Encrypted Volume and File System v2.2 Administrator Guide
HP-UX 11i v3

Abstract
This document describes how to install, configure, and troubleshoot the Encrypted Volume and File System (EVFS) product. This document is intended for system and network administrators responsible for installing, configuring, and managing EVFS. Administrators are expected to have knowledge of operating system concepts, commands, and configuration.
© Copyright 2009, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
HP secure development lifecycle .... 11
I Encrypted Volume and File System (EVFS) .... 12
1 Overview .... 14
    EVFS architecture .... 14
    Features and benefits
II Encrypted Volume System (EVS) .... 36
5 EVS keys and user privileges .... 40
    User privileges and permissions .... 40
    EVS volume owner keys .... 40
    Recovery keys
    Step 3: Verifying the configuration .... 57
        evfsadm stat -a .... 57
        evfsvol display evfs_volume_path .... 58
        Verifying data encryption .... 58
        Example
    Example .... 88
    Creating encrypted backup media on a second EVS volume using a block device utility (VxVM mirrored volumes) .... 89
    Example
    Listing file encryption attributes .... 113
    Sharing encrypted files via groups and group keys .... 113
    File conversion operations .... 114
        Converting a cleartext file to an encrypted file
    Verifying the EMD (evfsvol check) .... 152
        Syntax .... 152
        Example .... 152
    Verifying user keys (evfspkey lookup)
C EVFS quick reference .... 161
    Preparing EVFS .... 161
    Configuring EVS .... 161
        Option 1: Creating a new EVS volume
    LVM and VxVM modular package example .... 179
    Step 5h: Verifying the script .... 180
    Step 6: Configuring HP Serviceguard using legacy packages .... 180
        Step 6a: Halting an existing package
HP secure development lifecycle
Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software delivered through this release before installing the products. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
Part I Encrypted Volume and File System (EVFS)
Part I includes the following topics:
• “Overview” (page 14)
• “EVFS data and keys” (page 21)
• “EVFS installation” (page 25)
• “Preparing EVFS for configuration” (page 28)
1 Overview
HP-UX Encrypted Volume and File System (EVFS) is an application-transparent technology that protects data at rest. With EVFS, critical files and data at rest are stored on disk in encrypted form. EVFS safeguards against compromised use of and unauthorized access to data resulting from physical theft of storage devices. The data encryption is based on a secret-key cryptosystem and runs as an integrated kernel service that is transparent to the user.
Figure 1 EVFS architecture

Features and benefits
EVFS protects data by encrypting data volumes to protect data at rest (data on disks). You can also use EVFS to create encrypted backup media. EVFS prevents anyone who gains unauthorized physical access to storage media from reading or using the data. EVFS creates EVFS volumes, which are pseudo-devices (or virtual devices) layered on Logical Volume Manager (LVM), Veritas Volume Manager (VxVM), or physical volume devices.
• High-performance bulk data encryption using symmetric keys EVFS encrypts volume data using a symmetric encryption key, referred to as the volume encryption key.
• EFS Secure Session
In order to use EFS, a user needs to be in an EFS secure session (see evfsauth(1)). This session contains all the credentials a user needs to access and operate on encrypted files. Secure session credentials are inherited by the session's child processes.
• Key Management
EVFS provides its own local key management system. It supports encryption keys for both EVS and EFS. The concept of a key manager was introduced in EVFS 2.0.
Figure 2 Software types
Type 1: User applications (above the system call interface to the kernel)
Type 2: Kernel daemons that interface with the Virtual File System (VFS) and the file systems (HFS, VxFS)
Type 3: Kernel modules that interface with physical disks and implement file system or volume management functions: the EVFS pseudo-driver, the logical volume managers (LVM, VxVM), and the physical disk

Product limitations and precautions
The EVFS product has the following limitations:
• EVFS operates with LVM, VxVM and physical volumes only.
decrypted data as output, and users can access individual files in cleartext. You must use normal HP-UX file system permissions and access control to restrict access to the data.
• You cannot encrypt the following objects:
    ◦ Files or disk areas used during system boot. This includes the following objects:
        – the root file system (/)
        – the HP-UX kernel directory (/stand)
        – the /usr directory
      EVFS cannot decrypt the kernel or other data before the system boots.
• The Multi Volume File System feature of Veritas, which is not supported by EVFS.
• EVFS is currently available in English only.
• Secure sessions limit: 16K secure sessions per system.
• Volume limit: 1023 encrypted volumes per system.
• ServiceGuard version A.11.18 or later using modular packages supports EVFS volumes without a file system.
• On an EFS volume, the file size is limited to the maximum file size minus the size of the EMD (4k).
2 EVFS data and keys

EVFS data flow
EVFS is implemented using a pseudo-driver that operates on the EVFS volumes. An EVFS volume is stacked between the underlying volume (an LVM, VxVM, or physical volume) and an upper layer. The upper layer can be a file system or an application that reads data from and writes data directly to the EVFS volume, such as a database application. When the upper layer writes data, the EVFS pseudo-driver encrypts the data before writing it to the underlying volume.
EVFS encryption keys
EVFS uses two types of encryption keys:
• Symmetric keys to encrypt data, referred to as volume encryption keys for EVS and as file encryption keys for EFS.
• Public/private key pairs to protect volume or file encryption keys, also referred to as user keys.
EVFS also uses passphrases to protect private keys.

Volume and file encryption keys
EVFS uses symmetric keys to encrypt data, referred to as volume or file encryption keys.
passphrase from other users, the passphrase is read automatically from the file (see “Using the evfsrun command” (page 127)). However, when entering a secure session (see “Using a secure session” (page 108)), a user is always prompted for the passphrase regardless of whether it has been stored in a file (in other words, the stored passphrase is ignored).
CAUTION: A stored passphrase enables you to use the EVFS autostart feature, but it is a security risk.
File names
When using the default key storage directory, EVFS uses the following directory and file names to store user keys:
Public Key           /etc/evfs/pkey/users/user_name/key_name.pub, where user_name is the key owner's name and key_name is the key name.
Private Key          /etc/evfs/pkey/users/user_name/key_name.priv, where user_name is the key owner's name and key_name is the key name.
Stored Passphrase    /etc/evfs/pkey/users/user_name/key_name.pass.
3 EVFS installation
This chapter describes how to install EVFS, including prerequisites, installation steps, and post-installation verification procedures. This chapter addresses the following topics:
• “Prerequisites” (page 25)
• “Installing EVFS” (page 25)

Prerequisites
The following are the minimum requirements to install and use EVFS.
Hardware requirements
• HP 9000 computers
• HP Integrity servers
Disk space requirements
The system must have at least 12 MB of disk space available.
If the EVFS depot file is correctly stored on the system, you will see the following message after executing the command:
    # swlist -d @ /tmp/EVFS.depot
    # Initializing...
    # Contacting target "my_host"...
    #
    # Target:  my_host:/tmp/EVFS.depot
    #
    #
    # Bundle(s):
    #
      EVFS    A.02.01.00    HP-UX Encrypted Volume and File System (EVFS)
5. Install EVFS using an interactive swinstall session or the following swinstall command:
    # swinstall -x autoreboot=true -s /tmp/.
8. Verify the installation using the following swverify command:
    # swverify EVFS
   If EVFS is installed correctly on the system, the swverify command includes the following text in the data it reports:
    * Verification succeeded
9. On IA, delete the user keys. For more information on deleting a user key, see “Deleting a user key” (page 138).
10. Check the value of emd_digest in the EVFS configuration file /etc/evfs/evfs.conf. If the value is SHA1, replace this with SHA2.
11. Start the EVFS subsystem.
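The check in step 10 can be scripted. The following POSIX shell script is an added example, not part of the HP guide: it reads emd_digest from an evfs.conf-style file and rewrites SHA1 to SHA2, keeping a .bak copy. It runs against a constructed sample file rather than the real /etc/evfs/evfs.conf.

```shell
#!/bin/sh
# Added example (not from the HP guide): audit and fix the emd_digest
# attribute in an EVFS configuration file, as post-install step 10 directs.

# get_emd_digest FILE
# Print the value of emd_digest (empty if unset). Comment lines are
# skipped and surrounding whitespace is stripped from the value.
get_emd_digest() {
    awk -F'=' '
        /^[[:space:]]*#/ { next }
        $1 ~ /^[[:space:]]*emd_digest[[:space:]]*$/ {
            v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v
            exit
        }' "$1"
}

# fix_emd_digest FILE
# Rewrite "emd_digest = SHA1" to SHA2. The original is kept as FILE.bak
# and the resulting value is printed so the caller can confirm the change.
fix_emd_digest() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed 's/^\([[:space:]]*emd_digest[[:space:]]*=[[:space:]]*\)SHA1[[:space:]]*$/\1SHA2/' \
        "$conf.bak" > "$conf"
    get_emd_digest "$conf"
}

# Constructed sample configuration (stands in for /etc/evfs/evfs.conf).
SAMPLE_CONF="${TMPDIR:-/tmp}/evfs.conf.sample.$$"
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF.bak"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed evfs.conf fragment
data_cipher = aes-128-cbc
emd_digest = SHA1
emd_backup = /etc/evfs/emd
EOF

before=$(get_emd_digest "$SAMPLE_CONF")
after=$(fix_emd_digest "$SAMPLE_CONF")
echo "emd_digest: $before -> $after"
```

On a live system, point the functions at /etc/evfs/evfs.conf and restart the EVFS subsystem afterwards so the new digest setting takes effect.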
4 Preparing EVFS for configuration This chapter describes how to prepare the EVFS product for configuration.
Step 1: Configuring an alternate EVFS pseudo-user EVFS uses the pseudo-user evfs to own and control internal resources. When you install EVFS for the first time, the installation script attempts to add the user account evfs and the group evfs for the EVFS pseudo-user. If the evfs user account or evfs group already exists on the system when you initially install EVFS, you must configure a different user account and group for the EVFS pseudo-user.
    # useradd -g my_evfs_group -c "EVFS pseudo-user" \
        -d /tmp -s /usr/bin/false my_evfs_user

Step 2: (Optional) Configuring alternate key database directories
EVFS stores user key data (public keys, private keys, and stored passphrases) in a key database. By default, EVFS stores this database in subdirectories and files under the /etc/evfs/pkey directory. EVFS then automatically creates a users subdirectory. You can modify the pub_key, priv_key, and pass_key attribute statements in the /etc/evfs/evfs.
    /usr/lib/evfs/hpux64/libevfs_pkey.so (HP Integrity servers)
    /usr/lib/evfs/pa20_64/libevfs_pkey.sl (HP 9000 servers)
[                Literal left square bracket.
key_directory    Specifies the fully qualified pathname of the base directory in which to store key data, such as /etc/evfs/pkey. See “Key storage directory requirements” (page 31) for more information. EVFS automatically creates a users subdirectory under the key_directory to store the key files. Therefore, you do not need to include users in the path.
Example: Alternate directory for public keys
The following attribute statements configure EVFS to store public keys in the user-created directory /etc/evfs/mykeys/users and to store private keys and passphrase files in the directory /etc/evfs/pkey/users:
    pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/mykeys,onfail:stop]
    priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
    pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.
    aes-192-cbc (192-bit AES CBC)
    aes-256-cbc (256-bit AES CBC)
A longer key length provides more security, but slows data transfer rates.
Default file cipher for PA: aes-128-cfb
Default file cipher for IA: aes-128-cbc
• emd_backup
The emd_backup attribute specifies the directory EVFS uses to store backup images of EMD data.
Default: /etc/evfs/emd
• pbe
The pbe attribute specifies the encryption library EVFS uses to secure EVFS private keys.
On multiprocessor systems, the default is the number of processors in the system minus 1. Setting the number of threads to a lower value can decrease EVFS throughput. The evfsadm start command starts the EVFS subsystem by initializing the EVFS pseudo-driver and starting the evfsevold process. The evfsevold process starts kernel threads for data encryption and decryption. You must start the EVFS subsystem to generate EVFS user keys and enable EVFS volumes.
EVFS uses the stored passphrase to decrypt the private key, then uses the private key to enable the EVFS volume.
options        Following are the valid options for the autostart feature:
    boot_local    Causes EVFS to enable the EVFS volume before local file systems in /etc/fstab are mounted and before NFS and other networking subsystems are started. Use this flag if the private key and stored passphrase used to enable the volume are located on the root disk of the local system.
Part II Encrypted Volume System (EVS)
Part II includes the following topics:
• “EVS keys and user privileges” (page 40)
• “Configuring an EVS volume” (page 45)
• “Administering EVS” (page 63)
• “Backing up and restoring data on EVS volumes” (page 78)
5 EVS keys and user privileges
EVFS defines the following types of user keys and restricts the execution of EVFS commands based on these keys and HP-UX user privileges:
• EVS volume owner keys
• Recovery keys
• Authorized user keys

User privileges and permissions
Some EVFS commands do not require user keys. Only users with the appropriate privileges can execute these commands. By default, the privilege required for these EVFS commands is superuser privilege.
Table 1 Key types and user capabilities
Key type/user type: Superuser or appropriate privileges and file permissions for the device files
Capabilities: Any user with superuser privileges or the appropriate privileges and file permissions can perform the following tasks (no EVFS key is required):
    • Start or stop the EVFS subsystem
    • Map volumes to EVFS (create EVFS device files)
    • Create user keys for other users
    • Display information about EVS volumes
    • Restore an EVS volume's EMD
Key type/user type: Owner Key
Capabilities: If a user has
for an authorized user and creating the passphrase file for the authorized user key pair instead of the owner key pair. • To create encrypted backup media on a tape device, a user must have an authorized user key pair for the volume. (The user must execute the evfsvol disable command as part of the backup procedure, which requires an EVFS authorized user key or owner key pair.) Creating and configuring an authorized user key pair will enable a non-owner to create encrypted backup media.
    Public/Private key pair "root.rootkey1" has been successfully generated.
(The evfspkey utility shows the key ID, which is the owner name, root, and the key name, rootkey1.)

Creating recovery keys
Creating recovery keys is optional, but HP recommends that you create at least one recovery key pair. Use the following evfspkey keygen command to create a public/private key pair for the recovery user. The evfspkey utility will prompt you for a passphrase to secure the private key.
-c cipher     Specifies the type of public/private (cipher) keys to create. Valid values:
                  rsa-1024 (RSA 1024-bit keys)
                  rsa-1536 (RSA 1536-bit keys)
                  rsa-2048 (RSA 2048-bit keys)
              Default for PA: rsa-1536
              Default for IA: rsa-2048
-u user       Specifies the user name of the key owner. If you do not specify -u user, evfspkey uses your user name as the key owner. You must have superuser capability or the appropriate privileges to create a key pair for another user.
-k keyname    Specifies the key name.
6 Configuring an EVS volume This chapter describes how to configure an EVS volume after preparing EVFS for configuration.
d. (Optional) Add recovery keys and authorized user keys.
e. Enable the EVS volume.

Step 1a: Creating an LVM or VxVM volume for EVFS
Skip this step if you are not using LVM or VxVM (if you are directly accessing the whole physical disk as a physical volume). You will create the EVS volume directly above the physical volume in the next step.
The syntax of the evfsadm map command is as follows:
    evfsadm map volume_path
where:
volume_path    Specifies the absolute path of the block device file for the underlying LVM, VxVM, or physical volume, such as /dev/vx/dsk/rootdg/vol01, /dev/vg01/lvol5, or /dev/dsk/c2d0t0.
The evfsadm map command maps the underlying LVM, VxVM, or physical volume to an EVS volume. The command also creates a block and a character device file for the EVS volume and adds them to the kernel registry.
Valid values:
    aes-128-cbc (128-bit AES CBC)
    aes-192-cbc (192-bit AES CBC)
    aes-256-cbc (256-bit AES CBC)
    aes-128-cfb (128-bit AES CFB)
    aes-192-cfb (192-bit AES CFB)
    aes-256-cfb (256-bit AES CFB)
A longer key length provides more security, but it slows data transfer rates.
Default: The value of the data_cipher attribute in the /etc/evfs/evfs.conf file. The default value for this attribute is aes-128-cbc.
evfs_volume_path    Specifies the absolute pathname for the EVS volume device file, such as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
You must be the owner of the EVS volume to add a recovery key. If you do not have a stored passphrase for the owner key, evfsvol prompts you for the passphrase.
Example
The following command adds the default recovery key to the /dev/evfs/vg01/lvol5 volume. The default recovery key owner and key name is evfs.
evfs_volume_path    Specifies the absolute pathname for the EVS volume device file, such as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
To enable the EVS volume, the evfsvol utility:
• Retrieves the passphrase for the owner or authorized user's private key by prompting the user for the passphrase or by using system data to decrypt the stored passphrase.
• Uses the passphrase to decrypt the owner or authorized user's private key.
Step 2b: (Optional) Using fsck to check the file volume
Optionally, use the fsck command to check the integrity of the file volume:
    fsck [-F file_sys_type] raw_evfs_volume_path
where:
-F file_sys_type    Specifies the file system type. This must be a file system type supported by the underlying LVM, VxVM, or physical volume, such as hfs or vxfs. If you do not specify this option, fsck uses the file system type from the corresponding entry in the /etc/fstab file. For more information, see fsck(1M).
Step 2e: (Optional) Adding an entry to /etc/fstab Optionally, add an entry to the /etc/fstab file for the encrypted volume. The system can use this entry for the mount -a command (mount all file systems in the /etc/fstab file) or to automatically mount the file system at system startup.
names of the keys configured for the EVS volume. The output for evfsvol display evfs_volume_path is similar to the following:
    # evfsvol display /dev/evfs/vg01/lvol5
    EVFS Volume Name:           /dev/evfs/vg01/lvol5
    Mapped Volume Name:         /dev/vg01/lvol5
    EVFS Volume State:          enabled
    EMD Size (Kbytes):          520
    Max User Envelopes:         1024
    Data Encryption Cipher:     aes-128-cbc
    Digest:                     sha2
    Owner Key ID:               root.rootkey1
    Recovery Agent Key IDs:     evfs.evfs
    Total Recovery Agent Keys:  1
    User Key IDs:               init.
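The verification can be automated. The following POSIX shell function is an added example, not part of the HP guide: it parses evfsvol display output and confirms the state a newly configured volume should show, namely enabled, sha2 digest, and at least one recovery agent key. The two display outputs it runs against are constructed to match the format above.

```shell
#!/bin/sh
# Added example (not from the HP guide): check "evfsvol display" output.
# The sample outputs below are constructed to follow the guide's format.

# field KEY
# Print the value of the "KEY: value" line read from stdin.
field() {
    awk -F': *' -v key="$1" '$1 == key { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# check_volume DISPLAY_OUTPUT
# Return 0 when the volume is enabled, uses the sha2 digest, and has at
# least one recovery agent key in its EMD; each failed check goes to stderr.
check_volume() {
    out="$1"; rc=0
    name=$(printf '%s\n' "$out" | field "EVFS Volume Name")
    state=$(printf '%s\n' "$out" | field "EVFS Volume State")
    digest=$(printf '%s\n' "$out" | field "Digest")
    recovery=$(printf '%s\n' "$out" | field "Total Recovery Agent Keys")
    [ "$state" = "enabled" ] ||
        { echo "$name: state is '$state', expected enabled" >&2; rc=1; }
    [ "$digest" = "sha2" ] ||
        { echo "$name: digest is '$digest', expected sha2" >&2; rc=1; }
    [ "${recovery:-0}" -ge 1 ] 2>/dev/null ||
        { echo "$name: no recovery agent key in the EMD" >&2; rc=1; }
    return $rc
}

# Constructed sample: a volume configured as the guide describes.
SAMPLE_OK='EVFS Volume Name:           /dev/evfs/vg01/lvol5
Mapped Volume Name:         /dev/vg01/lvol5
EVFS Volume State:          enabled
EMD Size (Kbytes):          520
Max User Envelopes:         1024
Data Encryption Cipher:     aes-128-cbc
Digest:                     sha2
Owner Key ID:               root.rootkey1
Recovery Agent Key IDs:     evfs.evfs
Total Recovery Agent Keys:  1'

# Constructed sample: disabled, legacy digest, and no recovery key.
SAMPLE_BAD='EVFS Volume Name:           /dev/evfs/vg01/lvol6
Mapped Volume Name:         /dev/vg01/lvol6
EVFS Volume State:          disabled
Data Encryption Cipher:     aes-128-cbc
Digest:                     sha1
Owner Key ID:               root.rootkey1
Total Recovery Agent Keys:  0'

if check_volume "$SAMPLE_OK"; then echo "/dev/evfs/vg01/lvol5: OK"; fi
if check_volume "$SAMPLE_BAD"; then :; else echo "/dev/evfs/vg01/lvol6: needs attention"; fi
```

On a live system, pass the command output directly: check_volume "$(evfsvol display /dev/evfs/vg01/lvol5)".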
5. Use the strings utility and try to find the text. The strings utility will not find the text because it receives data from the EVS volume in encrypted form.
6. Return the EVS volume to a working state.
   Close raw access using the following command:
       evfsvol close evfs_volume_path
   Enable the volume using the following command:
       evfsvol enable -k keyname evfs_volume_path
   Remount the file system using the mount command.
    # fuser -cu /opt/my_data
    # fuser -cku /opt/my_data
    # cp -R /opt/my_data/* /opt/encrypted_data
    # rm -r /opt/my_data
(If /opt/my_data was a file system, you would unmount it instead and remove the corresponding entry from the /etc/fstab file.)
    # ln -s /opt/encrypted_data /opt/my_data

Step 5: Backing up your configuration
After you have completed your configuration, back up the files and subdirectories under the /etc/evfs directory. You must back up the user key database.
   CAUTION: Encrypting the boot disk makes the boot disk unusable and prevents you from booting the system.
   • Swap space (swap devices or file swap space).
   CAUTION: Encrypting swap space can cause the system to panic.
   • Dump devices.
b. For data consistency, stop all applications accessing the data. You can use the fuser -cu command to determine the processes accessing files, and the fuser -cku command to terminate the processes. For more information, see fuser(1M).
CAUTION: The following two operations render the volume data irrecoverable.
evfsvol create -f    Use this command to recreate the EMD on the volume.
evfsvol destroy      Use this command to remove the EMD header from the volume.
The percentage of progress is reported after every 1 MB of data is processed. When the entire volume is converted successfully, a message is displayed. If the -f option is specified, the operation is forced without prompting.
    ---- EVFS Volume Name ----|--- State ---|-------------- Counters -------------|
                                               bpr     bpw     bpd     bpe
    /dev/evfs/vg01/lvol5        enabled        2074    52441   362     52345

    ---- EVFS Volume Name ----|--- State ---|---------------- Rates --------------|
                                               kbpsr   kbpsw   dkbps   ekbps
    /dev/evfs/vg01/lvol5        enabled        25      3       362     34
For descriptions of the output fields, see “Displaying I/O and encryption statistics (evfsadm stat)” (page 149).
4. Use the following command to open the EVS volume for raw access:
       evfsvol raw evfs_volume_path
   For more information, see “Opening raw access to EVS volumes” (page 65) and the evfsvol(1M) manpage.
CAUTION: After you open the volume for raw access, any entity reading data from the EVS volume receives encrypted data. Any entity writing data to the EVS volume writes directly to the underlying disk; EVFS does not encrypt the text.
Option 1
Step 1a: Create an EVS volume. If you are using LVM or VxVM, create a new LVM or VxVM volume to use as the underlying volume. If you reuse an existing LVM or VxVM volume as the underlying volume, you will lose all existing data. You can skip this step if you are using whole disk access.
    # lvcreate -L 64 -n lvol5 /dev/vg01
Step 1b: Map the new LVM or VxVM volume or physical volume to an EVS volume.
    # evfsadm map /dev/vg01/lvol5
Step 1c: Create the EMD on the new EVS volume.
Korn shell script for creating an EVS volume and file system
The following Korn shell (ksh) script configures an EVS volume and creates and mounts a file system on the volume. This is a basic script, and HP recommends that you enhance it to perform error checking. The script does not use file locking when editing /etc/evfs/evfstab or /etc/fstab. This script assumes the administrator has already performed the following tasks:
• Created an alternate recovery user account, if necessary.
    # evfsvol enable /dev/evfs/vx/dsk/rootdg/vol10
    # mount /dev/evfs/vx/dsk/rootdg/vol10 /home
    # evfsadm stat -a
    # evfsvol display /dev/evfs/vx/dsk/rootdg/vol10
Optionally, configure the autostart feature, as described in “Step 6: (Optional) Configuring the autostart feature” (page 34). Finally, back up your EVFS configuration and user keys, as described in “Step 4: Backing up your configuration” (page 59).
7 Administering EVS
This chapter describes how to perform the following EVFS administrative tasks:
• Starting and stopping EVFS components.
Enabling encryption and decryption access to EVS volumes The following evfsvol enable commands enable EVFS encryption and decryption access to EVS volumes. The EVS volumes must already be configured, as described in “Preparing EVFS for configuration” (page 28).
3. Use the evfsvol disable command to disable EVFS operation for the volume as follows:
   • To disable a single EVS volume without a stored passphrase:
         evfsvol disable [-k keyname] evfs_volume_path
     You must be the volume owner or an authorized user for the volume to execute this command.
data. Entities writing data to the EVS volume write directly to the underlying disk; EVFS does not encrypt the text. CAUTION: Writing data to or reading data from an EVS volume when it is opened for raw access can cause data corruption. HP recommends that you use this operation only when creating encrypted backup media or restoring encrypted backup media, as described in “Backing up EVS volumes” (page 78). Use the following procedure to open raw access to an EVS volume: 1.
command also displays operating parameters for the EVS volume, including the volume encryption algorithm and the underlying LVM, VxVM, or physical volume device file name.
Syntax
    evfsvol display [-a|evfs_volume_path]
where:
-a                  Displays the EMD information for all configured EVS volumes.
evfs_volume_path    Specifies the absolute pathname for the EVS volume device file, such as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
users/evfs directory (or a subdirectory under the key storage directory using the EVFS pseudo-user name) with the following permissions, owner, and group:
    drwxr-xr-x   2 bin   bin   96 Mar 16 17:27 evfs
4. Restore the public and private key files and any passphrase files with the following name, owner, group, and permissions:
   • Public Key
       ◦ File name: key_storage_directory/users/user_name/key_name.pub (/etc/evfs/pkey/users/user_name/key_name.
in “Creating recovery keys” (page 43). The procedure for adding a recovery key to an EVS volume is described in “Step 1d: (Optional) Adding recovery keys and authorized user keys” (page 48).)
    evfsvol assign -u newowner [-r recoveryprivkeyfile] [-k keyname] evfs_volume_path
where:
-u newowner               Specifies the name of the new owner for the EVS volume.
-r recoveryprivkeyfile    Specifies the name of the file containing the private key that corresponds to a recovery user's key in the EMD.
-r            Specifies that you want to delete recovery user keys.
-p            Specifies that you only want to delete the stored passphrase for the private key.
-k keyname    Specifies the name of the key pair you want to delete. If you do not specify this option, evfsvol uses the user name as the key name.

Changing the passphrase for a key
Use the evfspkey passgen command to change the passphrase for an existing private key. You must have superuser privileges to change the passphrase for a key that you do not own.
-u username   Specifies the name of the user for the key pair that corresponds to the passphrase you want to modify. If you do not specify this argument, evfsvol uses your user name. You must have superuser or appropriate privileges to specify a different user.
-k keyname    Specifies the name of the key pair that corresponds to the passphrase you want to modify. If you do not specify this option, evfsvol uses the user name as the key name.
Removing a volume from the EVFS subsystem Use the following procedure to deconfigure EVFS on a volume and remove it from the EVFS subsystem. 1. For data consistency, suspend or stop all applications accessing the data. You can use the fuser -cu command to determine the processes accessing files and the fuser -cku command to terminate the processes. For more information, see fuser(1M).
from one system and installing (importing) the volume and disk on another system. This section describes the following procedures:
• “Exporting an EVS volume” (page 73)
• “Importing an EVS volume” (page 75)
NOTE: Do not use the procedures in this section to configure EVS volumes for use in an HP Serviceguard cluster. For more information, see “Using EVFS with HP Serviceguard” (page 168).

Exporting an EVS volume
Use the following procedure to export an EVS volume.
1. If you are moving the volume to another system, add an authorized user key pair for the administrator on the destination system. You will use this key pair on the destination system.
   a. Create a new key pair for the administrator on the destination system using the following criteria:
      • The user account for the key owner must exist on the destination system.
      • The key name must be unique for the owner on the destination system.
2. Copy the owner's public and private key files to removable media. You must restore these files on the destination system. By default, EVFS stores the user key database in subdirectories below /etc/evfs/pkey/users, with a subdirectory for each user. The administrator can configure alternate database directories using the pub_key, priv_key, and pass_key attributes in the /etc/evfs/evfs.conf file.
3. Use the evfsvol enable command to enable the encrypted volume:
   evfsvol enable [-p] [-k keyname] evfs_volume_path
   For more information, see “Step 1: Configuring an EVS volume” (page 45) or evfsvol(1m).
4. If the EVS volume had a file system, use the mount command to mount the file system to a mount point. Add an entry to the /etc/fstab file. For more information, see “Step 2: Creating and mounting a file system on an EVS volume” (page 50).
# bdf /test5
Filesystem              kbytes    used   avail %used Mounted on
/dev/evfs/vg01/lvol5     65016    1125   59905    2% /test5
# umount /test5
# lvextend -L 112 /dev/vg01/lvol5
Logical volume "/dev/vg01/lvol5" has been successfully extended.
Volume Group configuration for /dev/vg01 has been saved in /etc/lvmconf/vg01.
8 Backing up and restoring data on EVS volumes
This chapter contains procedures for backing up and restoring data on EVS volumes and addresses the following topics:
• “Backing up EVS volumes” (page 78)
• “Backups using LVM mirrored volumes” (page 80)
• “Backups using VxVM mirrored volumes” (page 87)
• “Backups using nonmirrored volumes” (page 94)
• “Restoring backup media” (page 97)

Backing up EVS volumes
This section contains procedures for backing up data on EVS volumes.
Table 2 Backup types with LVM or VxVM mirrored volumes (continued)
Media format | Target device | Backup utility type | Supported? | Source EVFS volume state | Notes
Encrypted | EVS volume | Block device utility, such as dd | Yes | Enabled | The target EVS volume must also be enabled.
Table 3 Backup types with nonmirrored volumes (continued)
Media format | Target device | Backup utility type | Supported? | Source EVFS volume state | Notes
(Notes, continued from the preceding row) See “Creating encrypted backup media on a second EVS volume using a block device utility (nonmirrored volumes)” (page 95).
Encrypted | EVS volume | File utility | Yes | Enabled | The source volume can be on line, but HP recommends that you stop access to the source volume.
Creating encrypted backup media on a non-EVFS device (LVM mirrored volumes)
If you have LVM mirrored volumes, use the following procedure to perform online encrypted backups to a non-EVFS target device, such as a tape drive. You must use a block device backup utility, such as dd. You must have the appropriate file permissions to access the EVS volume device file to use this procedure.
1. Configure the mirror, if you have not already done so.
   The syntax for the evfsvol raw command is as follows:
   evfsvol raw evfs_volume_path
   where evfs_volume_path is the absolute pathname for the EVS volume device file. For example:
   # evfsvol raw /dev/evfs/vg01/lvol5backup
7. Use a block device utility such as dd to copy data from the EVFS backup volume to the target device. For example:
   # dd bs=64k if=/dev/evfs/vg01/lvol5backup of=/dev/rmt/0m
1. Configure the mirror, if you have not already done so. Create the mirror copy using the lvcreate -m or lvextend -m command.
2. Configure EVFS on the LVM volume using the evfsadm map and evfsvol create commands. Enable the EVS volume using the evfsvol enable command and migrate data to the EVS volume, if necessary.
3. Split the mirrored LVM volume into two logical volumes using the lvsplit command.
10. Merge the backup volume back with the original LVM volume using the lvmerge command. For example:
    # lvmerge /dev/vg01/lvol5backup /dev/vg01/lvol5

Example
In the following example, the administrator splits the /dev/vg01/lvol5 mirror volume and creates the /dev/vg01/lvol5backup volume. The target is the EVS volume /dev/evfs/vg01/lvol6. The dd command receives cleartext from the source EVS volume and the target EVS volume encrypts the data.
4. Do not create an EMD area for the EVS volume. The backup volume inherits a copy of the EMD from the original volume. However, because the backup volume inherits its EMD, the dirty bit is set even though the backup volume has not been enabled. You must reset the dirty bit in the EMD of the backup volume using the evfsvol check -r command. The syntax is as follows:
   evfsvol check -r evfs_volume_path
   where evfs_volume_path is the absolute pathname for the EVS volume device file.
on the EVS volume /dev/evfs/vg01/lvol6. The cp command receives cleartext from the source EVS volume and the target EVS volume encrypts the data.
# lvsplit -s backup /dev/vg01/lvol5
(LVM creates the /dev/vg01/lvol5backup volume)
# evfsadm map /dev/vg01/lvol5backup
# evfsvol check -r /dev/evfs/vg01/lvol5backup
# evfsvol enable -k mykey /dev/evfs/vg01/lvol5backup
(evfsvol prompts for a passphrase if there is no stored passphrase.
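The split-mirror, back-up, merge-back sequence is easy to get out of order by hand, and a failed middle step can leave the mirror split. The script below is an added example, not from the HP guide, that drives the same commands in the documented order and always merges the split copy back. It assumes the names used in the example (vg01/lvol5, owner key mykey), a VxFS file system on the volume, and a target EVS volume that is already enabled and mounted; EVFS_DRY_RUN=1 prints the command sequence instead of running it.

```shell
#!/bin/sh
# Added example (not part of the HP EVFS guide): script the LVM mirrored
# backup to a second EVS volume. Steps follow the guide: lvsplit, evfsadm map,
# evfsvol check -r (the split copy inherits a dirty EMD), evfsvol enable,
# mount, cp -r into the target, umount, evfsvol disable, evfsadm unmap,
# lvmerge. Assumed: vg01/lvol5, owner key "mykey", an enabled and mounted
# target EVS volume. EVFS_DRY_RUN=1 prints each command instead of running it.

EVFS_DRY_RUN=${EVFS_DRY_RUN:-0}

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$EVFS_DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# evs_mirror_teardown VG LV KEY: best-effort release of the split copy and
# merge back into the mirror. Called on success and after a failed step, so
# the mirror never stays split because something in the middle failed.
evs_mirror_teardown() {
    vg=$1; lv=$2; key=$3
    bk_lv=/dev/$vg/${lv}backup
    bk_evfs=/dev/evfs/$vg/${lv}backup
    run umount /opt/evfs/backup_source || :
    run evfsvol disable -k "$key" "$bk_evfs" || :
    run evfsadm unmap "$bk_evfs" || :
    run lvmerge "$bk_lv" "/dev/$vg/$lv"
}

# evs_mirror_backup VG LV KEY TARGET_MNT: back up /dev/VG/LV through its
# split mirror into TARGET_MNT (mount point of the enabled target EVS volume).
# Returns 0 on success; on any failure it tears down and returns 1.
evs_mirror_backup() {
    vg=$1; lv=$2; key=$3; target=$4
    bk_lv=/dev/$vg/${lv}backup
    bk_evfs=/dev/evfs/$vg/${lv}backup
    src_mnt=/opt/evfs/backup_source

    run lvsplit -s backup "/dev/$vg/$lv" || return 1
    # From here on the mirror is split, so every path must end in lvmerge.
    if run evfsadm map "$bk_lv" &&
       run evfsvol check -r "$bk_evfs" &&
       run evfsvol enable -k "$key" "$bk_evfs" &&
       run mkdir -p "$src_mnt" &&
       run mount -F vxfs "$bk_evfs" "$src_mnt" &&
       run cp -r "$src_mnt" "$target"
    then
        rc=0
    else
        rc=1
    fi
    evs_mirror_teardown "$vg" "$lv" "$key"
    return $rc
}
```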
Backups using VxVM mirrored volumes If you have VxVM mirrored volumes, you can back up the EVS volumes on line, without disabling the EVS volume or interrupting access to the data.
   evfsvol check -r evfs_volume_path
   where evfs_volume_path is the absolute pathname for the EVS volume device file. For example:
   # evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol
   Encrypted volume "/dev/evfs/vx/dsk/testdg/backupvol" has not been properly shut down.
   Resetting dirty bit...
   Encrypted volume "/dev/evfs/vx/dsk/testdg/backupvol" has been successfully recovered
8. Open raw access to the backup EVS volume using the evfsvol raw command.
# dd bs=64k if=/dev/evfs/vx/dsk/testdg/backupvol of=/dev/rmt/0m
# evfsvol close /dev/evfs/vx/dsk/testdg/backupvol
# evfsadm unmap /dev/evfs/vx/dsk/testdg/backupvol
# vxvol -g testdg stop backupvol
# vxplex -g testdg -v backupvol dis vol05-02
# vxplex -g testdg -v vol05 att vol05-02
# vxassist -g testdg remove volume backupvol

Creating encrypted backup media on a second EVS volume using a block device utility (VxVM mirrored volumes)
If you have VxVM mirrored volumes, use the following procedure to perform
   # evfsvol check -r /dev/evfs/vx/dsk/testdg/backupvol
   Encrypted volume "/dev/evfs/vx/dsk/testdg/backupvol" has not been properly shut down.
   Resetting dirty bit...
   Encrypted volume "/dev/evfs/vx/dsk/testdg/backupvol" has been successfully recovered
7. Enable the encryption and decryption access to the backup volume using the evfsvol enable command. For example:
   # evfsvol enable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
Creating encrypted backup media on a second EVS volume using a file utility (VxVM mirrored volumes)
If you have VxVM mirrored volumes, use the following procedure to perform online encrypted backups to a second (target) EVS volume using a file-based backup utility, such as tar or cp. To use this backup procedure, you must have the appropriate file permissions to access the EVS volume device file and meet at least one of the following criteria:
• You are the volume owner.
8. Check the file system on the character (raw) EVFS backup volume for consistency using the fsck command. For example:
   # fsck -F vxfs /dev/evfs/vx/rdsk/testdg/backupvol
9. Create a temporary directory to use as the mount point for the EVFS backup volume. For example:
   # mkdir /opt/evfs/backup_source
10. Mount the EVFS backup volume on the temporary directory. For example:
    # mount -F vxfs /dev/evfs/vx/dsk/testdg/backupvol /opt/evfs/backup_source
# mount -F vxfs /dev/evfs/vx/dsk/testdg/backupvol /opt/evfs/backup_source
# evfsvol display /dev/evfs/vx/dsk/testdg/vol06
(the target volume must be enabled)
# cp -r /opt/evfs/backup_source /opt/evfs/backup_target
# umount /opt/evfs/backup_source
# evfsvol disable -k mykey /dev/evfs/vx/dsk/testdg/backupvol
# evfsadm unmap /dev/evfs/vx/dsk/testdg/backupvol
# vxvol -g testdg stop backupvol
# vxplex -g testdg -v backupvol dis vol05-02
# vxplex -g testdg -v vol05 att vol05-02
# vxassist -g testdg remove volume
# vxvol -g testdg stop backupvol
# vxplex -g testdg -v backupvol dis vol05-02
# vxplex -g testdg -v vol05 att vol05-02
# vxassist -g testdg remove volume backupvol

Backups using nonmirrored volumes
This section contains procedures for performing backups without mirrored volumes.
NOTE: To create encrypted backup media on a tape or other non-EVFS device without using mirrored volumes, you must disable access to the EVS volume. The EVS volume will be off line and unavailable to users or applications.
   The evfsvol utility prompts you for the passphrase if a stored passphrase does not exist.
5. Open raw access to the backup EVS volume using the evfsvol raw command.
   CAUTION: After you open the volume for raw access, any entity reading data from the EVS volume receives encrypted data. Any entity writing data to the EVS volume writes directly to the underlying disk; EVFS does not encrypt the written data.
1. For data consistency, suspend or stop all applications accessing the data on both volumes. You can use the fuser -cu command to determine the processes accessing files, and the fuser -cku command to terminate the processes. For more information, see fuser(1M). If the data is used by system processes, you might need to terminate the processes by changing the system runlevel to single-user level with the shutdown utility. For more information, see shutdown(1M).
3. Use a file-based utility, such as cp, to copy data from the EVS volume device file to the target volume. The target volume now contains the data from the source EVS volume, encrypted using the target volume's EVFS data key. In the following example, /opt/encrypted_data is mounted on the source EVS volume, and /opt/evfs_backup is mounted on the target EVS volume.
2. For data consistency, suspend or stop any applications accessing data on the target volume. You can use the fuser -cu command to determine the processes accessing files, and the fuser -cku command to terminate the processes. If the data is used by system processes, you might need to terminate the processes by changing the system runlevel to single-user level with the shutdown utility. For more information, see shutdown(1M).
1. For data consistency, suspend or stop all applications accessing the data on both volumes. You can use the fuser -cu command to determine the processes accessing files, and the fuser -cku command to terminate the processes. For more information, see fuser(1M). If the data is used by system processes, you might need to terminate the processes by changing the system runlevel to single-user level with the shutdown utility. For more information, see shutdown(1M).
Part III Encrypted File System (EFS)
Part III includes the following topics:
• “Determining user roles” (page 103)
• “Creating an EFS volume and file system” (page 105)
• “Using EFS” (page 108)
• “Managing keys” (page 131)
9 Determining user roles
EFS consists of three user functions defined as follows:
• The system administrator
• The user
• The key manager

The system administrator role
The
1. Creates user keys
2. Deletes user keys
3. Displays user key information
4. Changes a user's passphrase, which protects the private key (requires the user's old key passphrase)
5. Imports user keys
6. Exports user keys (requires the user's key passphrase)
The system administrator can also perform operations 1 through 4. Only the key manager can perform operations 5 and 6.
NOTE: Users who are the key owners can perform all of these operations.
10 Creating an EFS volume and file system
This section describes the procedure to configure a new encrypted file system or to convert an existing file system to an encrypted file system:
• Starting the EVFS subsystem (see “Step 5: Starting the EVFS subsystem” (page 33))
• Creating an LVM or VxVM volume (see “Creating an LVM or VxVM volume” (page 105))
• Mapping the volume to EVFS in EFS mode (see “Mapping the volume to EVFS” (page 105))
• Creating a file system (see “Creating a file system” (page 10
mapped, access to both the underlying volume path (/dev/disk) and the EVFS volume path (/dev/evfs/disk) is shared. HP recommends that you use the EVFS volume path (for example, /dev/evfs/disk).

Creating a file system
NOTE: Skip this step if you already have an existing file system.
   This command creates the EVFS raw and block device files /dev/evfs/vg01/rlvol1 and /dev/evfs/vg01/lvol1.
2. Create a file system on the EVFS volume mapped for file-level encryption, using either one of the following commands:
   # newfs -F vxfs /dev/evfs/vg01/rlvol1
   or
   # newfs -F vxfs /dev/vg01/rlvol1
11 Using EFS Once you have an EFS file system mounted, you can create and manipulate an encrypted file.
Re-enter passphrase:
You are entering into a secure session. Use "exit" to end the session.
If the key manager changed your user key, the evfsauth login command forces you to reset your passphrase, as follows:
# evfsauth login
Enter passphrase:
You need to reset EFS passphrase.
Enter new passphrase:
Re-enter new passphrase:
You are entering in a secure session. Use "exit" to end the session.
You can use the following options with the evfsauth login command.
Changing the file permissions
Use the HP-UX chmod command to change the mode bits (user and group access permissions) on an encrypted file. You need to have a valid DAC permission to change the mode bits. You do not need to be in a secure session to perform this operation.

Changing the file owner/group
You must be in a secure session to change the owner/group on an encrypted file. Only the owner of the file can change the owner/group permissions of an encrypted file.
Enabling encryption at the FS level
Encryption can be enabled at the FS level by setting encryption parameters at the EFS mount point. All new files and directories created after that use the encryption parameters set at the mount point. Existing files remain in cleartext and are not affected by this operation. In this example, an EFS is created and mounted on the /efsmnt directory.
# evfsfile list /efsmnt/dir1/file1
evfsfile: list error: "/efsmnt/dir1/file1" is not an encrypted file.
# evfsfile set -d /efsmnt
# evfsfile list /efsmnt
evfsfile: list error: "/efsmnt" is not enabled for encryption.
# evfsfile list /efsmnt/dir1
EFS directory information:
Data Encryption Cipher: aes-192-cfb
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-192-cfb

Disabling encryption at the directory level
In this example, assume that /efsmnt/dir2 is enabled for encryption.
EVFS supports only the user's primary group key. After a key pair is created for a group configured in the system, the group access is implicitly added to the key records of the users who have this group as their primary group (that is, the group ID is configured in the user's account entry in the /etc/passwd file or in a remote data repository such as NIS or LDAP).
# evfsfile encrypt [-c cipher] file
The parameters are as follows:
cipher  The symmetric key algorithm name and key length. Valid values are aes-128-cfb, aes-192-cfb, and aes-256-cfb. On IA, aes-128-cbc, aes-192-cbc, and aes-256-cbc are also valid. Using this option creates the encryption key with the specified cipher. Otherwise, the cipher information is extracted using the "cipher precedence" rules described in Section (page 117).
file    Encrypted file name.
1. List the encryption attributes on the /efsmnt/file1 file:
   # evfsfile list /efsmnt/file1
   EFS file information:
   EMD Size (Kbytes): 4
   Data Encryption Cipher: aes-128-cbc
   Owner Key ID: root.root
   Group Key ID: sys.sys
2. Turn off all the applications that use the /efsmnt/file1 file. For data consistency, stop all applications that are accessing the data. You can use the fuser -cu command to determine the processes accessing files, and the fuser -cku command to terminate the processes.
   # evfsfile list /efsmnt/file1
   EFS file information:
   EMD Size (Kbytes): 4
   Data Encryption Cipher: aes-128-cbc
   Owner Key ID: root.root
   Group Key ID: sys.sys
   Recovery Key ID: evfs.efs
5. Change the encryption key with a different cipher:
   # evfsfile rekey -c aes-256-cfb /efsmnt/file1
   Successfully changed the file encryption key
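Before rekeying a tree as in the steps above, it helps to know which files actually need it. The following shell helpers are an added example, not from the HP guide, that parse the evfsfile list output format shown above and flag files that are still cleartext, use fewer key bits than a chosen minimum, or carry no recovery key; the minimum-bits policy, the efs_* function names and the sample records are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the HP EVFS guide): audit helpers that read the
# text printed by "evfsfile list" and raise a finding when a file is still
# cleartext, uses a cipher with fewer key bits than the site minimum, or has
# no recovery key (the one "evfsfile add -r" attaches). The minimum-bits
# policy and any sample records are constructed for this example.

# efs_field LABEL: print the value of the first "LABEL: value" line on stdin.
efs_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | sed -n 1p
}

# efs_audit_record MIN_BITS: read one evfsfile list record from stdin and
# print one finding per line. Returns 0 when compliant, 1 otherwise.
efs_audit_record() {
    min_bits=$1
    rec=$(cat)
    rc=0
    # Error records: the object is not encrypted at all.
    case $rec in
        *"is not an encrypted file"*)
            echo "finding: cleartext file (not encrypted)"; return 1 ;;
        *"is not enabled for encryption"*)
            echo "finding: directory not enabled for encryption"; return 1 ;;
    esac
    cipher=$(printf '%s\n' "$rec" | efs_field 'Data Encryption Cipher')
    case $cipher in
        aes-128-cfb|aes-192-cfb|aes-256-cfb|aes-128-cbc|aes-192-cbc|aes-256-cbc)
            # Key length is the middle field of the cipher name (aes-<bits>-<mode>).
            bits=${cipher#aes-}; bits=${bits%%-*}
            if [ "$bits" -lt "$min_bits" ]; then
                echo "finding: cipher $cipher below policy minimum of $min_bits bits"
                rc=1
            fi ;;
        *)
            echo "finding: unrecognised cipher '$cipher'"; rc=1 ;;
    esac
    # Only file records carry key IDs; directory records only set the cipher.
    case $rec in
        "EFS file information:"*)
            if [ -z "$(printf '%s\n' "$rec" | efs_field 'Recovery Key ID')" ]; then
                echo "finding: no recovery key (add one with evfsfile add -r)"
                rc=1
            fi ;;
    esac
    return $rc
}

# efs_audit_tree DIR MIN_BITS: run evfsfile list on every regular file below
# DIR and print "path: finding" lines. Only works on HP-UX with EVFS installed.
efs_audit_tree() {
    dir=$1; min_bits=$2
    command -v evfsfile >/dev/null 2>&1 || { echo "evfsfile not found" >&2; return 2; }
    find "$dir" -type f | while IFS= read -r f; do
        # evfsfile reports cleartext files on stderr, so merge the streams.
        evfsfile list "$f" 2>&1 | efs_audit_record "$min_bits" |
            while IFS= read -r line; do printf '%s: %s\n' "$f" "$line"; done
    done
}
```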
# evfsfile list ME
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: dlin.dlin
# ls -l
total 10
-rw-r--r--   1 dlin       users           15 Jul 31 12:26 ME
Without evfsxfr, the size of ME is displayed as 15 bytes.
# evfsfile list AG/secret.c
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: dlin.dlin
Group Key ID: users.users
Recovery Key ID: evfs.efs
Note that if you do not use the evfsxfr command when restoring into an encrypted directory, the encryption is done twice:
# evfsfile list AG
EFS directory information:
Data Encryption Cipher: aes-128-cbc
# tar xvf AG.
The EVFS wrapper commands EVFS provides wrapper commands to facilitate user/group encrypted data access and prevent unintended decryption of encrypted files. These wrapper commands exhibit similar behaviors as the corresponding HP-UX commands, except for the restrictions described in this section. EVFS wrapper commands are located at /opt/evfs/bin.
# cp file1 /efs/encdir
# ll /efs/encdir/file1
-rw-rw-rw-   1 jsmith     users            6 Jul 29 10:33 /efs/encdir/file1
# cp file1 /efs/cleardir
cp: file1: is encrypted, but /efs/cleardir is not configured for encryption: Permission denied

Example 2
In this example, user jsmith, who is in a secure session, copies an encrypted file to a regular directory using the evfsxfr cp command. The target file is still encrypted.
Example 5
When not in a secure session, user jsmith uses the evfsxfr cp command to copy a clear file into a directory configured for encryption. The target file remains clear:
# pwd
/efs/jsmith
# evfsfile list .
EFS directory information:
Data Encryption Cipher: aes-128-cbc
# evfsxfr cp /efs/cleardir/fileb .
# evfsfile list fileb
evfsfile: list error: "fileb" is not an encrypted file.
Data Encryption Cipher: aes-128-cbc
Owner Key ID: usera.usera

Example 2
If the new owner does not have a key, the chown wrapper command fails to change the owner of an encrypted file:
# ll filea
-rw-rw-rw-   1 usera      users           15 Jul 30 15:40 filea
# evfspkey lookup -u userb
evfspkey: lookup error: user key pair "userb.userb" does not exist.
# chown userb filea
chown: error: cannot retrieve public key "userb.
The following table shows the restrictions for the mv wrapper command: Destination Directory Encryption: Session evfsxfr Source Configured Not Configured Configured Across Different File Systems All Not Configured Within the Same File System With All Allowed Without Encrypted File Note 1 No Allowed Note 2 Cleartext File No Allowed Note 2 Allowed Encrypted File No No Allowed Note 2 Cleartext File No Allowed Note 2 Allowed Secure Session Non-secure Session Note 1: Only root
# mv filex filey
# evfsfile list filey
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith

Example 4
The root user in a secure session is allowed to move an encrypted file across different file systems:
# id
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail)
# evfsauth login
Enter your key passphrase:
You are entering in a secure session. Use "exit" to end the session.
groupmod command is issued to modify the group name while the group already has a key, the old group key becomes inaccessible and there will be no group key for the new group name.
NOTE: Do not change the group name once the group has a key.
If you are not in a secure session to issue these wrapper commands, you must do one of the following:
• Change the shell variable PATH to add /opt/evfs/bin in order to override /usr/sbin.
• Refer to the full path /opt/evfs/bin/.
storage if it is the primary group. If the HP-UX groupdel command is used to delete the group, the group key and the group access information are not deleted. In that case, the key manager can delete them using the evfspkey delete -g group command.

Example 1
User jsmith has a key pair.
To start the Oracle database during system boot, the Oracle startup script typically has the following entry, which starts the database automatically as user $ORACLE:
# su $ORACLE -c "$ORACLE_HOME/bin/dbstart $ORACLE_HOME"
If the database files are encrypted using EVFS (configured in EFS mode), the Oracle database must be started with the evfsrun command in order to access the database files created by user $ORACLE in clear.
Recovery key:
  Key name: evfs.efs
/* The following command adds the EFS recovery key evfs.efs to encrypted file file1. */
# evfsfile add -r file1
Successfully added the recovery key to encrypted file "file1"
/* The recovery key is added to the encrypted file */
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Recovery Key ID: evfs.
# evfsauth display
You are not in a secure session.
# id
# more file1
file1: Permission denied
/* root user who is in the secure session but cannot read the file */
/* because root is not the owner */
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfsauth display
User key:
  Key name: root.root
Recovery key:
  Key name: evfs.newkey
# more file1
File1: Permission denied
/* Assign encrypted file to root user */
# evfsfile assign -r /test1/newkey.
12 Managing keys
This chapter describes how to manage EFS keys as follows:
• “Types of keys” (page 131)
• “Key manager key” (page 131)
• “Managing a user key” (page 132)
• “Managing a group key” (page 138)
• “Key manager operations” (page 142)
• “Key file location” (page 144)

Types of keys
EFS includes the following types of keys:
Table 4 EFS keys
Key  | Description
User | Allows a user to access file content through the owner and group key. The user passphrase and user access key protect the user key.
file. The value of key_manager in the /etc/evfs/evfs.conf file must not change once the key manager's key pair is created, or all group keys associated with the key manager will become inaccessible. Because the key manager's key is used to protect group keys and is possibly linked to user keys, there are several limitations on using the key manager:
• For security reasons, the key manager is not allowed to have a secure session (this prevents the same key from being used to encrypt files).
is prompted to enter the aforementioned passphrase, and also requested to change the passphrase. The system administrator or key manager is allowed to create a key pair for other users by specifying the user name with the -u and -s options. When the -s option is specified, keygen automatically generates a random passphrase to protect the private key, and stores it in a designated file. There is no need for the system administrator or key manager to share the passphrase with the user.
not allowed to enter an EFS secure session. To create a key manager key, the user configured as the key manager (see key_manager in the /etc/evfs/evfs.conf file) must log into the system and run the evfspkey keygen command. The following options are allowed only for the system administrator or the key manager:
-u  Specify the user name (for example, the key owner).
-r  Specify the recovery key.
See evfspkey for detailed information on their usage.
   Re-enter new passphrase:
   Passphrase for key "testuser.testuser" has been successfully generated
2. The key manager, by entering the key manager's passphrase
   The key manager can change a user's key passphrase by entering its own passphrase when the following conditions are true:
   • The key_manager account has been configured in the /etc/evfs/evfs.conf file.
   • The key manager has created his key pair.
   • The parameter keymgr_reset_passphrase is yes.
Displaying user key information
The system administrator or the key manager can display any user's key information using the evfspkey lookup command with the -u option. A key owner can also display its own key information. For example:
# id
uid=110(luser1) gid=20(users)
# evfspkey lookup
Key ID: luser1.
The exported key stored in standard PKCS12 or PEM format can be shared with other applications which recognize the format.
-p               Prompts for the passphrase and stores it in a file.
-s               Generates a random passphrase and stores it in a file.
-m               Specifies the keywrap to override the setting in the /etc/evfs.conf file.
-f               Specifies the file name to import the key from. This option is mandatory.
-F {pkcs12|pem}  Specifies the key format in the file. The default is pkcs12.
If the user key is imported by the key manager, the user will have to change its passphrase upon the next login to EFS, when the user runs the evfsauth command.
Creating a group key
Only the key manager can create a group key. Therefore, the key manager's key must be created before any group keys can be created. Unlike user keys, where a user can have multiple keys (specified with -k), each group is allowed only one key and the key name is always the same as the group name. Therefore, the -k option is not valid for creating a group key.
the key manager's passphrase once. The file contains all the groups to be created; the group names are specified one group per line.

Example
In this example, the grpfile file contains the following:
# more grpfile
lgrp1
lgrp2
testgrp
The key manager can create all those groups as follows:
# evfspkey keygen -f grpfile
Enter key manager's passphrase:
Public/Private key pair "lgrp1.lgrp1" has been successfully generated.
lgrp1: group access key has been added into user "luser1" key record.
By default, the exported key is stored in the PKCS12 format. To store keys in the PEM format, specify the -F pem option. The key can be shared with any application that understands the format. To export a group key, use the following options:
-g               Specifies the group name.
-f               Specifies the file to store the exported key.
-F {pkcs12|pem}  Specifies the exported key file format. The default is pkcs12.
Key manager operations The following operations require the key manager to log into the system. The system administrator cannot perform these operations when running the su command as the key manager.
# evfspkey add -u jsmith -g users
Enter key manager's passphrase:
The "users" group access key was successfully added to the user "jsmith" key record.
# evfspkey lookup -u jsmith
Key ID: jsmith.
Check or synchronize users and groups
The key manager uses the evfspkey chkgrp command to verify that the EFS user and group key information is synchronized, for example, that the primary group access keys are present in the user key records of all members. There are three levels of verification:
keys from previous releases in different directories, you still need to configure those directories in priv_key, pub_key, and pass_key so that EVFS can locate them. EVFS creates a users subdirectory for all user keys and a groups subdirectory for all group keys; it then creates a subdirectory under users for each user that creates EVFS keys, using the user name as the directory name.
13 Support and other resources
Contacting HP
Before you contact HP
Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product identification number
• Applicable error message
• Third-party hardware or software
• Operating system type and revision level
HP contact information
For the name of the nearest HP authorized reseller:
• See the Contact HP worldwide (in English) webpage (http://www.hp.
Related information
Documents
• Encrypted Volume and File System v2.2 Release Notes
  www.hp.com/go/hpux-security-docs
• HP-UX System Administrator's Guide: Configuration Management
  http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02281490/c02281490.pdf
• Managing Serviceguard
  http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02835426/c02835426.pdf
• Veritas™ File System 5.0.1 Administrator's Guide HP-UX 11i v3
  http://h20000.www2.hp.
          Indicates the continuation of a code example.
|         Separates items in a list of choices.
WARNING!  A warning calls attention to important information that if not understood or followed will result in personal injury or nonrecoverable system problems.
CAUTION:  A caution calls attention to important information that if not understood or followed will result in data loss, data corruption, or damage to hardware or software.
A Troubleshooting EVFS This appendix contains information about troubleshooting the HP-UX Encrypted Volume and File System (EVFS) product.
Syntax
evfsadm stat [-a|-s|-z]
where:
-a  Displays all available information about EVFS: the number of EVFS volumes, the EVFS subsystem status (up or down), and the number of kernel encryption threads. For each EVFS volume, displays the state as maintained by the EVFS kernel driver (enabled, disabled, or raw), and I/O and cryptography statistics.
-s  Displays EVFS encryption and decryption statistics.
dkbps  Decryption rate in kilobytes per second (kb/s).
ekbps  Encryption rate in kilobytes per second (kb/s).
Digest                     The algorithm used to create a message digest value for the EMD, such as Secure Hash Algorithm (SHA-1/SHA-2). EVFS uses the message digest value and other information to verify the contents of the EMD.
Owner Key ID               Owner key ID for the volume, in the format user_name.key_name.
Recovery Agent Key IDs     Recovery keys configured for the volume, in the format user_name.key_name.
Total Recovery Agent Keys  Total number of recovery key pairs configured for the volume. The maximum is 2.
Key Fingerprint: c1ff371f6d1b15260d2acdefa2d0c4eb593e99e2
Private Key Keywrap: evfs-pbe1
Reset passphrase required: no
Allow passphrase reset by key manger: no
Stored passphrase: no

Problem scenarios
This section describes the following problem scenarios and solutions for the scenarios:
• “evfspkey cannot generate key pairs” (page 153)
• “evfspkey cannot store keys” (page 153)
• “evfsvol cannot retrieve private key” (page 154)
• “evfsvol create fails, EVFS device file not found in evfstab file” (pag
evfsvol cannot retrieve private key
Symptom
An evfsvol command fails, and evfsvol displays a message similar to the following:
# evfsvol disable /dev/evfs/vg01/lvol5
evfsvol: disable error: cannot retrieve private key "root.root", key loading failure
Description
The evfsvol utility cannot retrieve a user's private key to perform an operation on an EVFS volume.
Solution
If you do not specify a key name using the -k keyname option, evfsvol uses the default key name, which is the user's account name.
Solution
If you are reusing an EVFS volume and do not want to recover the existing data, re-enter the evfsvol create command with the -f option. The evfsvol create command generates a new volume encryption key and new EMD. Any existing data is irrecoverable. If you want to retrieve data from an existing EVFS volume and have problems with the existing EMD, use the procedure described in “Recovering from EMD corruption” (page 71).
The output from the evfsvol check command includes the text EMD is dirty and is similar to the following:
evfsvol: check error: cannot check encrypted volume "ev1", EMD is dirty
Description
If the system terminates without executing the system shutdown scripts, EVFS volumes will have a "dirty bit" set in their EMD areas. If you try to enable an EVFS volume with the dirty bit set, EVFS displays the message EMD is dirty.
Solution
This error occurs when the mapping is not initialized correctly. Make sure that there is no problem with the volumes, and then use the evfsadm map -a command to restore the mapping.
• If the system failed, the system dump files and a description of the system activities at the time of the failure.
• Output from the following commands:
lsdev | grep evfs
ls -l /dev/evfs/*
ls -l /usr/lib/evfs/*
cat /etc/evfs/evfstab
cat /etc/evfs/evfs.
B Product specifications
This appendix contains product specification information, including file names.
User files
EVFS uses the following directories and files for configuration and other runtime data:
• /etc/evfs/emd: Default directory for storing backup EMD data.
• /etc/evfs/evfs.conf: Configuration file for global EVFS parameters, such as the recovery user name, the encryption algorithm for volume data encryption, and the directories for the user key database.
• /etc/evfs/evfs_cryptx.
• /sbin/rc0.d/K898evfs_local2: Link to /sbin/init.d/evfs_local2 for shutdown.
• /sbin/rc0.d/K901evfs_local: Link to /sbin/init.d/evfs_local for shutdown.
• /sbin/rc0.d/K501evfs_remote: Link to /sbin/init.d/evfs_remote for shutdown.
• /sbin/rc0.d/S099evfs_local: Link to /sbin/init.d/evfs_local for startup.
• /sbin/rc0.d/S102evfs_local2: Link to /sbin/init.d/evfs_local2 for startup.
• /sbin/rc0.d/S499evfs_remote: Link to /sbin/init.d/evfs_remote for startup.
C EVFS quick reference
This appendix contains reference information about EVFS.
Preparing EVFS
This section briefly describes the steps in the EVFS preparation procedure. For more information, refer to Chapter 4 (page 28).
1. At installation, EVFS attempts to create the evfs user account and group for the EVFS pseudo-user. If you cannot use evfs as the user and group name for the EVFS pseudo-user, set the evfs_user attribute in the /etc/evfs/evfs.conf file to a different user name.
Option 1: Creating a new EVS volume
1. Configure the EVS volume:
a. Create an LVM or VxVM volume if you are not creating the EVS volume directly above a whole physical volume:
# lvcreate -L lv_size [options] vgfile (LVM)
# vxassist -g group make volume_name size (VxVM)
b. Create the EVFS device files:
CAUTION: Any data on the underlying LVM, VxVM, or physical volume will be overwritten in subsequent steps, so HP recommends that you specify an empty volume.
# evfsadm map volume_path
c.
For more information, see “Step 6: (Optional) Configuring the autostart feature” (page 34).
6. Back up your configuration. Back up all files in the /etc/evfs directory and all subdirectories below it.
Option 2: Converting an existing volume into an EVS volume (inline encryption)
1. Prepare the file system and data.
a. Verify that the file systems or volumes you want to secure with EVFS are suitable for encryption.
b. For data consistency, stop all applications accessing the data.
c.
EFS quick start
HP-UX EVFS includes the following EFS commands, typically used in the following order:
Command | Description
evfsadm | Starts and manages the EVFS subsystem. Maps LVM, VxVM, or physical volumes to the EVFS subsystem. See evfsadm(1M).
evfsauth | Enters a user secure session. A secure session contains the credentials needed to access the encrypted files belonging to that user. The command also allows users to display their current secure session information. See evfsauth(1).
4. Run fsck (if necessary):
# fsck -F vxfs /dev/evfs/vg01/rlvol6
5. Modify /etc/fstab to include the EVFS volume:
# /dev/evfs/vg01/lvol6 /opt/my_data vxfs stackfs=sefs,delaylog 0 2
Unlike volume-level encryption, if you want the system to automatically mount this file system at system startup time, you do not need to modify the /etc/evfs/evfstab file.
6. Mount the encrypted file system:
# mount -F vxfs -o stackfs=sefs /dev/evfs/vg01/lvol6 /opt/my_data
7. Enter a secure session:
# evfsauth login
8.
Table 7 Managing EVS volumes (continued)
Task | Command
Disable an EVS volume with a stored passphrase and key ID in /etc/evfs/evfstab. | evfsvol disable -p evfs_volume_path
Disable all EVS volumes with key IDs in /etc/evfs/evfstab. | evfsvol disable -a
Inline encrypt data on an existing volume. | evfsvol iencrypt [-f] [-k keyname] [-c cipher] evfs_volume_path
Open raw access for an EVS volume. | evfsvol raw [-k keyname] evfs_volume_path
Table 9 Troubleshooting EVFS (continued)
Task | Command
Verify the integrity of the EMD area of a volume. | evfsvol check -a|evfs_volume_path
Verify and display information about user key pairs.
D Using EVFS with HP Serviceguard This chapter describes how to use EVFS with the HP Serviceguard product.
Restrictions
HP does not support EVFS with Serviceguard in the following configurations:
• EVFS volumes are not supported with Serviceguard multi-node or system multi-node packages. The only package type supported with EVFS volumes is FAILOVER.
• EVFS is not supported with the Veritas Cluster File System (CFS).
• EVFS is not supported with SG/SGeRAC shared activation.
The following features on ServiceGuard version A.11.
the configuration tasks on this node, then copy configuration data to the other nodes in the cluster. The primary node is typically the configuration node. This section summarizes the procedures for creating a Serviceguard storage infrastructure. For more information, see the Serviceguard product documentation.
a. Use the vxdg import dg_name command to import the disk group.
b. Use the vxvol -g dg_name startall command to initialize the disk group.
c. To test the import operation, you can configure and mount temporary file systems on the VxVM volumes. When the configuration is complete, you will configure and mount file systems on EVFS volumes, not on the VxVM volumes.
/etc/evfs/evfstab must include the key ID and the noauto flag. EVFS uses the key ID to enable the volumes without manual intervention when the package fails over. The noauto flag stops EVFS from enabling the volumes at system startup.
Use the following syntax for the entries in the /etc/evfs/evfstab file:
v volume_path evfs_volume_path user_name.key_name noauto
where:
v Indicates that the entry is for an EVFS volume.
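A small checker for the evfstab requirements stated above, added here as an example and not part of the HP product: it parses entries using the documented syntax (type, volume_path, evfs_volume_path, user_name.key_name, flags) and reports entries that lack the key ID or the noauto flag, which would respectively block unattended failover or enable a package volume at node boot. The sample file contents, the key-ID character set, and the rule that evfs_volume_path lives under /dev/evfs/ are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample, not a real system file. Entries are on lines 2-5.
SAMPLE_EVFSTAB = """\
# constructed sample evfstab for a failover package
v /dev/vg01/lvol5 /dev/evfs/vg01/lvol5 root.root noauto
v /dev/vg02/lvol1 /dev/evfs/vg02/lvol1 root.root
v /dev/vg02/lvol2 /dev/evfs/vg02/lvol2 noauto
v /dev/vx/dsk/evfsdg/vol5 /dev/evfs/vx/dsk/evfsdg/vol5 sgadmin.pkgkey noauto
"""

# user_name.key_name; assumed character set, neither part may be empty.
KEY_ID_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

@dataclass
class Finding:
    lineno: int
    entry: str
    problems: List[str] = field(default_factory=list)

def check_evfstab(text: str) -> List[Finding]:
    """Return one Finding per entry that is unsuitable for a Serviceguard package."""
    findings: List[Finding] = []
    seen_paths = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        problems: List[str] = []
        if fields[0] != "v":
            problems.append("type field is not 'v' (EVFS volume entry)")
        if len(fields) < 3 or not fields[2].startswith("/dev/evfs/"):
            problems.append("evfs_volume_path missing or not under /dev/evfs/")
        elif fields[2] in seen_paths:
            problems.append("duplicate evfs_volume_path")
        else:
            seen_paths.add(fields[2])
        # The fourth field is the key ID; if it does not look like one, treat it as a flag.
        if len(fields) > 3 and KEY_ID_RE.match(fields[3]):
            flags = fields[4:]
        else:
            flags = fields[3:]
            problems.append("key ID missing; package cannot enable the volume unattended")
        if "noauto" not in flags:
            problems.append("noauto missing; volume would be enabled at system startup")
        if problems:
            findings.append(Finding(lineno, entry, problems))
    return findings
```

Running check_evfstab(SAMPLE_EVFSTAB) flags the entries on lines 3 (no noauto) and 4 (no key ID) and passes the other two.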
# vgchange -a n /dev/vg02
• If you are using EVFS volumes created on VxVM volumes, use the following vxdg command to deport the VxVM disk group on the configuration node:
# vxdg deport vxvm_group
For example:
# vxdg deport evfsdg
Step 4 (EVS only): Configuring EVS volumes on the adoptive nodes
On each adoptive node, configure the EVFS volumes using the following procedure:
a. Configure the EVFS volume EMD backup from the emd_backup directory in the EVFS configuration file /etc/evfs/evfs.conf.
b.
vgchange -a y lvolgroup_device_file
VxVM
If you are using EVFS volumes created on VxVM volumes, use the following VxVM commands to import the disk group and start the volumes on the adoptive node:
vxdg import group_name
vxvol -g group_name startall
Step 4e: Mapping the LVM or VxVM volumes to EVFS
Start the EVFS subsystem using the evfsadm start command if you have not already done so. Use the evfsadm map command to map the LVM or VxVM volumes to EVFS.
If you are using EVFS volumes created on VxVM volumes, use the following vxdg command to deport the VxVM disk group on the configuration node:
vxdg deport vxvm_group
For example:
vxdg deport evfsdg
Step 4i: Configuring the autostart feature
Configure the autostart feature to ensure that the EVFS subsystem is started when the adoptive node starts. Enable EVFS in the /etc/rc.config.d/evfs file.
Step 4c: Mapping the LVM or VxVM volumes to EVFS
Start the EVFS subsystem using the evfsadm start command if you have not already done so. Use the evfsadm map command with the -f option to map the LVM or VxVM volumes to EVFS in EFS mode (EVFS must add the volumes to the kernel registry on the adoptive node). The evfsadm map syntax is as follows:
evfsadm map -f volume_path
where:
-f Specifies EFS mode. EVS mode is used if this option is not specified.
volume_path
g. Modify the package configuration file to enable EVFS volumes and mount file systems on the EVFS volumes.
h. Verify and distribute the package configuration.
Step 5a: Halting an existing package
You cannot reconfigure an active package to use EVFS volumes. To reconfigure an existing, active package to use EVFS volumes, you must halt the package using the cmhaltpkg command. For more information, see the Serviceguard product documentation.
Step 5b: Installing the EVFS attribute definition file
1.
IMPORTANT: Additional changes must be made to the new package configuration file before it can be used. For more information, see the Serviceguard product documentation.
Continue to “Step 5g: Adding the EVFS volumes to the package configuration file” (page 179).
Step 5e: Migrating a legacy package configuration file
Skip this step if you have an existing modular package configuration file.
Step 5g: Adding the EVFS volumes to the package configuration file
Edit the package configuration file to configure the EVFS volumes that you want Serviceguard to enable when the package starts, and the file systems to be mounted on the EVFS volumes.
• If the EVFS volumes are created on VxVM volumes, specify the VxVM disk groups in the vxvm_dg parameter in the package configuration file.
# fs_directory /tst
# fs_mount_opt "-o stackfs=sefs"
# fs_umount_opt "-s"
# fs_fsck_opt "-s"
# fs_type "vxfs"
LVM for EVS without file system
For ServiceGuard A.11.18:
# evfs_raw_vol /dev/evfs/vg01/lvol1
For ServiceGuard A.11.19:
# evfs/evfs/evfs_raw_vol /dev/evfs/vg01/lvol1
VxVM for EVS without file system
For ServiceGuard A.11.18:
# vxvm_dg evfs_dg
:
# evfs_raw_vol /dev/evfs/vx/dsk/evfs_dg/lvxvm_vol1
For ServiceGuard A.11.
# cmmakepkg -p /etc/cmcluster/evfs/my_pkg.conf
For more information, see the Serviceguard product documentation.
IMPORTANT: Additional changes must be made to the new package configuration file before it can be used. For more information, see the Serviceguard product documentation.
Step 6c: Creating a package control script
Skip this step if you already have a package control script.
LVM for EVS
LV[0]="/dev/evfs/vg02/lvol5"; FS[0]="/opt/crypto"; FS_MOUNT_OPT[0]="-o rw"
#FS_TYPE[0]="vxfs"
LVM for EFS
LV[0]="/dev/evfs/vg02/lvol5"; FS[0]="/opt/crypto"; FS_MOUNT_OPT[0]="-o stackfs=sefs"
#FS_TYPE[0]="vxfs"
VxVM for EVS
VXVM_DG[0]="evfsdg"
:
:
LV[0]="/dev/evfs/vx/dsk/evfsdg/vol5"; FS[0]="/opt/crypto"; FS_MOUNT_OPT[0]="-o rw"
#FS_TYPE[0]="vxfs"
VxVM for EFS
VXVM_DG[0]="evfsdg"
:
:
LV[0]="/dev/evfs/vx/dsk/evfsdg/vol5"; FS[0]="/opt/crypto"; FS_MOUNT_OPT[0]="-o stackfs=sefs"
#FS_TYPE[0]="v
Glossary
AES
Advanced Encryption Standard. AES is a symmetric-key block cipher. EVFS supports AES with a 128-bit, 192-bit, or 256-bit key for encrypting volume data. AES is suitable for encrypting large amounts of data.
authorized user
A user who is authorized to enable and disable an EVFS volume in EVS mode, and to perform other administrative operations on an EVS volume.
recovery key
A key pair that a user can use to change the owner of an EVS volume or encrypted file. A user who has the private recovery key file can change the owner of an EVS volume or encrypted file. In addition, the current owner of the EVS volume or encrypted file can change the ownership.
RSA (Rivest-Shamir-Adleman)
A public/private key cryptosystem that is used for privacy (encryption) and authentication (signatures). For encryption, system A can send data encrypted with system B's public key.
Index
A
AES (Advanced Encryption Standard), 183
configuring for a volume, 47
configuring the default algorithm for files, 32
configuring the default algorithm for volumes, 32
supported key lengths, 16
assigning a new owner to a volume, 68
authorized user keys, 40
capabilities, 40
displaying the authorized user key IDs for a volume, 151
autostart
configuring, 34
B
backing up EVFS volumes, 78, 80, 94
nonmirrored volumes, 94
online with LVM mirrors, 80
with VxVM mirrors, 87
backup data
restoring, 97
boot
keygen command, 42
lookup command, 152, 167
evfssgconv, 181
evfsvol
add command, 48
assign command, 68, 166
check command, 152, 167
close command, 66, 82, 88, 166
create command, 47, 154, 165
delete command, 69, 166
destroy command, 72, 165
disable command, 64, 165
display command, 52, 58, 66, 151
enable command, 49, 64, 165
export command, 75
import command, 75
raw command, 65, 81, 88, 166
restore command, 71
evfsvol disable error, 155
evol busy error, 155
exporting EVFS volumes, 73
F
file permissions, 67
configuring the directory for, 30
file permissions, 67
public/private keys, 16
creating, 41
Q
quick reference for EVFS, 161
R
raw access
closing, 66, 166
opening, 65, 166
recovery keys
adding to a volume, 48
capabilities, 40
creating, 43
displaying the recovery key IDs for a volume, 151, 152
displaying the total number for a volume, 152
file permissions, 67
removing a volume from EVFS, 72
reporting problems, 157
reporting volume information, 149
resizing volumes and file systems, 76
restoring data to EVFS