Encrypted Volume and File System v1.
© Copyright 2008 Hewlett-Packard Development Company, L.P Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents About This Document.......................................................................................................15 Intended Audience................................................................................................................................15 Document Organization.......................................................................................................................15 Typographic Conventions.......................................................
Upgrading from EVFS v1.0 to EVFS v1.1.............................................................................................34 3 Preparing EVFS for Configuration..............................................................................35 Verifying for Preconfiguration..............................................................................................................35 Preparation Overview....................................................................................................
Example.................................................................................................................................57 Step 2d: Mount the File System on the EVFS Volume...............................................................57 Example.................................................................................................................................57 Step 2e: (Optional) Adding an Entry to /etc/fstab......................................................................
Exporting and Importing EVFS Volumes.............................................................................................91 Exporting an EVFS Volume.............................................................................................................91 Importing an EVFS Volume.............................................................................................................93 6 Managing Data on EVFS Volumes............................................................................
Example...............................................................................................................................122 Creating Encrypted Backup Media on a Second EVFS Volume Using a Block Device Utility (Nonmirrored Volumes)...........................................................................................................123 Example...............................................................................................................................
evfsadm map Fails, Invalid Device................................................................................................137 Symptom..................................................................................................................................137 Description...............................................................................................................................137 Solution........................................................................................
Step 5a: Halting an Existing Package.............................................................................................164 Step 5b: Installing the EVFS Attribute Definition File ..................................................................164 Step 5c: Copying the EVFS Control and Module Scripts .............................................................164 Step 5d: Creating a Modular Package Configuration File.............................................................
List of Figures 1-1 1-2 1-3 1-4 EVFS Data Flow.............................................................................................................................20 Encryption Metadata (EMD) and Volume Encryption Keys........................................................21 Enabling an EVFS Volume............................................................................................................23 Software Types..............................................................................
List of Tables 1-1 7-1 7-2 8-1 B-1 B-2 B-3 B-4 Key Types and User Capabilities..................................................................................................25 Backup Types with LVM or VxVM Mirrored Volumes...............................................................103 Backup Types with Nonmirrored Volumes.................................................................................104 EVFS Troubleshooting Tasks and Commands..........................................................
About This Document This document describes how to install, configure, and troubleshoot the Encrypted Volume and File System version 1.1 (EVFS v1.1) product. You can find the latest version of this on line at http://docs.hp.com/en/internet.html. Intended Audience This document is intended for system and network administrators responsible for installing, configuring, and managing EVFS. Administrators are expected to have knowledge of operating system concepts, commands, and configuration.
Ctrl+x ENVIRONMENT VARIABLE [ERROR NAME] Key Term User input Variable [] {} ... | WARNING CAUTION IMPORTANT NOTE A key sequence. A sequence such as Ctrl+x indicates that you must hold down the key labeled Ctrl while you press another key or mouse button. The name of an environment variable, for example, PATH. The name of an error, usually returned in the errno variable. The name of a keyboard key. Return and Enter both refer to the same key. The defined use of an important word or phrase.
1 EVFS Introduction This chapter provides introductory information about the Encrypted Volume and File System (EVFS) product. This chapter addresses the following topics: • “Features and Benefits” (page 17) • “EVFS Architecture” (page 19) • “Supported Software” (page 26) • “Product Limitations and Precautions” (page 27) • “Known Problems” (page 29) • “Feedback and Enhancement Requests” (page 30) Features and Benefits EVFS protects data by encrypting data volumes to protect data at rest – data on disks.
passphrase in a file, encrypted with system-specific data. At system startup, EVFS can automatically retrieve stored passphrases and use the passphrases to execute EVFS commands. CAUTION: • Stored passphrases provide convenience, but they are security risks. DLKM Support This version of EVFS is DLKM aware. The kernel module of EVFS can be loaded into the running kernel without needing to rebuild or reboot.
EVFS Architecture This section describes the following EVFS features: • • • • EVFS data flow Encryption metadata (EMD) EVFS encryption keys EVFS commands EVFS Architecture 19
EVFS Data Flow EVFS is implemented using a pseudo-driver that operates on the EVFS volumes. An EVFS volume is stacked between the underlying volume (a LVM, VxVM, or physical volume) and an upper layer. The upper layer can be a file system or an application that reads data from and writes data directly to the EVFS volume, such as a database application. When the upper layer file writes data, the EVFS pseudo-driver encrypts the data before writing it to the underlying volume.
Volume Encryption Keys EVFS uses symmetric keys to encrypt data, referred to as volume encryption keys. In symmetric key cryptography, the same key (bit string) is used to encrypt and decrypt the data. EVFS stores the volume encryption keys in the EMD area of a volume, as part of key records. Each key record contains the volume encryption key, encrypted with a user's public key. Because the volume encryption key is encrypted with a public key, this data is also referred to as a “digital envelope.
How EVFS Uses Keys EVFS uses symmetric volume encryption keys to encrypt the volume data. EVFS also uses public/private keys to encrypt the volume encryption keys, and it uses passphrases to encrypt private keys, as follows: • • • • The volume encryption key is stored in key records, or digital envelopes, in the EMD area of the EVFS volume. Each key record contains the volume encryption key, encrypted by a user's public key. User's public keys are stored in a local database, unencrypted.
Figure 1-3 Enabling an EVFS Volume 1 evfsvol enable my_evol Enter passphrase: my_passphrase 2 my_passphrase decrypts user 1’s private key 3 User 1’s private key decrypts the key record to extract the volume encryption key. 4 EVFS uses the volume encryption key to encrypt and decrypt the volume data as needed. Key Names and Key IDs Each public/private key pair has an owner and a key name. A user can have multiple public/private key pairs.
User Key Privileges EVFS defines the following types of user keys and restricts the execution of EVFS commands based on these keys and HP-UX user privileges: • • • EVFS volume owner keys Recovery keys Authorized user keys User Privileges and Permissions Some EVFS commands do not require user keys. Only users with the appropriate privileges can execute these commands. By default, the appropriate privilege required for these EVFS commands is superuser privilege.
Table 1-1 Key Types and User Capabilities Key Type/User Type Capabilities Superuser or appropriate privileges and file permissions Any user with superuser privileges or the appropriate for the device files privileges and file permissions can perform the following tasks (no EVFS key is required): • Start or stop the EVFS subsystem • Map volumes to EVFS (create EVFS device files) • Create EVFS volumes • Create user keys for other users • Display information about EVFS volumes • Restore an EVFS volume's EMD
Supported Software Software used with EVFS can be categorized into three types: • Type 1 Software: Applications without kernel components. EVFS supports Type 1 Software. Examples of Type 1 software include FTP, rcp, CIFS Server, and Oracle® Database 10g. (This list is not exhaustive and is included only to provide examples of Type 1 Software.) • Type 2 Software: Software with kernel modules that access the file system (Virtual File System, VFS, or HFS or VxFS). EVFS supports Type 2 Software.
Product Limitations and Precautions The EVFS product has the following limitations: • • • EVFS operates with LVM, VxVM and physical volumes only. Each EVFS volume is mapped to an underlying LVM, VxVM or physical volume. You enable EVFS encryption and decryption for an EVFS volume as a single unit.
• • • • • • • • 28 Ignite-UX will read these files in cleartext. If the output media is not an EVFS volume, such as a tape, Ignite-UX will store these files in cleartext. EVFS supports alternate links when used with LVM or VxVM. EVFS does not support alternate links when used with whole disk access. Executing the vxresize command with the -F option can cause lost or corrupted data. For more information and a workaround, see “vxresize –F Might Cause Data Loss or Corruption” (page 96).
Known Problems Possible Device File Collision (SR 8606459127) Executing the newfs or mkfs command for an EVFS volume can fail on systems with components that call alloc_fake_device(), such as systems that are NFS clients. This problem is caused by a defect in the alloc_fake_device() routine.
Feedback and Enhancement Requests HP is evaluating support for additional disk management and data storage products for subsequent releases of EVFS. Contact your HP representative if you have specific requirements or enhancement requests.
2 Installation This chapter describes how to install EVFS, including prerequisites, installation steps, and post-installation verification procedures.
Prerequisites The following are the minimum requirements to install and use EVFS. Hardware Requirements • • HP 9000 computers HP Integrity servers Disk Space Requirements The system must have at least 12 MB of disk space available. Operating System Requirements The operating system must be HP-UX 11i Version 2 Update 2 or HP-UX 11i Version 3. Patch Requirements and Recommendations Patch requirements and recommendations listed here are applicable to HP-UX 11i v2 Update 2 and HP-UX 11i v3 as indicated.
Installing EVFS Use the following procedure to install EVFS: 1. 2. 3. Review the “Prerequisites” (page 32). Log on to the target system as the root user. Download EVFS from the HP Software Depot at http://www.software.hp.com. Save the EVFS depot as a local file on the target system, for example: /tmp/.depot 4. Use the following command to verify the depot file on the target system: swlist -d @ /tmp/.
Upgrading from EVFS v1.0 to EVFS v1.1 Use the following procedure to upgrade from a previous version of EVFS: 1. 2. 3. Review the “Prerequisites” (page 32). Log on to the target system as the root user. Download EVFS from the HP Software Depot at http://www.software.hp.com. Save the EVFS depot as a local file on the target system, for example: /tmp/EVFS-depotname.depot 4. Stop the EVFS sub-system using the following command: evfsadm stop 5.
3 Preparing EVFS for Configuration This chapter describes how to prepare the HP-UX Encrypted Volume and File System (EVFS) product for configuration.
Preparation Overview Use the following procedure to prepare EVFS for configuration: 1. 2. 3. 4. 5. 36 Configure an alternate EVFS pseudo-user account. You can skip this step if you can use evfs as the user name and group name for the EVFS pseudo-user. See “Step 1: Configuring an Alternate EVFS Pseudo-User” (page 37). (Optional) Configure alternate directories for the key database. See “Step 2: (Optional) Configuring Alternate Key Database Directories” (page 39). (Optional) Modify EVFS global parameters.
Step 1: Configuring an Alternate EVFS Pseudo-User EVFS uses the pseudo-user evfs to own and control internal resources. When you install EVFS for the first time, the installation script attempts to add the user account evfs and the group evfs for the EVFS pseudo-user. If the evfs user account or evfs group already exists on the system when you initially install EVFS, you must configure a different user account and group for the EVFS pseudo-user.
# useradd -g my_evfs_group -c "EVFS pseudo-user" \ -d /tmp -s /usr/bin/false my_evfs_user 38 Preparing EVFS for Configuration
Step 2: (Optional) Configuring Alternate Key Database Directories EVFS stores user key data (public keys, private keys, and stored passphrases) in a key database. By default, EVFS stores this database in subdirectories and files under the /etc/evfs/pkey directory. You can modify the pub_key, priv_key, and pass_key attribute statements in the /etc/evfs/evfs.conf file to configure EVFS to store the key database in alternate directories.
/usr/lib/evfs/pa20_64/libevfs_pkey.sl (HP 9000 servers) [ key_directory Literal left square bracket. Specifies the fully qualified pathname of the base directory in which to store key data, such as /etc/evfs/pkey. See “Key Storage Directory Requirements” (page 40) for more information. If you want to use the autostart feature, the autostart option you specify in the /etc/evfs/evfstab file is determined by the location of the key_directory.
Example: Alternate Directory for Public Keys The following attribute statements configure EVFS to store public keys in the user-created directory /etc/evfs/mykeys and to store private keys and passphrase files in the directory /etc/evfs/pkey: pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/mykeys,onfail:stop] priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop] pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.
Step 3: (Optional) Modifying EVFS Global Parameters Edit the /etc/evfs/evfs.conf file to modify EVFS global parameters. This step is optional, and you can use the default attribute values for most installations. Three attributes you might want to modify are: • data_cipher The data_cipher attribute specifies the default data encryption algorithm (the algorithm EVFS uses to encrypt volume data).
Step 4: Starting the EVFS Subsystem You must start the EVFS subsystem to create EVFS keys and volumes. Starting the EVFS subsystem does not enable encryption of the EVFS volume. You must still create the EVFS volumes and enable EVFS for each volume. To start the EVFS subsystem, enter the following command: evfsadm start [-n number_threads] where: -n number_threads Specifies the number of threads to create for EVFS encryption and decryption processing.
Step 5: Creating User Key Pairs Each user key pair has a key name. The default key name is name of the user for whom the key pair is created. This section addresses the following topics: • “Guidelines for Creating User Keys” (page 44) • “Creating Keys for EVFS Volume Owners” (page 44) • “Creating Recovery Keys” (page 45) • “Creating Keys for authorized users” (page 46) Guidelines for Creating User Keys Use the following guidelines to determine the number and types of user keys to create.
rsa-2048 (RSA 2048-bit keys) Default: rsa-1536 -u user -k keyname Specifies the user name of the key owner. If you do not specify -u user, evfspkey uses your user name as the key owner. You must have superuser privileges or the appropriate privileges to create a key pair for another user. Specifies the key name. If you do not specify -k keyname, evfspkey uses the user name as the key name. Valid value: An ASCII string, 1 to 255 characters long.
In the following example, the user creates a second recovery key. The evfspkey utility saves the private key in the current directory with the file name evfs2.priv. Store this file off line. # evfspkey keygen -c rsa-2048 -r -k evfs2 Creating Keys for authorized users Creating keys for authorized users is optional.
Examples This section contains preparation examples. User Session The following example lists the commands entered by the root user to create an encrypted volume. These commands correspond to steps 4 through 5 in this chapter. The user skips “Step 1: Configuring an Alternate EVFS Pseudo-User”, “Step 2: (Optional) Configuring Alternate Key Database Directories”, and “Step 3: (Optional) Modifying EVFS Global Parameters”, and uses the default EVFS pseudo-user and global parameters.
4 Configuring an EVFS Volume This chapter describes how to configure an EVFS Volume after preparing EVFS for configuration.
Option 1: Creating a New EVFS Volume This section describes how to create a new EVFS Volume.
Step 1: Configuring an EVFS Volume Use the following procedure to configure an EVFS volume. a. b. c. d. e. Create an LVM or VxVM volume for the EVFS volume if you are not using whole disk access. Create EVFS volume device files by mapping the LVM, VxVM, or physical volume to EVFS. Create the EMD area on the EVFS volume. (Optional) Add recovery keys and authorized user keys. Enable the EVFS volume.
CAUTION: Encrypting the boot disk makes the boot disk unusable and prevents you from booting the system. • Swap space (swap devices or file swap space). CAUTION: • Encrypting swap space can cause the system to panic. Dump devices. The syntax of the evfsadm map command is as follows: evfsadm map volume_path where: volume_path Specifies the absolute path of the block device file for the underlying LVM, VxVM, or physical volume, such as /dev/vx/dsk/rootdg/vol01, /dev/vg01/lvol5, or /dev/dsk/c2d0t0.
evfsvol create -k keyname [-c cipher]evfs_volume_path where: -k keyname -c cipher Specifies the key pair name. The evfsadm utility creates the EMD area with the keyname as the owner key. For information about user keys, see “Step 5: Creating User Key Pairs” (page 44). Specifies the cipher (cryptography) algorithm EVFS uses to encrypt the volume data.
—r -k keyname evfs_volume_path Specifies that the key pair is a recovery key pair. Specifies the name of the key pair to add. If you do not specify -k keyname, evfsvol uses the EVFS pseudo-user (evfs) as the key owner and key name. You can configure up to two recovery keys per EVFS volume. For information about user keys, see “Step 5: Creating User Key Pairs” (page 44).
-p -k keyname evfs_volume_path Specifies non-interactive mode. EVFS uses the key ID from the /etc/evfs/evfstab file and uses a stored passphrase. To use this option, you must add a key ID to the entry in the /etc/evfs/evfstab file for this volume and have a stored passphrase for the private key. If you do not specify this option, evfsvol prompts you for the passphrase for the private key. Specifies the name of the key pair to use.
Step 2: Creating and Mounting a File System on an EVFS Volume Use the following procedure to create and mount a file system on an EVFS volume. This procedure is the same as the one used to create and mount a file system on an LVM, VxVM, or physical volume except that you specify the EVFS character (raw) and block volume device files instead of the LVM, VxVM, or physical device files. a. Use the newfs command to create a new file system on the character (raw) EVFS volume. b.
# fsck /dev/evfs/vg01/rlvol5 Step 2c: Creating the Mount Point Use the mkdir command to create the mount point. For example: mkdir mount_point where: mount_point Specifies the path for the mount point.
Example The administrator adds the following entry for the new file system in the /etc/fstab file: /dev/evfs/vg01/lvol5 /opt/encrypted_data vxfs defaults 0 2 58 Configuring an EVFS Volume
Step 3: Verifying the Configuration Use the following commands to verify your EVFS configuration: • • evfsadm stat -a evfsvol display evfs_volume_path evfsadm stat -a After you access data or mount a file system on an EVFS volume that is correctly configured, the output for the evfsadm stat -a command shows nonzero values for the number of blocks read (bpr), written (bpw), decrypted (bpd), and encrypted (bpe).
3. reading from the EVFS volume. The EVFS subsystem will provide decrypted data to the strings utility, and strings will find and display the text string you wrote. Verify that applications that bypass EVFS receive encrypted data. To do this, you must disable EVFS on the volume. Use the following procedure to disable EVFS on the volume: a. For data consistency, stop all applications accessing the EVFS volume.
# strings /dev/vg01/lvol5 | grep "TOP SECRET" (The strings command does not find the string "TOP SECRET") # evfsvol close /dev/evfs/vg01/lvol5 # evfsvol enable /dev/evfs/vg01/lvol5 Enter user passphrase: (enter the passphrase) # mount -F vxfs /dev/evfs/vg01/lvol5 /opt/encrypted_data Step 4: (Optional) Migrating Existing Data to an EVFS Volume Use the following procedure to migrate an existing directory of data to the EVFS volume: a. For data consistency, stop all applications accessing the data.
Step 5: (Optional) Configuring the Autostart Feature The EVFS autostart feature allows you to enable and mount EVFS volumes automatically at system startup without manual intervention. You must use the autostart feature for EVFS volumes that have file systems mounted at system startup (file systems with entries in the /etc/fstab file). CAUTION: Using the autostart feature requires you to store passphrases, and stored passphrases are security risks.
enable the volume are located on a nonroot disk of the local system. If you specify the boot_local2 option, the system will be unable to automatically mount a file system on the EVFS volume as part of the system startup procedure and you must manually mount the file system. boot_remote Enable the EVFS volume after NFS and other networking subsystems are started. Use this flag if the private key or stored passphrase used to enable the volume is located on a remote system, such as an NFS directory.
Step 6: Backing Up Your Configuration After you have completed your configuration, back up the files and subdirectories under the /etc/evfs directory. You must back up the user key database. You cannot re-create lost or corrupt user keys or passphrases. Determine the directories used for the key database by checking the pkey attribute statement in the /etc/evfs/evfs.conf file. By default, EVFS stores the user key database in subdirectories below the /etc/evfs/pkey directory.
Option 2: Converting a Volume with Existing Data to an EVFS Volume (Inline Encryption) This section describes how to convert existing data on a volume into an EVFS Volume.
Step 1: Preparing the File System and Data a. Verify the file systems or volumes you want to secure with EVFS are suitable for encryption. You cannot use EVFS with the following objects: • Files or disk areas used during system boot. This includes the following objects: — the root disk (/) — the boot disk — the HP-UX kernel directory (/stand) — the /usr directory" EVFS cannot decrypt the kernel or other data before the system boots.
Step 2: Performing Inline Encryption a. Start inline encryption: # evfsvol iencrypt [-f] [-k keyname] [-c cipher] evfs_volume_path For more information about the evfsvol iencrypt command, see “iencrypt: Inline Encryption” (page 67). b. Enable the EVFS volume: # evfsvol enable evfs_volume_path c.
The –f and –c options are not valid for a resumed inline encryption. The volume owner key is needed to resume an operation, and you will be prompted for a passphrase.
Step 3: Verifying the Configuration Use the following commands to verify your EVFS configuration: • • evfsadm stat -a evfsvol display evfs_volume_path evfsadm stat -a After you access data or mount a file system on an EVFS volume that is correctly configured, the output for the evfsadm stat -a command shows nonzero values for the number of blocks read (bpr), written (bpw), decrypted (bpd), and encrypted (bpe).
3. reading from the EVFS volume. The EVFS subsystem will provide decrypted data to the strings utility, and strings will find and display the text string you wrote. Verify that applications that bypass EVFS receive encrypted data. To do this, you must disable EVFS on the volume. Use the following procedure to disable EVFS on the volume: a. For data consistency, stop all applications accessing the EVFS volume.
# strings /dev/vg01/lvol5 | grep "TOP SECRET" (The strings command does not find the string "TOP SECRET") # evfsvol close /dev/evfs/vg01/lvol5 # evfsvol enable /dev/evfs/vg01/lvol5 Enter user passphrase: (enter the passphrase) # mount -F vxfs /dev/evfs/vg01/lvol5 /opt/encrypted_data Option 2: Converting a Volume with Existing Data to an EVFS Volume (Inline Encryption) 71
Step 4: (Optional) Configuring the Autostart Feature The EVFS autostart feature allows you to enable and mount EVFS volumes automatically at system startup without manual intervention. You must use the autostart feature for EVFS volumes that have file systems mounted at system startup (file systems with entries in the /etc/fstab file). CAUTION: Using the autostart feature requires you to store passphrases, and stored passphrases are security risks.
enable the volume are located on a nonroot disk of the local system. If you specify the boot_local2 option, the system will be unable to automatically mount a file system on the EVFS volume as part of the system startup procedure and you must manually mount the file system. boot_remote Enable the EVFS volume after NFS and other networking subsystems are started. Use this flag if the private key or stored passphrase used to enable the volume is located on a remote system, such as an NFS directory.
Step 5: Backing Up Your Configuration After you have completed your configuration, back up the files and subdirectories under the /etc/evfs directory. You must back up the user key database. You cannot re-create lost or corrupt user keys or passphrases. Determine the directories used for the key database by checking the pkey attribute statement in the /etc/evfs/evfs.conf file. By default, EVFS stores the user key database in subdirectories below the /etc/evfs/pkey directory.
Examples This section contains configuration examples for “Option 1” (page 75) and “Option 2” (page 76). Option 1 Step 1a: Create an EVFS volume. If you are using LVM or VxVM, create a new LVM or VxVM volume to use as the underlying volume. If you reuse an existing LVM or VxVM volume as the underlying volume, you will lose all existing data. You can skip this step if you are using whole disk access.
Optionally, configure the autostart feature, as described in “Step 5: (Optional) Configuring the Autostart Feature” (page 62). Finally, backup your EVFS configuration and user keys, as described in “Step 6: Backing Up Your Configuration” (page 64). Korn Shell Script for Creating an EVFS Volume and File System The following Korn shell (ksh) script configures an EVFS volume and creates and mounts a file system on the volume.
# umount /home # vxdg -g rootdg free # vxassist -g rootdg growby vol10 4m (The existing size is 96 MB; we now extend it by 4 MB, to 100 MB) # evfsadm map /dev/vx/dsk/rootdg/vol10 # evfsvol iencrypt /dev/evfs/vx/dsk/rootdg/vol10 # evfsvol enable /dev/evfs/vx/dsk/rootdg/vol10 # mount /dev/evfs/vx/dsk/rootdg/vol10 /home # evfsadm stat –a # evfsvol display /dev/evfs/vx/dsk/rootdg/vol10 Optionally, configure the autostart feature, as described in “Step 4: (Optional) Configuring the Autostart Feature” (page 72).
5 Administering EVFS This chapter describes how to perform the following EVFS administrative tasks: • Starting and stopping EVFS components.
Starting and Stopping EVFS This section describes the following procedures for enabling and disabling EVFS components: • • • • • • “Starting the EVFS Subsystem” (page 80) “Enabling Encryption and Decryption Access to EVFS Volumes” (page 80) “Disabling Encryption/Decryption Access to EVFS Volumes” (page 81) “Stopping the EVFS Subsystem” (page 82) “Opening Raw Access to EVFS Volumes” (page 83) “Closing Raw Access to EVFS Volumes” (page 83) Starting the EVFS Subsystem The following evfsadm start command star
-p -k keyname Causes EVFS to use a stored passphrase to enable encryption and decryption for the named EVFS volume. The /etc/evfs/evfstab file must contain an entry for this volume with a key ID field. Specifies the key name. If you do not specify -k keyname, evfspkey uses the user name as the key name. Valid value: An ASCII string, 1 to 255 characters long.
3. Use the evfsvol disable command to disable EVFS operation for the volume as follows: • To disable a single EVFS volume without a stored passphrase: evfsvol disable [-k keyname] evfs_volume_path You must be the volume owner or an authorized user for the volume to execute this command.
Opening Raw Access to EVFS Volumes Use the following evfsvol raw command to open an EVFS volume for raw access. When an EVFS volume is open for raw access, EVFS does not decrypt data read from the volume and does not encrypt data written to the volume. Entities reading data from the EVFS volume receive encrypted data. Entities writing data to the EVFS volume write directly to the underlying disk; EVFS does not encrypt the text.
Managing EVFS Keys and Users This section describes the following procedures for managing EVFS keys and users: • • • • • • • • “Displaying Key IDs for an EVFS Volume” (page 84) “Restoring User Keys” (page 84) “Changing Owner Keys for an EVFS Volume” (page 86) “Recovering from Problems with Owner Keys” (page 87) “Removing Keys from an EVFS Volume” (page 87) “Removing User Keys or Stored Passphrase from the EVFS Key Database” (page 87) “Changing the Passphrase for a Key” (page 87) “Creating or Changing a Sto
1. Verify the directory structure for the key database, and re-create it if necessary. By default, EVFS stores the user key database in subdirectories below the /etc/evfs/pkey directory, with a subdirectory for each user. The administrator can configure alternate database directory or directories using the pkey attribute in the /etc/evfs/evfs.conf file. HP recommends that the primary directory is writable only by superusers.
4. Restore the public and private key files and any passphrase files with the following name, owner, group, and permissions: • Public Key — File name: key_storage_directory/user_name/key_name.pub (/etc/evfs/pkey/user_name/key_name.
Specifies the key pair name for the new owner. If you do not specify this option or the -r option, evfsvol uses the owner's user name as the key pair name. Specifies the absolute pathname for the EVFS volume device file, such as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
The syntax for changing the passphrase for a volume owner or authorized user key is as follows: evfspkey passgen [-u username] [-k keyname] The syntax for changing the passphrase for a recovery key is as follows: evfspkey passgen -r recovkey_file where: -u username -k keyname -r recovkey_file Specifies the name of the user for the passphrase you want to delete. If you do not specify this argument, evfsvol uses your user name.
Recovering from EMD Corruption EVFS stores one backup image of the EMD for each EVFS volume. When you change the owner of an EVFS volume, or add or delete user keys for a volume, EVFS updates the EMD. Before EVFS updates the EMD, it stores a backup copy of the current EMD. The evfsvol restore command restores the backup copy of the EMD for an EVFS volume. Use the following procedure to restore a backup copy of an EMD: 1. For data consistency, stop all applications accessing the data.
Removing a Volume from the EVFS Subsystem Use the following procedure to deconfigure EVFS on a volume and remove it from the EVFS subsystem. 1. For data consistency, suspend or stop all applications accessing the data. You can use the fuser -cu command to determine the processes accessing files and the fuser -cku command to terminate the processes. See fuser(1M) for more information.
Exporting and Importing EVFS Volumes This section describes procedures for exporting and importing EVFS volumes. You can use these procedures to remove EVFS data from a system when moving (exporting) a volume and disk in from one system and installing (importing) the volume and disk on another system.
1. If you are moving the volume to another system, add an authorized user key pair for the administrator on the destination system. You will use this key pair on the destination system. a. Create a new key pair for the administrator on the destination system using the following criteria: • The user account for the key owner must exist on the destination system. • The key name must be unique for the owner on the destination system.
/etc/evfs/evfs.conf file. Using the default key storage directory, the key file names are: Public Key /etc/evfs/pkey/user_name/key_name.pub, where user_name is the key owner's name and key_name is the key name. Private Key /etc/evfs/pkey/user_name/key_name.priv, where user_name is the key owner's name and key_name is the key name. 3. For data consistency, stop all applications accessing the data.
4. If the EVFS volume had a file system, use the mount command to mount the file system to a mount point. Add an entry to the /etc/fstab file. See “Step 2: Creating and Mounting a File System on an EVFS Volume” (page 56) for more information.
6 Managing Data on EVFS Volumes This chapter contains information about managing volumes and files on systems with EVFS configured.
Limitations and Known Problems When Using EVFS with Volume Managers and File Systems The following limitations and known problems exist when using EVFS with volume managers (LVM and VxVM) and file systems. For a complete list of product limitations and known problems, see “Product Limitations and Precautions” (page 27) and “Known Problems” (page 29). Creating a New EVFS Volume Overwrites Existing Data EVFS does not automatically convert existing volume data to encrypted data.
Resizing EVFS Volumes and File Systems If you resize EVFS volumes and file systems created on EVFS volumes, HP recommends that you create a backup copy of the data before resizing an EVFS volume or file system above an EVFS volume. In addition, you must: • Allow 1 MB on the EVFS volume for the encryption metadata (EMD). Subtract 1 MB from the size of the underlying LVM, VxVM, or physical volume when calculating the number of bytes available for the file system.
# lvdisplay /dev/vg01/lvol5 --- Logical volumes --LV Name /dev/vg01/lvol5 VG Name /dev/vg01 : : LV Size (Mbytes) 112 : : # extendfs -F vxfs -s 48648 /dev/evfs/vg01/rlvol5 # mount -F vxfs /dev/evfs/vg01/lvol5 /test5 # bdf /test5 Filesystem kbytes used avail %used Mounted on /dev/evfs/vg01/lvol5 113664 1141 105498 1% /test5 Incorrect When calculating the number of Kbytes available for the file system, the user does not reserve space for the EVFS EMD. The LVM is 112 Mbytes = 114688 Kbytes.
# bdf /test1 bdf: /test1: I/O error VxVM Example: Increasing Volume and File System Sizes In the following sessions, the VxFS file system size is 66040 Kbytes, created on a 65-Mbyte (66560 Kbyte) VxVM volume (520 Kbytes is used for the EMD). The user increases the size of the VxVM volume to 112 Mbytes and wants to increase the corresponding file system size. Correct The user increases the VxVM volume size to 112 Mbytes (114688 Kbytes).
Incorrect The user does not reserve space for the EMD when calculating the number of Kbytes available for a file system on a 64-Mbyte VxVM volume. The user reduces the size of the file system to 65536 Kbytes, (64 * 1024 Mbytes = 65536 Kbytes), then reduces the size of the VxVM volume to 64 Mbytes. Although no file system error is returned, data might be lost corrupted.
7 Backing Up and Restoring Data on EVFS Volumes This chapter contains procedures for backing up and restoring data on EVFS volumes and addresses the following topics: • “Backing Up EVFS Volumes” (page 102) • “Backups Using LVM Mirrored Volumes” (page 105) • “Backups Using VxVM Mirrored Volumes” (page 112) • “Backups Using Nonmirrored Volumes” (page 121) • “Restoring Backup Media” (page 125) 101
Backing Up EVFS Volumes This section contains procedures for backing up data on EVFS volumes. The backup procedures differ depending on the following factors: • Use of mirrored volumes or nonmirrored volumes. The mirrored volumes can be LVM or VxVM. NOTE: You cannot perform online encrypted backups to a tape or other non-EVFS device unless you use mirrored volumes.
Table 7-1 Backup Types with LVM or VxVM Mirrored Volumes Media Format Target Device Encrypted Tape or other non-EVFS device Backup Utility Type Supported? Block device Yes utility, such as dd Source EVFS Volume State Raw Notes One volume in the mirror will be off line (unavailable to users). The remaining volume in the mirror is still available for user access.
Table 7-2 Backup Types with Nonmirrored Volumes Media Format Target Device Backup Utility Type Supported? Source EVFS Volume State Notes Encrypted Tape or other non-EVFS device Block device Yes utility, such as dd Raw Offline Backup. See “Creating Encrypted Backup Media to a Non-EVFS Device (Nonmirrored Volumes)” (page 121).
Backups Using LVM Mirrored Volumes If you have EVFS volumes configured on LVM mirrored volumes, you can back up the EVFS volumes on line, without disabling the EVFS volume or interrupting access to the data. To create LVM mirrored volumes, you must have the MirrorDisk/UX product installed.
5. Do not create an EMD area for the EVFS volume. The backup volume inherits a copy of the EMD from the original volume. However, because the backup volume inherits its EMD, the dirty bit is set even though the backup volume has not been enabled. You must reset the dirty bit in the EMD of the backup volume using the evfsvol check –r command. The syntax is as follows: evfsvol check -r evfs_volume_path Where evfs_volume_path is the absolute pathname for the EVFS volume device file.
Creating Encrypted Backup Media on a Second EVFS Volume Using a Block Device Utility (LVM Mirrored Volumes) If you have LVM mirrored volumes, use the following procedure to perform online encrypted backups to a second (target) EVFS volume using a block device backup utility, such as dd. To use this backup procedure, you must have the appropriate file permissions to access the EVFS volume device file and meet at least one of the following criteria: • • • You are the volume owner.
6. EVFS encryption and decryption must be enabled on the target volume also. Use the evfsadm stat -a or evfsvol display evfs_volume_path command to verify that EVFS is enabled on the target volume. In this example, /dev/evfs/vg01/lvol6 is a spare EVFS volume that will be used as the backup target device: # evfsvol display /dev/evfs/vg01/lvol6 7. Create encrypted backup media by using dd to copy the entire volume to a second EVFS volume that is also enabled.
Creating Encrypted Backup Media on a Second EVFS Volume Using a File Utility (LVM Mirrored Volumes) If you have LVM mirrored volumes, use the following procedure to perform online encrypted backups to a second (target) EVFS volume using a file-based backup utility, such as tar or cp. To use this backup procedure, you must have the appropriate file permissions to access the EVFS volume device file and meet at least one of the following criteria: • • • You are the volume owner.
6. Check the file system on the EVFS backup volume for consistency using the fsck command. For example: # fsck -F vxfs /dev/evfs/vg01/rlvol5backup 7. Create a temporary directory to use as mount point for the EVFS backup volume. For example: # mkdir /opt/evfs/backup_source 8. Mount the temporary directory on the EVFS backup volume. For example: # mount -F vxfs /dev/evfs/vg01/lvol5backup /opt/evfs/backup_source 9. EVFS encryption and decryption must be enabled on the target volume also.
Creating Cleartext Backup Media (LVM Mirrored Volumes) If you have mirrored LVM volumes, you can create cleartext backup media using the procedure described in “Creating Encrypted Backup Media on a Second EVFS Volume Using a Block Device Utility (LVM Mirrored Volumes)” (page 107) or “Creating Encrypted Backup Media on a Second EVFS Volume Using a File Utility (LVM Mirrored Volumes)” (page 109).
Backups Using VxVM Mirrored Volumes If you have VxVM mirrored volumes, you can back up the EVFS volumes on line, without disabling the EVFS volume or interrupting access to the data.
dirty bit is set even though the backup volume has not been enabled. You must reset the dirty bit in the EMD of the backup volume using the evfsvol check –r command. The syntax is as follows: evfsvol check -r evfs_volume_path Where evfs_volume_path is the absolute pathname for the EVFS volume device file. For example: # evfsvol Encrypted Resetting Encrypted 8. check -r /dev/evfs/vx/dsk/testdg/backupvol volume "/dev/evfs/vx/dsk/testdg/backupvol" has not been properly shut down. dirty bit...
# # # # # # # # # # # # # 114 vxplex -g testdg dis -v vol05 vol05-02 vxmake -g testdg -U gen vol backupvol plex=vol05-02 vxvol -g testdg start backupvol evfsvol map /dev/vx/dsk/testdg/backupvol evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol evfsvol raw /dev/evfs/vx/dsk/testdg/backupvol (EVFS prompts if you want to continue.
Creating Encrypted Backup Media on a Second EVFS Volume Using a Block Device Utility (VxVM Mirrored Volumes) If you have VxVM mirrored volumes, use the following procedure to perform online encrypted backups to second (target) EVFS volume using a block device backup utility, such as dd. To use this backup procedure, you must have the appropriate file permissions to access the EVFS volume device file and meet at least one of the following criteria: • • • You are the volume owner.
7. Enable the encryption and decryption access to the backup volume using the evfsvol enable command. For example: # evfsvol enable –k mykey /dev/evfs/vx/dsk/testdg/backupvol 8. Use the evfsadm stat -a or evfsvol display evfs_volume_path command to verify that EVFS is enabled on the target volume. In this example, /dev/evfs/vx/dsk/testdg/vol06 is a spare EVFS volume that will be used as the backup target device: # evfsvol display /dev/evfs/vx/dsk/testdg/vol06 9.
Creating Encrypted Backup Media on a Second EVFS Volume Using a File Utility (VxVM Mirrored Volumes) If you have VxVM mirrored volumes, use the following procedure to perform online encrypted backups to a second (target) EVFS volume using a file-based backup utility, such as tar or cp. To use this backup procedure, you must have the appropriate file permissions to access the EVFS volume device file and meet at least one of the following criteria: • • • You are the volume owner.
7. Enable the EVFS backup volume using the evfsvol enable command. For example: # evfsvol enable –k mykey /dev/evfs/vx/dsk/testdg/backupvol 8. Check the file system on the character (raw) EVFS backup volume for consistency using the fsck command. For example: # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol 9. Create a temporary directory to use as mount point for the EVFS backup volume. For example: # mkdir /opt/evfs/backup_source 10. Mount the temporary directory on the EVFS backup volume.
# # # # # # # # # # # # # # # # # vxplex -g testdg dis -v vol05 vol05-02 vxmake -g testdg -U gen vol backupvol plex=vol05-02 vxvol -g testdg start backupvol evfsvol map /dev/vx/dsk/testdg/backupvol evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol mount -f vxfs /dev/evfs/vx/dsk/testdg/backupvol /opt/evfs/backup_source evfsvol display /dev/evfs/vx/dsk/testdg/vol06 (the target volume must be enabled) cp
Creating Cleartext Backup Media (VxVM Mirrored Volumes) If you have mirrored VxVM volumes, you can create cleartext backup media using the procedure described in “Creating Encrypted Backup Media on a Second EVFS Volume Using a Block Device Utility (VxVM Mirrored Volumes)” (page 115) or “Creating Encrypted Backup Media on a Second EVFS Volume Using a File Utility (VxVM Mirrored Volumes)” (page 117).
Backups Using Nonmirrored Volumes This section contains procedures for performing backups without mirrored volumes. NOTE: To create encrypted backup media to a tape or other non-EVFS device without using mirrored volumes , you must disable access to the EVFS volume. The EVFS volume will be off line and unavailable to users or applications. If you do not have mirrored volumes, you can still perform online encrypted backups, but you must use a second EVFS volume as the target device.
5. Open raw access to the backup EVFS volume using the evfsvol raw command. CAUTION: After you open the volume for raw access, any entity reading data from the EVFS volume receives encrypted data. Any entity writing data to the EVFS volume writes directly to the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol raw command only when creating encrypted backup media or restoring encrypted backup media.
Creating Encrypted Backup Media on a Second EVFS Volume Using a Block Device Utility (Nonmirrored Volumes) Use the following procedure to perform an offline backup and create encrypted media on a second EVFS volume. You must have the appropriate file permissions to access the EVFS volume device file. CAUTION: EVFS must be enabled on both the source volume and target volume.
Creating Encrypted Backup Media on a Second EVFS Volume Using a File Utility (Nonmirrored Volumes) Use the following procedure to perform an offline backup and create encrypted media on a second EVFS volume. CAUTION: EVFS must be enabled on both the source volume and target volume. The backup utility will receive cleartext data from the source EVFS volume, and EVFS will encrypt the data when writing it to the target EVFS volume.
Restoring Backup Media This section describes how to restore backup media, and describes the following procedures: • • “Restoring Encrypted Backup Media from a Non-EVFS Device to an EVFS Volume” (page 125) “Restoring Backup Data from an EVFS Volume to an EVFS Volume” (page 126) Restoring Encrypted Backup Media from a Non-EVFS Device to an EVFS Volume When restoring encrypted backup media created on a non-EVFS device (such as a tape device) that contains an EVFS volume, the target volume to which you are r
This enables the utility you use in the next step to write data to the EVFS volume without encrypting the data. CAUTION: After you open the volume for raw access, any entity reading data from the EVFS volume receives encrypted data. Any entity writing data to the EVFS volume writes directly to the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol raw command only when creating encrypted backup media or restoring encrypted backup media. 6. 7. 8. 9.
4. Use the same utility that you used to create the backup media to restore the media (or an equivalent utility). If you used a file-based utility to create the backup media, use a file-based utility to restore the data; if you used a block device utility to create the backup media, use a block device utility to restore the data. After you restore the data, the target volume now contains the data from the backup (source) EVFS volume, encrypted using the target volume's EVFS data key.
8 Troubleshooting EVFS This chapter contains information about troubleshooting the HP-UX Encrypted Volume and File System (EVFS) product.
Displaying EVFS Volume Information You can display the following information about EVFS volumes: • • I/O and encryption statistics, using the evfsadm stat command. Keys configured for an EVFS volume, using the evfsvol display command. This command also displays operating parameters for the EVFS volume, including the underlying LVM, VxVM, or physical volume device file name and the volume encryption algorithm.
bpr Number of data blocks read. bpw Number of data blocks written. bpd Number of data blocks decrypted. bpe Number of data blocks encrypted. kbpsr Read rate in kilobytes per second (kb/s). This statistic is based on the time it takes the EVFS pseudo-driver to complete a read request. This statistic includes the time it takes to read data from the physical disk and the underlying LVM or VxVM volume (if applicable), and to decrypt the data. kbpsw Write rate in kilobytes per second (kb/s).
The meaning of each field is as follows: 132 EVFS Volume Name Name of the EVFS volume. Mapped Volume Name Device file name of the underlying LVM, VxVM, or physical volume. EMD Size Size of the encrypted metadata (EMD) area, in kilobytes. EVFS Volume State State of the EVFS volume, as maintained by the EVFS kernel driver. Max User Envelopes Maximum number of key records (user envelopes) allowed in the EMD. Each key record contains the volume encryption key, encrypted by a user's public key.
Verifying the EMD (evfsvol check) The evfsvol check command verifies the integrity of the EMD for an encrypted volume. You must disable the EVFS volumes you want to check before executing the evfsvol check command. If the verification fails, you can use the evfsvol restore command to restore the previous version of the EMD. See “Recovering from EMD Corruption” (page 89) for more information.
Verifying User Keys (evfspkey lookup) The evfspkey lookup command retrieves key pairs from the key storage data base and displays information about the keys, such as the encryption algorithm. Syntax evfspkey lookup [-u user|-r] [-k keyname] where: -u user -r -k keyname Specifies the user name of the key owner. If you do not specify -u user, evfspkey uses your user name as the key owner. You must have superuser or the appropriate privileges to look up a key pair for another user.
Problem Scenarios This section describes the following problem scenarios and solutions for the scenarios: • • • • • • • • “evfspkey Cannot Generate Key Pairs” (page 135) “evfspkey Cannot Store Keys” (page 135) “evfsvol Cannot Retrieve Private Key” (page 136) “evfsvol create Fails, EVFS Device File Not Found in evfstab File” (page 136) “evfsvol create Fails, Valid EMD Already Exists” (page 136) “evfsvol disable Fails, EVFS Volume Is Busy” (page 137) “evfsadm map Fails, Invalid Device” (page 137) “EMD Is Dir
evfsvol Cannot Retrieve Private Key Symptom An evfsvol command fails, and evfsvol displays a message similar to the following: # evfsvol disable /dev/evfs/vg01/lvol5 evfsvol: disable error: cannot retrieve private key "root.root", key loading failure Description The evfsvol utility cannot retrieve a user's private key to perform an operation on an EVFS volume. Solution If you do not specify a key name using the -k keyname option, evfsvol uses the default key name, which is the user's account name.
Description The evfsvol create command fails if an EMD already exists on the volume. This can occur if you reuse an EVFS volume without destroying the previous EMD. Solution If you are reusing an EVFS volume and do not want to recover the existing data, re-enter the evfsvol create command with the -f option. The evfsvol create command generates a new volume encryption key and new EMD. Any existing data is irrecoverable.
EMD Is Dirty Symptom The evfsvol enable or evfsvol check command fails.
Reporting Problems If you are unable to resolve a problem with EVFS, complete the following steps: 1. 2. 3. Read the EVFS product release notes to see if the problem is a known problem. If it is, follow the documented solution. Determine if you have a valid warranty or support contract for your HP-UX system. Your operations manager can supply you with the necessary information. Go to the HP IT Response Center website at the following URL: http://itrc.hp.
A Product Specifications This appendix contains product specification information, including file names.
User Files EVFS uses the following directories and files for configuration and other runtime data: • /etc/evfs/emd: Default directory for storing backup EMD data. • /etc/evfs/evfs.conf: Configuration file for global EVFS parameters, such as the recovery user name, encryption algorithm for volume data encryption, and directories for the user key database. • /etc/evfs/evfs_cryptx.conf: Configuration file for encryption libraries. Do not modify this file.
Commands and Tools EVFS provides the following commands: • /usr/sbin/evfsadm: Utility for administering EVFS (starting and stopping EVFS), mapping volumes to EVFS (creating EVFS volume device files), and other administrative tasks. • /usr/sbin/evfspkey: Utility for creating and managing user keys and passphrases. • /usr/sbin/evfsvol: Utility for creating and enabling EVFS volumes, displaying information about EVFS volumes, adding user keys to EVFS volumes, and other volume management tasks.
B EVFS Quick Reference This appendix contains reference information about EVFS.
Preparing EVFS This section briefly describes the steps in the EVFS preparation procedure. For more information, refer to Chapter 3 (page 35). 1. At installation, EVFS attempts to create the evfs user account and group for the EVFS pseudo-user. If you cannot use evfs as the user and group name for the EVFS pseudo-user, set the evfs_user attribute in the /etc/evfs/evfs.conf file to a different user name.
Option 1: Creating New EVFS Volume 1. Configure the EVFS volume: a. Create an LVM or VxVM volume if you are not creating the EVFS volume directly above a whole physical volume: # lvcreate -L lv_size [options]vgfile (LVM) # vxassist -g group make volume_name size (VxVM) b. Create the EVFS device files: CAUTION: Any data on the underlying LVM, VxVM, or physical volume will be overwritten in subsequent steps, so HP recommends that you specify an empty volume. # evfsadm map volume_path c.
The options field must contain the keyword boot_local, boot_local2, or boot_remote. See “Step 5: (Optional) Configuring the Autostart Feature” (page 62) for more information. 6. Back up your configuration. Back up all files in the /etc/evfs directory and all subdirectories below it. Option 2: Converting an Existing Volume into an EVFS Volume (Inline Encryption) 1. Prepare the file system and data. 1. Verify the file systems or volumes you want to secure with EVFS are suitable for encryption. 2.
EVFS Tasks and Commands The following tables provide the command syntax for common EVFS administrative tasks. Table B-1 Starting and Stopping EVFS Task Command Start the EVFS subsystem. evfsadm start [-n number_threads] Stop the EVFS subsystem. evfsadm stop Table B-2 Managing EVFS Volumes Task Command Map an LVM, VxVM, or physical volume to EVFS and create EVFS device files. evfsadm map volume_path Unmap an EVFS volume.
Table B-3 Managing EVFS Keys and Users Task Command Change the owner of an EVFS volume. evfsvol assign -u newowner [-r recovery_key.priv] [-k keyname] evfs_volume_path Recover from problems with owner keys. evfsvol assign -u newowner[-r recovkeyfile] [-k keyname]evfs_volume_path Remove keys from an EVFS volume. evfsvol delete [-u user] [-k keyname] evfs_volume_path Remove user keys or stored passphrases. evfspkey delete [-u user|-r] [-k keyname] Change the passphrase for a key.
Table B-4 Troubleshooting EVFS Task Command Show all I/O and cryptography evfsadm stat -a statistics for each EVFS volume. Show the total number of data evfsadm stat -s blocks, read, written, decrypted, and encrypted by EVFS. Reset EVFS statistic values to zero. evfsadm stat -z Display key IDs, underlying volume, and operating parameters for EVFS volumes. evfsvol display -a|evfs_volume_path] Verify the integrity of the EMD area of a volume.
C Using EVFS with Serviceguard This chapter describes how to use EVFS with the HP Serviceguard product.
Restrictions HP does not support EVFS with Serviceguard in the following configurations: • EVFS volumes are not supported with Serviceguard multi-node or system multi-node packages. The only package type supported with EVFS volumes is FAILOVER. • EVFS is not supported with the Veritas Cluster File System (CFS). • EVFS is not supported with SG/SGeRAC shared activation.
Configuration Overview EVFS includes the following files for operation with Serviceguard: • /etc/evfs/opt/cmcluster/evfs_sg.sh EVFS control script The following script is required for legacy packages only: • /etc/evfs/opt/cmcluster/evfssgconv Utility for converting existing package control scripts to make them execute the EVFS control script The following two scripts are required for modular packages only: • /etc/evfs/opt/cmcluster/evfs.1 EVFS Attribute Definition File (ADF) • /etc/evfs/opt/cmcluster/evfs.
Step 1: Installing EVFS Install EVFS on all Serviceguard nodes that will use EVFS volumes. For more information, see Chapter 2 “Installation”.
Step 2: Creating the Serviceguard Storage Infrastructure Before configuring EVFS, you must create a Serviceguard storage infrastructure for the cluster with cluster-aware LVM volume groups or VxVM disk groups. This infrastructure must be accessible to all nodes in the cluster. Select one node to be the configuration node. You will perform most of the configuration tasks on this node, then copy configuration data to the other nodes in the cluster. The primary node is typically the configuration node.
Adoptive Nodes On the adoptive nodes, import and start the disk group and volumes as follows: a. Use the vxdg import dg_name command to import the disk group. b. Use the vxvol -g dg_name startall command to initialize the disk group. c. To test the import operation, you can configure and mount temporary file systems on the VxVM volumes. When the configuration is complete, you will configure and mount file systems on EVFS volumes, not on the VxVM volumes.
Step 3: Configuring EVFS on the Configuration Node On the configuration node, configure and verify EVFS using the procedures described in Chapter 3 (page 35). After you have verified EVFS operation, you must complete the following additional tasks to use the EVFS volumes with a Serviceguard package: a. Create a cluster key pair, an EVFS key pair that will be distributed and used on all nodes in the cluster. b. Add the cluster key pair to the EMD of the EVFS volumes used by the Serviceguard package. c.
where: v volume_path evfs_volume_path user_name.key_name noauto Indicates that the entry is for an EVFS volume. Specifies the path for the underlying LVM, VxVM, or physical device file, such as /dev/vg01/lvol5, /dev/vx/dsk/rootdg/vol05, or /dev/dsk/c2t0d1. Specifies the absolute pathname for the EVFS volume device file, such as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1. Specifies the user name and key name pair to use when enabling the volume.
Step 4: Configuring EVFS Volumes on the Adoptive Nodes On each adoptive node, configure the EVFS volumes using the following procedure: a. Copy the appropriate EVFS configuration files and keys from the configuration node. b. Restore the cluster key pair files on the adoptive node. c. Create a local passphrase file for the cluster private key. d. Import and activate the LVM volume group or VxVM disk group on the adoptive node. e. Map the LVM or VxVM volumes to EVFS on the adoptive node. f.
Step 4e: Mapping the LVM or VxVM Volumes to EVFS Start the EVFS subsystem using the evfsadm start command if you have not already done so. Use the evfsadm map command to map the LVM or VxVM volumes to EVFS. (EVFS must add the volumes to the kernel registry on the adoptive node.) The evfsadm map syntax is as follows: evfsadm map volume_path where: Specifies the absolute path of the block device file for the underlying LVM or volume_path VxVM volume, such as /dev/vx/dsk/rootdg/vol01 or /dev/vg01/lvol5.
Step 4i: Configuring the Autostart Feature Configure the autostart feature to ensure that the EVFS subsystem is started when the adoptive node starts. Enable EVFS in the /etc/rc.config.d/evfs file.
Step 5: Configuring Serviceguard using Modular packages Use the following procedure to modify or create Serviceguard package configuration files. a. Halt the package if you want to reconfigure an existing package to use EVFS volumes. b. Install EVFS Attribute definition file in the modules directory. c. Copy the EVFS Control and Module Scripts. d. Create a modular package configuration file if you do not already have one. e. Migrate an existing legacy package configuration file if you have one. f.
Step 5d: Creating a Modular Package Configuration File Skip this step if you have an existing package configuration file. If you do not already have a package configuration file, create a subdirectory evfs under the /etc/cmcluster directory for the evfs package, and create the package configuration file using the following cmmakepkg command: # cmmakepkg -m evfs/evfs /etc/cmcluster/evfs/package_file_name.conf For example, where new_evfs_pkg.
Step 5g: Adding the EVFS Volumes to the Package Configuration File Edit the package configuration file to configure the EVFS volumes that you want Serviceguard to enable when the package starts, and the file systems to be mounted on the EVFS volumes. • If the EVFS volumes are created on VxVM volumes, specify the VxVM disk groups in the vxvm_dg parameter in the package configuration file.
Step 6: Configuring Serviceguard using Legacy packages Use the following procedure to modify or create package control scripts. a. Halt the package if you want to reconfigure an existing package to use EVFS volumes. b. Create a package configuration file if you do not already have one. c. Create a package control script if you do not already have one. d. Convert a package control script to execute the EVFS control script. e.
new_package Specifies the name for the new package control script file, such as /etc/cmcluster/my_pkg/my_pkg_evfs.sh. Modifying the Package Configuration File You must modify the RUN_SCRIPT and HALT_SCRIPT variables in the package configuration file to use the converted package control script. For example: RUN_SCRIPT /etc/cmcluster/my_pkg/my_pkg_evfs.sh : : HALT_SCRIPT /etc/cmcluster/my_pkg/my_pkg_evfs.
Glossary AES Advanced Encryption Standard. AES uses a symmetric key block encryption. EVFS supports AES with a 128-bit, 256-bit, or 292-bit key for encrypting volume data. AES is suitable for encrypting large amounts of data. authorized user A user who is authorized to enable and disable an EVFS volume, and perform other administrative operations on an EVFS volume.
user keys The public/private key pairs that EVFS uses to securely store volume encryption keys. User keys can be used as owner keys, recovery keys, or authorized user keys. volume encryption key Symmetric key used by EVFS to encrypt volume data. volume owner The owner of an EVFS volume. A volume owner with the appropriate file permissions for the EVFS device file can perform all administrative operations on an EVFS volume.
Index A AES (Advanced Encryption Standard), 169 configuring for a volume , 53 configuring the default algorithm for volumes , 42 supported key lengths , 17 assigning a new owner to a volume, 86 authorized user keys , 24 capabilities, 24 displaying the authorized user keys IDs for a volume, 131 autostart configuring, 62, 72 B backing up EVFS volumes, 102, 105, 121 nonmirrored volumes, 121 online with LVM mirrors, 105 with VxVM mirrors, 112 backup data restoring, 125 boot disk restrictions, 51, 66 boot_local
evfsevold, 80 evfspkey, 44 delete command, 87, 150 keygen command, 44 lookup command, 134, 151 evfssgconv, 167 evfsvol add command, 53 assign command, 86, 150 check command, 133, 151 close command, 83, 106, 113, 149 create command, 52, 136, 149 delete command, 87, 150 destroy command, 90, 149 disable command, 81, 149 display command, 59, 69, 84, 131 enable command, 54, 80, 149 export command, 93 import command, 93 raw command, 83, 106, 113, 149 restore command, 89 evfsvol disable error, 137 evol busy error,
configuring the directory for, 39 file permissions, 85 public/private keys, 17 creating, 44 Q quick reference for EVFS, 145 R raw access closing, 83, 149 opening, 83, 149 recovery keys adding to a volume, 53 capabilities, 24 creating, 45 displaying the recovery key IDs for a volume, 131, 132 displaying the total number for a volume, 132 file permissions, 85 removing a volume from EVFS, 90 renaming VxVM volumes, 96 reporting problems, 139 reporting volume information, 130 resizing volumes and file systems,
vxresize command, 96 cautions when using with EVFS, 96 VxVM volumes renaming, 96 174 Index
