Encrypted Volume and File System v2.0 Administrator Guide HP-UX 11i v3

names of the keys configured for the EVS volume. The output for the evfsvol display
evfs_volume_path is similar to the following:
# evfsvol display /dev/evfs/vg01/lvol5
EVFS Volume Name: /dev/evfs/vg01/lvol5
Mapped Volume Name: /dev/vg01/lvol5
EVFS Volume State: enabled
EMD Size (Kbytes): 520
Max User Envelopes: 1024
Data Encryption Cipher: aes-128-cbc
Digest: sha1
Owner Key ID: root.rootkey1
Recovery Agent Key IDs: evfs.evfs
Total Recovery Agent Keys: 1
User Key IDs: init.initkey
Total User Keys: 1
See “Displaying EVFS volume keys and operating parameters (evfsvol display)” (page 148) for more
information.
Verifying data encryption
You can use the following procedure to verify that EVFS is encrypting data before it is written to
the underlying LVM, VxVM, or physical volume:
1. Write text (a character string) to a file on an enabled EVS volume.
2. Use the strings utility to search the EVS volume device file. The text is stored in the underlying
   LVM, VxVM or physical volume as encrypted data, but the strings utility is reading from
   the EVS volume. The EVFS subsystem will provide decrypted data to the strings utility, and
   strings will find and display the text string you wrote.
3. Verify that applications that bypass EVFS receive encrypted data. To do this, you must disable
   EVFS on the volume. Use the following procedure to disable EVFS on the volume:
   a. For data consistency, stop all applications accessing the EVS volume. You can use the
      fuser -cu command to determine the processes accessing files and the fuser -cku
      command to terminate the processes. See fuser(1M) for more information.
      If the data is used by system processes, you might need to terminate the processes by
      changing the system runlevel to single-user level with the shutdown utility. See
      shutdown(1M) for more information.
   b. Use the umount command to unmount the file system. See umount(1M) for more
      information.
   c. Use the following command to disable encryption and decryption access to the volume:
         evfsvol disable [-k keyname] evfs_volume_path
      See “Disabling encryption and decryption access to EVS volumes” (page 62) for more
      information.
4. Use the following command to open the EVS volume for raw access:
      evfsvol raw evfs_volume_path
   See “Opening raw access to EVS volumes” (page 63) and the evfsvol(1M) manpage for
   more information.
CAUTION: After you open the volume for raw access, any entity reading data from the EVS
volume receives encrypted data. Any entity writing data to the EVS volume writes directly to
the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol
raw command only when creating encrypted backup media or restoring encrypted backup
media.
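The verification procedure above as a script. This is an added example, not part of the HP guide; the function names, the marker file name and the mount point are assumptions, as is repeating the strings search once raw access is open. It stops if umount fails instead of terminating processes with fuser -cku, and it leaves the volume in raw mode for the administrator to close.

```shell
#!/bin/sh
# Added example, not HP's code. Function names, the marker file name and the
# mount point in the usage line are assumptions made for this illustration.

# marker_visible FILE MARKER: succeed if MARKER is among FILE's printable strings.
marker_visible() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1" | grep -F -- "$2" >/dev/null
    else
        # Hosts without strings: split the byte stream on non-printable bytes.
        LC_ALL=C tr -c '[:print:]' '[\n*]' < "$1" | grep -F -- "$2" >/dev/null
    fi
}

# classify BEFORE AFTER: BEFORE is the step 2 result (volume enabled), AFTER
# is the result once the volume is disabled and opened raw; each is yes or no.
classify() {
    case "$1/$2" in
        yes/no)  echo "PASS: cleartext through EVFS, no cleartext on raw read" ;;
        yes/yes) echo "FAIL: marker readable on raw read" ;;
        *)       echo "INCONCLUSIVE: marker not found through the enabled volume" ;;
    esac
}

# verify_evfs EVS_DEVICE MOUNT_POINT: steps 1 to 4 of the guide, in order.
verify_evfs() {
    evs=$1; mnt=$2
    marker="EVFS-CHECK-$$-$(date +%Y%m%d%H%M%S)"
    echo "$marker" > "$mnt/evfs_check.txt" || return 1      # step 1
    sync                                                    # flush to the volume
    if marker_visible "$evs" "$marker"; then before=yes; else before=no; fi  # step 2
    fuser -cu "$mnt"                                        # step 3a: show users
    umount "$mnt" || return 1                               # step 3b: stop if busy
    evfsvol disable "$evs" || return 1                      # step 3c
    evfsvol raw "$evs" || return 1                          # step 4
    # Assumption: the strings search is repeated once raw access is open.
    if marker_visible "$evs" "$marker"; then after=yes; else after=no; fi
    classify "$before" "$after"
    echo "NOTE: $evs is still open for raw access; writes now bypass encryption."
}

# Usage on the guide's sample volume (mount point is constructed):
#   verify_evfs /dev/evfs/vg01/lvol5 /secure
```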
Option 1: Creating a new EVS volume 51