evfsauth
Description: Enters a user secure session. A secure session contains the needed credentials to
access encrypted files pertaining to that particular user. The command also allows users to
display their current secure session information. See evfsauth(1).

Command: evfsfile
Description: Manages EFS encrypted files and directories. See evfsfile(1).
Creating an EFS volume
As the root user, create the EFS volumes as follows:
1. Start the EVFS subsystem using the evfsadm start command. See evfsadm(1M).
2. If you are using LVM or VxVM (you are not directly accessing the physical disk as a physical
volume), use the appropriate LVM or VxVM commands (such as lvcreate or vxassist) to create
a new LVM or VxVM volume to use for the EVFS volume. See lvcreate(1M) or vxassist(1M).
3. Associate the underlying LVM, VxVM, or physical volume to an EFS volume in file-level
encryption mode using the evfsadm map -f command. This command also creates block
and character ("raw") device special files for the EFS volume and adds them to the kernel
registry.
4. To create a file system on the EFS volume, create it on the character (raw) EFS volume device
file using the newfs command. See newfs(1M).
5. If you want to mount the file system on the EFS volume, add an entry to the /etc/fstab file
that references the EFS volume special file with the stackfs=sefs option. See evfsadm(1M).
6. Mount the encrypted file system using the mount command with the -o stackfs=sefs
option. See mount(1M).
7. Verify the EVFS operation using the evfsadm stat -a and evfsvol display commands.
See evfsadm(1M).
To use EFS as an EFS user, follow these additional steps:
1. Enter a secure session with the evfsauth login command. If the user’s credential does not
exist, the user will be prompted to create it. This credential is inherited by all the children of
the process. The command evfsauth display can be used to display the user’s credential.
Exiting the process (if in a shell, usually with the exit command) will terminate the secure
session. See evfsauth(1).
2. The command evfsfile is used to enable and disable files and directories for encryption.
The command can also be used to display file and directory encryption status. See evfsfile(1).
3. A set of wrapper commands is provided with EVFS. These wrapper commands facilitate
encryption access information and prevent unintended decryption of files. See
evfs_wrapper(1).
Configuring volumes in EFS mode
The following steps show how a root user can configure volumes in EFS mode:
1. Start the EVFS subsystem:
   # evfsadm start
2. Map the LVM volume /dev/vg01/lvol6 to EVFS with option -f. Note that unlike the EVS
   mode, existing data on /dev/vg01/lvol6 will not be touched:
   # evfsadm map -f /dev/vg01/lvol6
3. If needed, create a new file system on the EVFS volume character (raw) device file:
   # newfs -F vxfs /dev/evfs/vg01/rlvol6
4. Run fsck (if necessary):
   # fsck -F vxfs /dev/evfs/vg01/rlvol6
5. Modify /etc/fstab to include the EVFS volume:
   /dev/evfs/vg01/lvol6 /opt/my_data vxfs stackfs=sefs,delaylog 0 2
   Unlike volume-level encryption, if you want the system to automatically mount this file system
   at system startup time, you do not need to modify the /etc/evfs/evfstab file.
6. Mount the encrypted file system:
   # mount -F vxfs -o stackfs=sefs /dev/evfs/vg01/lvol6 /opt/my_data
7. Enter a secure session:
   # evfsauth login
8. Enable encryption for a directory:
   # cd /opt/my_data; evfsfile set .
9. Create an encrypted file:
   # echo "this is an encrypted file" > my_file
   The content of my_file is now encrypted.
10. Check if the file my_file is encrypted:
   # evfsfile list my_file
EVFS tasks and commands
The following tables provide the command syntax for common EVFS administrative tasks.
Table 6 Starting and stopping EVFS

Task: Start the EVFS subsystem.
Command: evfsadm start [-n number_threads]

Task: Stop the EVFS subsystem.
Command: evfsadm stop

Table 7 Managing EVS volumes

Task: Map an LVM, VxVM, or physical volume to EVFS and create EVFS device files.
Command: evfsadm map volume_path

Task: Unmap an EVS volume.
Command: evfsadm unmap evfs_volume_path

Task: Create an EVS volume (generates a volume encryption key and creates the EMD).
Command: evfsvol create [-k keyname] [-f] evfs_volume_path

Task: Destroy an EVS volume (you must be the volume owner, and the data will be irrecoverable).
Command: evfsvol destroy [-f] evfs_volume_path

Task: Enable an EVS volume without a stored passphrase.
Command: evfsvol enable [-k keyname] evfs_volume_path

Task: Enable an EVS volume with a stored passphrase and key ID in /etc/evfs/evfstab.
Command: evfsvol enable -p evfs_volume_path

Task: Enable all EVS volumes with key IDs in /etc/evfs/evfstab.
Command: evfsvol enable -a

Task: Disable an EVFS volume without a stored passphrase.
Command: evfsvol disable [-k keyname] evfs_volume_path

Task: Disable an EVS volume with a stored passphrase and key ID in /etc/evfs/evfstab.
Command: evfsvol disable -p evfs_volume_path

Task: Disable all EVS volumes with key IDs in /etc/evfs/evfstab.
Command: evfsvol disable -a

Task: Inline encrypt data on an existing volume.
Command: evfsvol iencrypt [-f] [-k keyname] [-c cipher] evfs_volume_path

Task: Open raw access for an EVS volume.
CAUTION: HP recommends that you use this operation only when creating encrypted backup media or
restoring encrypted backup media, as described in “Backing up EVS volumes” (page 78).
Command: evfsvol raw [-k keyname] evfs_volume_path

Task: Close raw access for an EVS volume.
Command: evfsvol close [-k keyname] evfs_volume_path

Table 8 Managing EVFS keys and users/groups

Task: Change the owner of an EVFS volume.
Command: evfsvol assign -u newowner [-r recovery_key.priv] [-k keyname] evfs_volume_path

Task: Recover from problems with owner keys.
Command: evfsvol assign -u newowner [-r recovkeyfile] [-k keyname] evfs_volume_path

Task: Remove keys from an EVFS volume.
Command: evfsvol delete [-u user] [-k keyname] evfs_volume_path

Task: Create a user or recovery agent key pair.
Command: evfspkey keygen [-r | [-p [-u user] | -s [-u user]] [-c cipher] [-k keyname] [-m keywrap]

Task: Changes the passphrase for a key.
Command: evfspkey passgen [-r recovkey_file |
   -f [-u user] [-k keyname] |
   -p [-u user] [-k keyname] [-m keywrap] |
   -s [-u user] [-k keyname] [-m keywrap]

Task: Deletes a user or recovery agent key pair.
Command: evfspkey delete [-u user | -r] [-p] [-k keyname]

Table 9 Troubleshooting EVFS

Task: Show all I/O and cryptography statistics for each EVFS volume.
Command: evfsadm stat -a

Task: Show the total number of data blocks read, written, decrypted, and encrypted by EVFS.
Command: evfsadm stat -s

Task: Reset EVFS statistic values to zero.
Command: evfsadm stat -z

Task: Display key IDs, underlying volume, and operating parameters for EVFS volumes.
Command: evfsvol display -a|evfs_volume_path

Task: Verify the integrity of the EMD area of a volume.
Command: evfsvol check -a|evfs_volume_path

Task: Verify and display information about user key pairs.
Command: evfspkey lookup [-u user|-r] [-k keyname]

D Using EVFS with HP Serviceguard
This chapter describes how to use EVFS with the HP Serviceguard product.
This chapter addresses the following topics:
• “EVFS and HP Serviceguard overview” (page 168)
• “Configuration overview” (page 169)
• “Step 1: Installing EVFS” (page 169)
• “Step 2: Creating the HP Serviceguard storage infrastructure” (page 169)
• “Step 3 (EVS only): Configuring EVS on the configuration node” (page 171)
• “Step 3 (EFS only): Configuring EFS on the configuration node” (page 172)
• “Step 4 (EVS only): Configuring EVS Volumes on the adoptive nodes” (page 173)
• “Step 4 (EFS only): Configuring EFS volumes on the adoptive nodes” (page 175)
• “Step 5: Configuring HP Serviceguard using modular packages” (page 176)
• “Step 6: Configuring HP Serviceguard using legacy packages” (page 180)
EVFS and HP Serviceguard overview
A Serviceguard cluster is a networked group of HP 9000 or Integrity servers (host systems known
as nodes) with redundant hardware and software so that a single point of failure does not
significantly disrupt service. Application packages (individual HP-UX processes) can be grouped
together in failover packages. A failover package runs on a single node at a time. The node on
which the package initially runs is the primary node. If a single service, node, network or other
resource fails, Serviceguard can automatically transfer, or fail over, control of the package to
another node within the cluster, referred to as the adoptive node.
Serviceguard supports special storage infrastructures for clusters, including cluster aware LVM and
VxVM volume groups. A cluster aware LVM volume group can be activated by nodes in exclusive
mode only. A cluster aware volume group is typically configured on a disk that is physically
connected to multiple nodes. This enables the volume group to be physically accessible from multiple
nodes but activated for exclusive write access by only one node at a time. When used with failover
packages, the volume group is activated for exclusive write access on the node on which the
package is running.
Serviceguard A.11.18 and later has a simpler package configuration method which allows smaller
modules to be built into packages. This eliminates the use of a separate package control script
and the need to manually distribute it. These packages are referred to as modular packages.
Packages produced by older versions of Serviceguard (versions A.11.16 or A.11.17) are referred
to as legacy packages.
You can use EVFS volumes with Serviceguard failover packages as follows:
• Serviceguard failover package services or applications can use EVFS volumes or file systems
  mounted on EVFS volumes. You can modify a Serviceguard package control script (for a
  legacy package), or a Serviceguard package configuration file (for a modular package) to
  enable EVFS volumes and mount file systems on EVFS volumes when a package starts.
• A cluster lock disk can co-exist on an LVM or VxVM volume group with volumes used by EVFS.
Requirements
To use EVFS with Serviceguard, the system must meet the following conditions:
• HP Serviceguard version A.11.16, A.11.17, A.11.18 or A.11.19 is installed.
• The EVFS volumes used by the package must be built on cluster aware LVM volume groups
  or VxVM disk groups.
Restrictions
HP does not support EVFS with Serviceguard in the following configurations:
• EVFS volumes are not supported with Serviceguard multi-node or system multi-node packages.
  The only package type supported with EVFS volumes is FAILOVER.
• EVFS is not supported with the Veritas Cluster File System (CFS).
• EVFS is not supported with SG/SGeRAC shared activation.
The following features on Serviceguard version A.11.19 are not supported by EVFS:
  ◦ Online package configuration
  ◦ Partial-startup maintenance mode
Configuration overview
EVFS includes the following files for operation with Serviceguard:
• /etc/evfs/opt/cmcluster/evfs_sg.sh
  EVFS control script
The following script is required for legacy packages only:
• /etc/evfs/opt/cmcluster/evfssgconv
  Utility for converting existing package control scripts to make them execute the EVFS control
  script
The following two scripts are required for modular packages only:
• /etc/evfs/opt/cmcluster/evfs.1
  EVFS Attribute Definition File (ADF)
• /etc/evfs/opt/cmcluster/evfs.sh
  EVFS module script
Use the following procedure to configure EVFS volumes in a Serviceguard failover package:
1. Install EVFS on all nodes in the cluster that will use the EVFS volumes. For more detail on this
step, see “Step 1: Installing EVFS” (page 169).
2. Create new LVM or VxVM volumes for the EVFS volumes. For more detail on this step, see
“Step 2: Creating the HP Serviceguard storage infrastructure” (page 169).
3. Configure EVFS on the configuration node. For more detail on this step, see “Step 3 (EVS
only): Configuring EVS on the configuration node” (page 171) or “Step 3 (EFS only):
Configuring EFS on the configuration node” (page 172).
4. Configure EVFS on the adoptive nodes. For more detail on this step, see “Step 4 (EVS only):
Configuring EVS Volumes on the adoptive nodes” (page 173) or “Step 4 (EFS only): Configuring
EFS volumes on the adoptive nodes” (page 175).
5. Configure Serviceguard to use EVFS. For more detail on this step using modular packages,
see “Step 5: Configuring HP Serviceguard using modular packages” (page 176). For more
detail on this step using legacy packages, see “Step 6: Configuring HP Serviceguard using
legacy packages” (page 180).
Step 1: Installing EVFS
Install EVFS on all Serviceguard nodes that will use EVFS volumes. For more information, see
“Installing EVFS” (page 25).
Step 2: Creating the HP Serviceguard storage infrastructure
Before configuring EVFS, you must create a Serviceguard storage infrastructure for the cluster with
cluster-aware LVM volume groups or VxVM disk groups. This infrastructure must be accessible to
all nodes in the cluster. Select one node to be the configuration node. You will perform most of
the configuration tasks on this node, then copy configuration data to the other nodes in the cluster.
The primary node is typically the configuration node.
This section summarizes the procedures for creating a Serviceguard storage infrastructure. For
more information, see the Serviceguard product documentation.
Creating an LVM HP Serviceguard storage infrastructure
This section summarizes the configuration procedures for an LVM Serviceguard storage infrastructure
on the configuration node and the adoptive nodes.
Configuration node
On the configuration node:
a. Create the physical volume and volume group if necessary. Create the LVM volumes.
b. Deactivate the LVM volume group using the appropriate vgchange -a n command.
c. Use the vgexport command to create a map file.
d. Copy the LVM map file to the other nodes in the cluster.
CAUTION: You can create an EVFS volume on an existing LVM volume, but any existing data
on the volume will be unusable. If you have existing data that you want to protect with EVFS, use
inline encryption. For more information, see “Step 4: (Optional) Migrating existing data to an EVS
volume” (page 54).
Adoptive nodes
On the adoptive nodes, import the volume group and volumes as follows:
a. Use the appropriate mkdir and mknod commands to create the volume group directory and
control file.
b. Use the vgimport command to import the volume group data from the LVM map file created
on the configuration node.
c. To test the import operation, you can configure and mount temporary file systems on the LVM
volumes. When the configuration is complete, you will configure and mount file systems on
EVFS volumes, not on the LVM volumes.
Creating a VxVM HP Serviceguard storage structure
This section summarizes the configuration procedures for a VxVM Serviceguard storage infrastructure
on the configuration node and the adoptive nodes.
Configuration node
On the configuration node:
a. Create the VxVM volume. If necessary, initialize the VxVM disk using the appropriate VxVM
commands and create a disk group. For example, you can use the following sequence of
commands to create a VxVM volume:
i. Start the VxVM volume configuration daemon: vxdctl enable
ii. Initialize the disk: vxdisk [-f] init disk_volume
iii. Create the disk group: vxdg init dg_name disk_volume
iv. Create the VxVM volume: vxassist -g dg_name make vxvm_volume size
b. Use the vxdg deport dg_name command to deport the disk group and make it available
for use on the other systems.
Adoptive nodes
On the adoptive nodes, import and start the disk group and volumes as follows:
a. Use the vxdg import dg_name command to import the disk group.
b. Use the vxvol -g dg_name startall command to initialize the disk group.
c. To test the import operation, you can configure and mount temporary file systems on the VxVM
volumes. When the configuration is complete, you will configure and mount file systems on
EVFS volumes, not on the VxVM volumes.
Step 3 (EVS only): Configuring EVS on the configuration node
On the configuration node, configure and verify EVFS using the procedures described in Chapter 4
(page 28). After you have verified EVFS operation, you must complete the following additional
tasks to use the EVFS volumes with a Serviceguard package:
a. Create a cluster key pair, an EVFS key pair that will be distributed and used on all nodes in
the cluster.
b. Add the cluster key pair to the EMD of the EVFS volumes used by the Serviceguard package.
c. Modify the entries in the /etc/evfs/evfstab file so that the package control script or
package configuration file in modular packages can enable the EVFS volumes when the
package starts.
d. Prepare the EVFS volumes for configuration on the adoptive nodes.
Step 3a: Creating a cluster key pair
A cluster key pair is an EVFS key pair that is distributed and used on all nodes in the cluster. EVFS
uses this key pair to enable the EVFS volumes from the package control script or the package
configuration file, so this key pair must exist and be the same on all nodes in the cluster. The key
pair must meet the following criteria:
• The user account name and user ID for the key owner must exist and be the same on all nodes
  in the cluster.
• The user account for the key owner must have superuser privileges or the appropriate privileges
  on all nodes in the cluster.
• The key ID must be unique when compared to other key IDs on all cluster nodes. Do not create
  a key with a key name that already exists for the key owner on a remote node.
• Each node in the cluster must have a stored passphrase for the private key. EVFS uses the
  stored passphrase to automatically enable the volume when the package fails over.
• You must use the same passphrase on all nodes, but you must create a new stored passphrase
  file on each node. Stored passphrase files are encrypted with system-specific data and are
  unusable on remote systems.
You must know the passphrase for the private key.
IMPORTANT: Do not use the -s option when generating the key pair with the evfspkey
keygen command. When you use the -s option, EVFS generates and stores the passphrase
for you, and you cannot retrieve the passphrase.
Use the following evfspkey keygen syntax to create the cluster key pair:
evfspkey keygen -p [-c cipher] [-u user] [-k keyname]
Step 3b: Adding the cluster keys to the EMD
Add the cluster key pair to the EMD of the EVFS volumes used by the package. Use the following
evfsvol add command:
evfsvol add -u user [-k keyname] evfs_volume_path
The user and keyname are the user name and key name for the cluster key pair.
Step 3c: Modifying /etc/evfs/evfstab entries
You must modify entries in the /etc/evfs/evfstab file for EVFS volumes used by the
Serviceguard package so EVFS can enable the volumes when the package starts. The entries in
/etc/evfs/evfstab must include the key ID and the noauto flag. EVFS uses the key ID to
enable the volumes without manual intervention when the package fails over. The noauto flag
stops EVFS from enabling the volumes at system startup.
Use the following syntax for the entries in the /etc/evfs/evfstab file:
v volume_path evfs_volume_path user_name.key_name noauto
where:
v
   Indicates that the entry is for an EVFS volume.
volume_path
   Specifies the path for the underlying LVM, VxVM, or physical device
   file, such as /dev/vg01/lvol5, /dev/vx/dsk/rootdg/vol05,
   or /dev/dsk/c2t0d1.
evfs_volume_path
   Specifies the absolute pathname for the EVFS volume device file,
   such as /dev/evfs/vg01/lvol5,
   /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
user_name.key_name
   Specifies the user name and key name pair to use when enabling
   the volume.
   You must also have a stored passphrase for the private key. For more
   information, see “Creating keys for EVS volume owners” (page 42).
noauto
   Causes EVFS to not automatically enable this volume at system
   startup. EVFS will enable this volume when the command evfsvol
   enable -p is executed within the EVFS HA package control script.
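The entry format above can be checked mechanically on each node before a failover test. The following sh/awk lint is an added example, not part of the EVFS product or of this guide; it also covers the autostart keywords (boot_local, boot_local2, boot_remote) described for non-cluster volumes. It assumes `#` comment lines, comma-separated options, and that the EVFS device path is the underlying path with /dev/evfs in place of /dev, as in the examples above; the sample entries, user name and key name are constructed.

```shell
#!/bin/sh
# Added example: lint evfstab "v" entries against the syntax
#   v volume_path evfs_volume_path user_name.key_name options
#
# check_evfstab FILE MODE
#   MODE=sg         Serviceguard package volumes: options must include noauto
#   MODE=autostart  autostart volumes: options must include boot_local,
#                   boot_local2 or boot_remote
# Prints one "line N: problem" message per finding.
# Exit status: 0 when the file is clean, 1 when there are findings.
check_evfstab() {
    awk -v mode="$2" '
    function bad(msg) { printf "line %d: %s\n", NR, msg; n++ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines (assumed syntax)
    $1 != "v" { next }                  # only volume entries are checked
    {
        if (NF < 5) {
            bad("expected: v volume_path evfs_volume_path user_name.key_name options")
            next
        }
        if ($2 !~ /^\/dev\//) {
            bad("volume_path is not an absolute /dev path: " $2)
            next
        }
        # Assumption taken from the examples in the guide: /dev/X maps to /dev/evfs/X.
        want = "/dev/evfs/" substr($2, 6)
        if ($3 != want) bad("evfs_volume_path " $3 " does not match " want)
        if ($4 !~ /^[^.]+\..+$/) bad("key ID is not user_name.key_name: " $4)
        noauto = 0; boot = 0
        for (f = 5; f <= NF; f++) {
            m = split($f, opt, ",")
            for (i = 1; i <= m; i++) {
                if (opt[i] == "noauto") noauto = 1
                if (opt[i] ~ /^boot_(local|local2|remote)$/) boot = 1
            }
        }
        if (mode == "sg" && !noauto)
            bad("no noauto flag: EVFS would enable this volume at system startup")
        if (mode == "autostart" && !boot)
            bad("no boot_local, boot_local2 or boot_remote keyword")
    }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample file: the first entry is correct for a Serviceguard
# package, the other three each carry one mistake.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample evfstab
v /dev/vg02/lvol1 /dev/evfs/vg02/lvol1 root.clusterkey noauto
v /dev/vg02/lvol2 /dev/evfs/vg02/lvol2 root.clusterkey boot_local
v /dev/vx/dsk/evfsdg/vol01 /dev/evfs/vx/dsk/evfsdg/vol1 root.clusterkey noauto
v /dev/vg02/lvol3 /dev/evfs/vg02/lvol3 clusterkey noauto
EOF
}

demo() {
    tmp=${TMPDIR:-/tmp}/evfstab.sample.$$
    write_sample "$tmp"
    check_evfstab "$tmp" sg && rc=0 || rc=$?
    rm -f "$tmp"
    echo "exit status: $rc"
}
demo
```

Run check_evfstab against a copy of /etc/evfs/evfstab with mode sg for volumes owned by a Serviceguard package, and with mode autostart for volumes that should come up at system startup.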
Step 3d: Preparing EVFS volumes for adoptive nodes
Use the following procedure to prepare the EVFS volumes so you can configure them on the adoptive
nodes:
i. Use the following command to disable encryption and decryption access to the target volume:
   evfsvol disable [-k keyname] evfs_volume_path
   For more information, see “Disabling encryption and decryption access to EVS volumes”
   (page 64).
ii. If you are using EVFS volumes created on LVM volumes, use the following vgchange command
   to deactivate the LVM volume group on the configuration node:
   # vgchange -a n lvolgroup_device_file
   For example:
   # vgchange -a n /dev/vg02
   If you are using EVFS volumes created on VxVM volumes, use the following vxdg command
   to deport the VxVM disk group on the configuration node:
   # vxdg deport vxvm_group
   For example:
   # vxdg deport evfsdg
Step 3 (EFS only): Configuring EFS on the configuration node
On the configuration node, configure and verify EVFS using the procedures described in Chapter 4
(page 28). After you have verified EVFS operation, you must prepare EFS volumes for adoptive
nodes. Use the following procedure to prepare the EVFS volumes so you can configure them on
the adoptive nodes:
• If you are using EVFS volumes created on LVM volumes, use the following vgchange command
  to deactivate the LVM volume group on the configuration node:
  # vgchange -a n lvolgroup_device_file
  For example:
  # vgchange -a n /dev/vg02
• If you are using EVFS volumes created on VxVM volumes, use the following vxdg command
  to deport the VxVM disk group on the configuration node:
  # vxdg deport vxvm_group
  For example:
  # vxdg deport evfsdg
Step 4 (EVS only): Configuring EVS Volumes on the adoptive nodes
On each adoptive node, configure the EVFS volumes using the following procedure:
a. Configure the EVFS Volume EMD backup from emd_backup directory in the EVFS configuration
file /etc/evfs/evfs.conf.
b. Restore the cluster key pair files on the adoptive node.
c. Create a local passphrase file for the cluster private key.
d. Import and activate the LVM volume group or VxVM disk group on the adoptive node.
e. Map the LVM or VxVM volumes to EVFS on the adoptive node.
f. Modify entries in the /etc/evfs/evfstab file so Serviceguard can enable the EVFS volumes.
g. Verify that you can enable the EVFS volume using the cluster key pair.
h. Export or deport the LVM volume group or VxVM disk group so the group can be tested on
another adoptive node, or used on the configuration node.
i. Configure the autostart feature to ensure that the EVFS subsystem will be up when the
failover script runs.
Step 4a: Copying the EVFS configuration files and keys
Copy the following files and data from the configuration node:
• The EVFS global configuration file, /etc/evfs/evfs.conf.
• Cluster key pair files. Determine the directories used for the key database by checking the
  priv_key and pass_key attribute statements in the /etc/evfs/evfs.conf file. By
  default, EVFS stores user keys in the /etc/evfs/pkey directory, with a subdirectory for
  each user. The file names use the following naming convention:
  /etc/evfs/pkey/users/user/keyname.priv
  /etc/evfs/pkey/users/user/keyname.pub
Step 4b: Restoring the cluster key pair files
Restore the cluster key pair files using the procedure described in “Restoring user keys”
(page 67).
Step 4c: Creating a local passphrase file
Use the following evfspkey passgen command to create a stored passphrase file for the cluster
private key on the local system:
evfspkey passgen -f -u user -k keyname
The evfspkey utility will prompt you for the current passphrase.
Step 4d: Activating the LVM volume group or VxVM group on the adoptive node
Use the following procedures to activate the LVM Volume Group or VxVM Group on the adoptive
node.
LVM
If you are using EVFS volumes created on LVM volumes, use the following vgchange command
to activate the LVM volume group that contains the LVM volumes used for EVFS:
vgchange -a y lvolgroup_device_file
VxVM
If you are using EVFS volumes created on VxVM volumes, use the following VxVM commands to
import the disk group and start the volumes on the adoptive node:
vxdg import group_name
vxvol -g group_name startall
Step 4e: Mapping the LVM or VxVM volumes to EVFS
Start the EVFS subsystem using the evfsadm start command if you have not already done so.
Use the evfsadm map command to map the LVM or VxVM volumes to EVFS. (EVFS must add the
volumes to the kernel registry on the adoptive node.) The evfsadm map syntax is as follows:
evfsadm map volume_path
where:
volume_path
Specifies the absolute path of the block device file for the underlying LVM or
VxVM volume, such as /dev/vx/dsk/rootdg/vol01 or /dev/vg01/lvol5.
Step 4f: Modifying the /etc/evfs/evfstab file
You must modify entries in the /etc/evfs/evfstab file for EVFS volumes used by the
Serviceguard package so EVFS can enable the volumes when the package starts. Edit the entries
in /etc/evfs/evfstab to include the key ID and the noauto flag, as described in “Step 3c:
Modifying /etc/evfs/evfstab entries” (page 171).
Step 4g: Verifying EVFS
Use the evfsvol enable [-k keyname] evfs_volume_path command to verify you can
enable the EVFS volumes using the cluster key pair.
Step 4h: Deactivating the volumes
After you have verified that you can enable the EVFS volumes on the adoptive node, use the
following procedure to deactivate them so they can be tested on other adoptive nodes, or activated
on the configuration node:
i. For data consistency, stop all applications accessing the data. You can use the fuser -cu
   command to determine the processes accessing files, and the fuser -cku command to
   terminate the processes. For more information, see fuser(1M).
   If the data is used by system processes, you might need to terminate the processes by changing
   the system runlevel to single-user level by running the shutdown utility. For more information,
   see shutdown(1M).
ii. (Optional) Create a cleartext backup copy of the data, or copy the cleartext data from the
   EVFS volume to another disk device using a utility such as fbackup, cp or tar.
iii. If you have a file system mounted on the EVFS volume, use the umount command to unmount
   the file system. For more information, see umount(1M).
iv. Use the following command to disable encryption and decryption access to the target volume:
   evfsvol disable [-k keyname] evfs_volume_path
   For more information, see “Disabling encryption and decryption access to EVS volumes”
   (page 64).
v. If you are using EVFS volumes created on LVM volumes, use the following vgchange command
   to deactivate the LVM volume group on the configuration node:
   vgchange -a n lvolgroup_device_file
   For example:
   vgchange -a n /dev/vg02
   If you are using EVFS volumes created on VxVM volumes, use the following vxdg command
   to deport the VxVM disk group on the configuration node:
   vxdg deport vxvm_group
   For example:
   vxdg deport evfsdg
Step 4i: Configuring the autostart feature
Configure the autostart feature to ensure that the EVFS subsystem is started when the adoptive node
starts. Enable EVFS in the /etc/rc.config.d/evfs file. Change the value for EVFS_ENABLED
to 1 as follows:
EVFS_ENABLED=1
Step 4 (EFS only): Configuring EFS volumes on the adoptive nodes
On each adoptive node, configure the EVFS volumes using the following procedure:
a. Copy the appropriate EVFS configuration files and keys from the configuration node.
b. Import and activate the LVM volume group or VxVM disk group on the adoptive node.
c. Map the LVM or VxVM volumes to EVFS on the adoptive node.
d. Export or deport the LVM volume group or VxVM disk group so the group can be tested on
another adoptive node, or used on the configuration node.
e. Configure the autostart feature to ensure that the EVFS subsystem will be up when the
failover script runs.
Step 4a: Copying the EVFS configuration files and keys
Copy the following files and data from the configuration node:
• The EVFS global configuration file, /etc/evfs/evfs.conf.
• The key pairs for the users of the encrypted files created in EFS volumes.
Determine the directories used for the key database by checking the priv_key and pass_key
attribute statements in the /etc/evfs/evfs.conf file. By default, EVFS stores user keys in the
/etc/evfs/pkey directory, with a subdirectory for each user.
The filenames use the following naming convention:
/etc/evfs/pkey/users/user/keyname.priv
/etc/evfs/pkey/users/user/keyname.pub
Step 4b: Activating the LVM volume group or VxVM group on the adoptive node
Use the following procedures to activate the LVM Volume Group or VxVM Group on the adoptive
node.
LVM
If you are using EVFS volumes created on LVM volumes, use the following vgchange command
to activate the LVM volume group that contains the LVM volumes used for EVFS:
vgchange -a y lvolgroup_device_file
VxVM
If you are using EVFS volumes created on VxVM volumes, use the following VxVM commands to
import the disk group and start the volumes on the adoptive node. Use the -tfC option while
importing:
vxdg import -tfC group_name
vxvol -g group_name startall
Step 4c: Mapping the LVM or VxVM volumes to EVFS
Start the EVFS subsystem using the evfsadm start command if you have not already done so.
Use the evfsadm map command with the -f option to map the LVM or VxVM volumes to EVFS
in EFS mode (EVFS must add the volumes to the kernel registry on the adoptive node). The evfsadm
map syntax is as follows:
evfsadm map -f volume_path
where:
-f
Specifies the EFS mode. The EVS mode is used if this option is not specified.
volume_path
Specifies the absolute path of the block device file for the underlying LVM or
VxVM volume, such as /dev/vx/dsk/rootdg/vol01 or /dev/vg01/lvol5.
Step 4d: Deactivating the volumes
After you have verified that the EVFS volumes are configured properly on the adoptive
node, use the following procedure to deactivate them so they can be tested on other adoptive
nodes, or activated on the configuration node:
i. For data consistency, stop all applications accessing the data. You can use the fuser -cu
command to determine the processes accessing files, and the fuser -cku command to
terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by changing
the system runlevel to single-user level by running the shutdown utility. For more information,
see shutdown(1M).
ii. (Optional) Create a cleartext backup copy of the data, or copy the cleartext data from the
EVFS volume to another disk device using a utility such as fbackup, cp or tar.
iii. If you have a file system mounted on the EVFS volume, use the umount command to unmount
the file system. For more information, see umount(1M).
iv. If you are using EVFS volumes created on LVM volumes, use the following vgchange command
to deactivate the LVM volume group on the configuration node:
vgchange -a n lvolgroup_device_file
For example:
vgchange -a n /dev/vg02
If you are using EVFS volumes created on VxVM volumes, use the following vxdg command
to deport the VxVM disk group on the configuration node:
vxdg deport vxvm_group
For example:
vxdg deport evfsdg
Step 4e: Configuring the autostart feature
Configure the autostart feature to ensure that the EVFS subsystem is started when the adoptive
node starts. Enable EVFS in the /etc/rc.config.d/evfs file. Change the value for
EVFS_ENABLED to 1 as follows:
EVFS_ENABLED=1
Step 5: Configuring HP Serviceguard using modular packages
Use the following procedure to modify or create Serviceguard package configuration files.
a. Halt the package if you want to reconfigure an existing package to use EVFS volumes.
b. Install the EVFS attribute definition file in the modules directory.
c. Copy the EVFS control and module scripts.
d. Create a modular package configuration file if you do not already have one.
e. Migrate an existing legacy package configuration file if you have one.
f. Add the EVFS package to the modular configuration file.
g. Modify the package configuration file to enable EVFS volumes and mount file systems on the
EVFS volumes.
h. Verify and distribute the package configuration.
Step 5a: Halting an existing package
You cannot re-configure an active package to use EVFS volumes. To re-configure an existing, active
package to use EVFS volumes, you must halt the package using the cmhaltpkg command. For
more information, see the Serviceguard product documentation.
Step 5b: Installing the EVFS attribute definition file
1. Create a subdirectory evfs under the /etc/cmcluster/modules directory for the package
as follows:
# mkdir /etc/cmcluster/modules/evfs
2. Change the evfs subdirectory permissions to write protect it as follows:
# chmod 555 /etc/cmcluster/modules/evfs
3. Copy the EVFS Attribute definition file /etc/evfs/opt/cmcluster/evfs.1 to the evfs
subdirectory with appropriate permissions, as follows:
# cp /etc/evfs/opt/cmcluster/evfs.1 /etc/cmcluster/modules/evfs/evfs.1
# chmod 444 /etc/cmcluster/modules/evfs/evfs.1
# chown root:root /etc/cmcluster/modules/evfs/evfs.1
4. Create a link to the ADF file as follows:
# umask 022
# ln -s /etc/cmcluster/modules/evfs/evfs.1 /etc/cmcluster/modules/evfs/evfs
# chown -h root:root /etc/cmcluster/modules/evfs/evfs
Step 5c: Copying the EVFS control and module scripts
1. Create a subdirectory evfs under the /etc/cmcluster/scripts directory as follows:
# mkdir /etc/cmcluster/scripts/evfs
2. Change the evfs subdirectory permissions to write protect it as follows:
# chmod 555 /etc/cmcluster/scripts/evfs
3. Copy the EVFS control script /etc/evfs/opt/cmcluster/evfs_sg.sh to the evfs
subdirectory as follows:
# cp /etc/evfs/opt/cmcluster/evfs_sg.sh /etc/cmcluster/scripts/evfs/evfs_sg.sh
4. Copy the EVFS module script /etc/evfs/opt/cmcluster/evfs.sh to the evfs subdirectory
as follows:
# cp /etc/evfs/opt/cmcluster/evfs.sh /etc/cmcluster/scripts/evfs/evfs.sh
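The following check audits the result of Steps 5b and 5c on a node: directory and file modes, ownership, the ADF link, and whether each installed file still matches the copy shipped under /etc/evfs/opt/cmcluster. It is an added example, not HP code; the function names, the EVFS_ROOT, EXPECT_UID and EXPECT_GID variables, and the group/other-writable check on the scripts are assumptions that do not come from this guide.

```shell
#!/bin/sh
# Added example, not HP code: audit the files installed in Steps 5b and 5c.
# EVFS_ROOT, EXPECT_UID and EXPECT_GID are hypothetical knobs for checking a
# staged copy of the tree; the defaults check the live paths as root:root.
# Usage on a cluster node, as root: audit_evfs_sg_install

# Permission string of a path without following links, e.g. dr-xr-xr-x.
perm_of() { ls -ldn "$1" 2>/dev/null | cut -c1-10; }

# Numeric owner and group of a path as "uid:gid".
owner_of() { ls -ldn "$1" 2>/dev/null | awk '{ print $3 ":" $4 }'; }

# Literal target text of a symbolic link.
link_target() { ls -ldn "$1" 2>/dev/null | sed -n 's/^.* -> //p'; }

# Report one finding and count it.
finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

audit_evfs_sg_install() {
    root=${1:-${EVFS_ROOT:-}}
    want="${EXPECT_UID:-0}:${EXPECT_GID:-0}"
    mod="$root/etc/cmcluster/modules/evfs"
    scr="$root/etc/cmcluster/scripts/evfs"
    src="$root/etc/evfs/opt/cmcluster"
    findings=0

    # Steps 5b.2 and 5c.2: both directories are write protected (mode 555).
    for d in "$mod" "$scr"; do
        [ "$(perm_of "$d")" = "dr-xr-xr-x" ] || finding "$d: expected directory with mode 555"
    done

    # Step 5b.3: the ADF is mode 444 and owned by root:root.
    [ "$(perm_of "$mod/evfs.1")" = "-r--r--r--" ] || finding "$mod/evfs.1: expected mode 444"
    [ "$(owner_of "$mod/evfs.1")" = "$want" ] || finding "$mod/evfs.1: unexpected owner"

    # Step 5b.4: evfs is a root-owned link to the ADF.
    [ "$(link_target "$mod/evfs")" = "/etc/cmcluster/modules/evfs/evfs.1" ] ||
        finding "$mod/evfs: not a link to /etc/cmcluster/modules/evfs/evfs.1"
    [ "$(owner_of "$mod/evfs")" = "$want" ] || finding "$mod/evfs: unexpected link owner"

    # Every installed file must be byte-identical to the copy shipped with EVFS.
    for pair in "evfs.1:$mod/evfs.1" "evfs_sg.sh:$scr/evfs_sg.sh" "evfs.sh:$scr/evfs.sh"; do
        cmp -s "$src/${pair%%:*}" "${pair#*:}" ||
            finding "${pair#*:}: missing or differs from $src/${pair%%:*}"
    done

    # Assumption beyond the guide: scripts that Serviceguard runs should not
    # be writable by group or other.
    for f in "$scr/evfs_sg.sh" "$scr/evfs.sh"; do
        case "$(perm_of "$f")" in
            ?????w????|????????w?) finding "$f: writable by group or other" ;;
        esac
    done

    [ "$findings" -eq 0 ]
}
```

The function returns non-zero when any check fails and leaves the count in the findings variable, so it can gate a cmcheckconf run on each node.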
Step 5d: Creating a modular package configuration file
Skip this step if you have an existing package configuration file.
If you do not already have a package configuration file, create a subdirectory evfs under the
/etc/cmcluster directory for the evfs package, and create the package configuration file using
the following cmmakepkg command:
# cmmakepkg -m evfs/evfs /etc/cmcluster/evfs/package_file_name.conf
For example, where new_evfs_pkg.conf is the ASCII package configuration file created:
# cmmakepkg -m evfs/evfs /etc/cmcluster/evfs/new_evfs_pkg.conf
IMPORTANT: Additional changes must be made to the new package configuration file before it
can be used. For more information, see the Serviceguard product documentation.
Continue to “Step 5g: Adding the EVFS volumes to the package configuration file” (page 179).
Step 5e: Migrating a legacy package configuration file
Skip this step if you have an existing modular package configuration file.
If you already have a package configuration file configured for legacy packages, migrate it to a
modular package configuration file.
IMPORTANT: To use the cmmigratepkg tool, you must install the following patches:
PHSS_37601
For Serviceguard on 11i v2 Update 2
PHSS_37602
For Serviceguard on 11i v3
Use the cmmigratepkg command to migrate a legacy package configuration file to a modular
package configuration as follows:
# cmmigratepkg -p pkg_name -o outputfile.conf
where:
pkg_name
Specifies the package
outputfile.conf
Specifies the file that contains the modular package configuration for the
package.
For example, where evfs_pkg.conf is the new modular package configuration file created:
# cmmigratepkg -p evfs -o /etc/cmcluster/evfs/evfs_pkg.conf
For more information on the cmmigratepkg tool, see the Serviceguard product documentation.
Step 5f: Adding the EVFS package to the configuration file
Add the EVFS package to the modular package configuration file using the cmmakepkg command
as follows:
# cmmakepkg -i outputfile.conf -m evfs/evfs /etc/cmcluster/pkg_name/new_outputfile.conf
where:
outputfile.conf
Specifies the existing modular package configuration file
new_outputfile.conf
Specifies the new package configuration file
For example, where my_mod_pkg.conf is the existing modular package configuration file, and
new_evfs_pkg.conf is the new modular package configuration file created:
# cmmakepkg -i /etc/cmcluster/evfs/my_mod_pkg.conf -m evfs/evfs /etc/cmcluster/evfs/new_evfs_pkg.conf
Step 5g: Adding the EVFS volumes to the package configuration file
Edit the package configuration file to configure the EVFS volumes that you want Serviceguard to
enable when the package starts, and the file systems to be mounted on the EVFS volumes.
• If the EVFS volumes are created on VxVM volumes, specify the VxVM disk groups in the
vxvm_dg parameter in the package configuration file.
• For packages that mount file systems on EVFS volumes mapped on LVM volumes, carry out
the following tasks:
◦ Specify the LVM volume groups to be activated in the vg parameters.
◦ Select the appropriate vgchange cmd.
◦ Use the fs options in the FILESYSTEMS portion of the package configuration file to specify
the options for mounting and unmounting the filesystems.
Do not use the vxvm_dg parameters for LVM volume groups.
For more information, see the Serviceguard product documentation.
• For EVFS volumes without a file system, use the EVFS attribute evfs_raw_vol.
If you started with an existing package configuration file, remove the appropriate LVM or VxVM
volumes from the fs_name and other fs_* entries, and replace them with EVFS volumes.
Serviceguard will enable the EVFS volumes when the package starts and disable the EVFS volumes
when the package fails over.
LVM and VxVM modular package example
This section offers LVM and VxVM modular package examples for EVS and EFS.
LVM for EVS
# fs_name /dev/evfs/vg01/lvol1
# fs_directory /evfs
# fs_mount_opt "-o rw"
# fs_umount_opt "-s"
# fs_fsck_opt "-s"
# fs_type "vxfs"
LVM for EFS
# fs_name /dev/evfs/vg01/lvol1
# fs_directory /evfs
# fs_mount_opt "-o stackfs=sefs"
# fs_umount_opt "-s"
# fs_fsck_opt "-s"
# fs_type "vxfs"
VxVM for EVS
# vxvm_dg evfs_dg
:
:
# fs_name /dev/evfs/vx/dsk/evfs_dg/lvxvm_vol1
# fs_directory /tst
# fs_mount_opt "-o rw"
# fs_umount_opt "-s"
# fs_fsck_opt "-s"
# fs_type "vxfs"
VxVM for EFS
# vxvm_dg evfs_dg
:
:
# fs_name /dev/evfs/vx/dsk/evfs_dg/lvxvm_vol1
# fs_directory /tst
# fs_mount_opt "-o stackfs=sefs"
# fs_umount_opt "-s"
# fs_fsck_opt "-s"
# fs_type "vxfs"
LVM for EVS without file system
For ServiceGuard A.11.18:
# evfs_raw_vol /dev/evfs/vg01/lvol1
For ServiceGuard A.11.19:
# evfs/evfs/evfs_raw_vol /dev/evfs/vg01/lvol1
VxVM for EVS without file system
For ServiceGuard A.11.18:
# vxvm_dg evfs_dg
:
# evfs_raw_vol /dev/evfs/vx/dsk/evfs_dg/lvxvm_vol1
For ServiceGuard A.11.19:
# vxvm_dg evfs_dg
:
# evfs/evfs/evfs_raw_vol /dev/evfs/vx/dsk/evfs_dg/lvxvm_vol1
NOTE: EVFS v2.1 does not support volumes without file systems in legacy packages.
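The rules in Step 5g can be checked mechanically before the package is verified: every fs_name and evfs_raw_vol entry must name a device under /dev/evfs/, its LVM volume group or VxVM disk group must be declared, and an LVM volume group must not appear under vxvm_dg. The lint below is an added example, not HP or Serviceguard code; the function names and the sample configuration are constructed for illustration, and it assumes active (uncommented) parameter lines in the "keyword value" form.

```shell
#!/bin/sh
# Added example, not HP or Serviceguard code: lint a modular package
# configuration file against the rules in Step 5g.

# Constructed sample input, not from a real cluster. Lines 9 and 12 are
# wrong on purpose: a raw LVM device and an undeclared VxVM disk group.
sample_pkg_conf() {
    cat <<'EOF'
# constructed sample package configuration
package_name    evfs_pkg
vg              vg01
vxvm_dg         evfs_dg
fs_name         /dev/evfs/vg01/lvol1
fs_directory    /evfs
fs_mount_opt    "-o rw"
fs_type         "vxfs"
fs_name         /dev/vg01/lvol2
fs_directory    /data
evfs/evfs/evfs_raw_vol  /dev/evfs/vx/dsk/evfs_dg/lvxvm_vol1
fs_name         /dev/evfs/vx/dsk/appdg/vol5
EOF
}

# Print one line per finding; return non-zero if there is any finding.
lint_evfs_pkg_conf() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }       # skip comments and bare keywords
        {
            key = $1; val = $2
            sub(/^.*\//, "", key)          # evfs/evfs/evfs_raw_vol -> evfs_raw_vol
            gsub(/"/, "", val)
        }
        key == "vg"      { sub(/^\/dev\//, "", val); vg[val] = 1 }
        key == "vxvm_dg" { dg[val] = 1 }
        key == "fs_name" || key == "evfs_raw_vol" { n++; dev[n] = val; at[n] = NR }
        END {
            for (i = 1; i <= n; i++) {
                d = dev[i]
                if (d !~ /^\/dev\/evfs\//) {
                    printf "line %d: %s is not an EVFS device\n", at[i], d
                    bad++
                    continue
                }
                split(d, p, "/")           # p[4] is the first name after /dev/evfs/
                if (p[4] == "vx" && p[5] == "dsk") {
                    if (!(p[6] in dg)) {
                        printf "line %d: disk group %s has no vxvm_dg entry\n", at[i], p[6]
                        bad++
                    }
                } else if (p[4] in dg) {
                    printf "line %d: LVM volume group %s is listed under vxvm_dg\n", at[i], p[4]
                    bad++
                } else if (!(p[4] in vg)) {
                    printf "line %d: volume group %s has no vg entry\n", at[i], p[4]
                    bad++
                }
            }
            exit (bad > 0)
        }
    ' "$1"
}
```

An entry that still points at the underlying LVM or VxVM device is the case to catch: the package would bypass the EVFS device instead of enabling the volume through it.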
Step 5h: Verifying the script
Verify the package configuration using the cmcheckconf command. Build and distribute the
cluster configuration as described in the Serviceguard product documentation.
Step 6: Configuring HP Serviceguard using legacy packages
Use the following procedure to modify or create package control scripts.
NOTE: EVFS volumes without a file system are only supported by modular packages.
a. Halt the package if you want to reconfigure an existing package to use EVFS volumes.
b. Create a package configuration file if you do not already have one.
c. Create a package control script if you do not already have one.
d. Convert a package control script to execute the EVFS control script.
e. Modify the package control script to enable EVFS volumes and mount file systems on the EVFS
volumes.
f. Install the EVFS control script in the package directory.
g. Verify and distribute the package configuration.
Step 6a: Halting an existing package
You cannot re-configure an active package to use EVFS volumes. To re-configure an existing, active
package to use EVFS volumes, you must halt the package using the cmhaltpkg command. For
more information, see the Serviceguard product documentation.
Step 6b: Creating the package configuration file
Skip this step if you already have an existing legacy package configuration file.
If you do not already have a package configuration file, create a subdirectory under the directory
/etc/cmcluster for the package, and create the package configuration file using the following
cmmakepkg command:
# cmmakepkg -p /etc/cmcluster/pkg_name/package_file_name.conf
For example:
# cmmakepkg -p /etc/cmcluster/evfs/my_pkg.conf
For more information, see the Serviceguard product documentation.
IMPORTANT: Additional changes must be made to the new package configuration file before it
can be used. For more information, see the Serviceguard product documentation.
Step 6c: Creating a package control script
Skip this step if you already have a package control script.
If you do not already have a package control script, use the cmmakepkg command with the following
syntax to create a new package control script:
cmmakepkg -s output_file_name
For example:
# cmmakepkg -s /etc/cmcluster/my_pkg/my_pkg.sh
where /etc/cmcluster/my_pkg/my_pkg.sh is the new package control script.
For more information, see the Serviceguard product documentation.
Step 6d: Converting a package control script
Converting a package control script
You must convert the package control script to execute the EVFS control script. Convert the package
control script using the evfssgconv utility. The syntax is:
/etc/evfs/opt/cmcluster/evfssgconv source_package > new_package
where:
source_package
Specifies the existing package control script file, such as
/etc/cmcluster/my_pkg/my_pkg.sh.
new_package
Specifies the name for the new package control script file, such as
/etc/cmcluster/my_pkg/my_pkg_evfs.sh.
Modifying the package configuration file
You must modify the RUN_SCRIPT and HALT_SCRIPT variables in the package configuration
file to use the converted package control script. For example:
RUN_SCRIPT /etc/cmcluster/my_pkg/my_pkg_evfs.sh
:
:
HALT_SCRIPT /etc/cmcluster/my_pkg/my_pkg_evfs.sh
Step 6e: Adding the EVFS volumes to the package control script
Edit the package control script to configure the EVFS volumes that you want Serviceguard to enable
when the package starts, and the file systems to be mounted on the EVFS volumes.
• If the EVFS volumes are created on VxVM volumes, specify the VxVM disk groups in the
VXVM_DG[] parameters in the package control script.
• Specify the EVFS volumes that you want Serviceguard to enable in the LV[] parameters.
• Specify the file systems you want Serviceguard to mount on the EVFS volumes in the FS[]
parameters.
• Specify the appropriate file system type in the FS_TYPE[] parameters.
If you started with an existing package control script, remove the appropriate LVM or VxVM volumes
from the LV[] and FS[] entries and replace them with EVFS volumes.
Serviceguard will enable the EVFS volumes when the package starts and disable the EVFS volumes
when the package fails over.
The following are LVM and VxVM legacy package examples for EVS and EFS:
LVM for EVS
LV[0]="/dev/evfs/vg02/lvol5"; FS[0]="/opt/crypto"; FS_MOUNT_OPT[0]="-o rw"
#FS_TYPE[0]="vxfs"
LVM for EFS
LV[0]="/dev/evfs/vg02/lvol5"; FS[0]="/opt/crypto"; FS_MOUNT_OPT[0]="-o stackfs=sefs"
#FS_TYPE[0]="vxfs"
VxVM for EVS
VXVM_DG[0]="evfsdg"
:
:
LV[0]="/dev/evfs/vx/dsk/evfsdg/vol5"; FS[0]="/opt/crypto"; FS_MOUNT_OPT[0]="-o rw"
#FS_TYPE[0]="vxfs"
VxVM for EFS
VXVM_DG[0]="evfsdg"
:
:
LV[0]="/dev/evfs/vx/dsk/evfsdg/vol5"; FS[0]="/opt/crypto"; FS_MOUNT_OPT[0]="-o stackfs=sefs"
#FS_TYPE[0]="vxfs"
Step 6f: Installing the EVFS control script
Create a copy of the EVFS control script /etc/evfs/opt/cmcluster/evfs_sg.sh, and place
the copy into the package sub-directory.
For example:
# cp /etc/evfs/opt/cmcluster/evfs_sg.sh /etc/cmcluster/my_pkg/evfs_sg.sh
Step 6g: Verifying the script
Verify the package configuration using the cmcheckconf command. Build and distribute the
cluster configuration as described in the Serviceguard product documentation.
Glossary
AES
Advanced Encryption Standard. AES uses a symmetric key block encryption. EVFS supports AES
with a 128-bit, 256-bit, or 292-bit key for encrypting volume data. AES is suitable for encrypting
large amounts of data.
authorized user
A user who is authorized to enable and disable an EVFS volume in EVS mode, and perform other
administrative operations on an EVS volume. If an authorized user has the appropriate file
permissions for the EVFS device file, he can perform nearly all the same EVFS operations as the
volume owner, including enabling and disabling encryption and decryption access to an EVFS
volume.
autostart
An EVFS feature that automatically enables EVFS volumes at system startup, without manual
intervention.
cleartext
Data that is not encrypted.
cluster key pair
An EVFS key pair used by multiple nodes in a Serviceguard cluster.
Data encryption key (or) Symmetric encryption key
Either the EVS volume encryption key or the encrypted file encryption key, used to encrypt and
decrypt the data.
EFS volume
EVFS volume configured in EFS mode.
EMD
Encryption metadata. The EMD contains EVFS operating parameters for an EVS volume or
encrypted file, including the encryption algorithm. The EMD also includes key records. Each key
record contains the volume or file encryption key, encrypted with a user's public key.
encryption
The process of converting data from a readable format to a nonreadable format for privacy.
Encryption functions usually take data and a cryptographic key (value or bit sequence) as input.
file encryption key
Symmetric key used by EVFS to encrypt file data.
file owner
Encrypted file owner (EFS).
group key
Keys associated with the HP-UX groups. Used only with encrypted files.
key record
An entry in the EMD of an EVS volume or encrypted file. The key record contains the volume
encryption key, encrypted with a user's public key. The user's private key is used to decrypt and
extract the volume or file encryption key for use. A key record is sometimes referred to as an
envelope.
owner
Volume owner or encrypted file owner.
passphrase
A text string that EVFS uses to encrypt a user's private key.
passphrase file
A file containing a passphrase, encrypted with system-specific information. The EVFS subsystem
can decrypt the passphrase file and extract a user's private key. EVFS can then use the user's
private key to extract the volume encryption key from a key record.
A passphrase file can be used to perform EVFS operations, such as enabling an EVFS volume,
without human intervention. A passphrase file is also a security risk.
private key
1. The key in a public/private key pair that is not distributed to other parties. Data encrypted
with the public key can be decrypted only with the private key.
2. Any encryption key that is distributed to restricted parties, including a symmetric key.
public key cryptography
A cryptographic method using two mathematically related keys (k1 and k2) such that data
encrypted with k1 can be decrypted only using k2. In addition, most algorithms provide assurance
that only the holder of k1 can correctly encrypt data that can be decrypted by k2.
One key must be private (known only to the owner), but the second key can be widely known
(public), which makes key distribution easy to manage. Public key encryption is computationally
expensive, so it is impractical for bulk data encryption. Instead, public key cryptography is usually
used to authenticate data or to encrypt ("wrap") symmetric keys.
Also referred to as asymmetric key cryptography (the two keys are not the same) or public-private
key cryptography.
recovery key
A key pair that a user can use to change the owner of an EVS volume or encrypted file. A user
who has the private recovery key file can change the owner of an EVS volume or encrypted file.
In addition, the current owner of the EVS volume or encrypted file can change the ownership.
RSA
(Rivest-Shamir-Adleman) A public/private key cryptosystem that is used for privacy (encryption)
and authentication (signatures). For encryption, system A can send data encrypted with system
B's public key. Only system B's private key can decrypt the data.
EVFS uses RSA cryptography to secure volume encryption keys. EVFS supports 1024-bit, 1536-bit,
and 2048-bit RSA keys.
symmetric key cryptography
A cryptographic method that uses the same key (bit string) to encrypt and decrypt the data.
user keys
The public/private key pairs that EVFS uses to securely store volume encryption keys or file
encryption keys. User keys can be used as owner keys, recovery keys, authorized user keys, or
group keys.
volume encryption key
Symmetric key used by EVFS to encrypt volume data.
volume owner
EVS volume owner.