Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

decrypted data as output, and users can access individual files in cleartext. You must use
normal HP-UX file system permissions and access control to restrict access to the data.
You cannot encrypt the following objects:
- Files or disk areas used during system boot. This includes the following objects:
  - the root file system (/)
  - the HP-UX kernel directory (/stand)
  - the /usr directory
  EVFS cannot decrypt the kernel or other data before the system boots.
  CAUTION: Encrypting the boot disk can cause the boot disk to become unusable and
  prevent you from booting the system.
- Dump devices.
- Swap space (swap devices or file swap space).
  CAUTION: Encrypting swap space can cause the system to panic.
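As an added example that is not from the HP guide, a POSIX sh preflight check that refuses the objects listed above (volumes mounted at /, /stand or /usr, swap space and dump devices) by inspecting an fstab-format file before any EVFS configuration is attempted. The sample fstab entries are constructed for the example; the field layout (device, mount point, type, options, backup frequency, pass number, with "..." as the mount point of swap and dump entries) is assumed from the HP-UX fstab convention.

```shell
# Constructed sample fstab in HP-UX layout (not a real system's fstab).
SAMPLE_FSTAB=$(mktemp)
cat >"$SAMPLE_FSTAB" <<'EOF'
# device            mountpoint  type   options   freq pass
/dev/vg00/lvol3     /           vxfs   delaylog  0    1
/dev/vg00/lvol1     /stand      vxfs   tranflush 0    1
/dev/vg00/lvol2     ...         swap   pri=0     0    0
/dev/vg00/lvol4     ...         dump   defaults  0    0
/dev/vg00/lvol7     /usr        vxfs   delaylog  0    2
/dev/vg01/lvol1     /data       vxfs   delaylog  0    2
EOF

# evfs_candidate_ok DEVICE FSTAB_FILE
# Returns 1 (and prints the reason on stderr) when DEVICE is one of the
# objects EVFS must never encrypt; returns 0 when it is not listed as such.
# A device absent from the fstab is treated as acceptable by this check.
evfs_candidate_ok() {
    dev=$1
    fstab=$2
    reason=$(awk -v dev="$dev" '
        # Skip comment lines and lines too short to carry a type field.
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 == dev {
            if ($3 == "swap" || $3 == "swapfs") { print "swap space"; exit }
            if ($3 == "dump")                   { print "dump device"; exit }
            if ($2 == "/" || $2 == "/stand" || $2 == "/usr") {
                print "boot-critical file system mounted at " $2; exit
            }
        }' "$fstab")
    if [ -n "$reason" ]; then
        echo "refuse $dev: $reason" >&2
        return 1
    fi
    echo "ok $dev: not a boot, swap or dump object in $fstab"
    return 0
}
```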
EVFS does not automatically convert existing volume data to encrypted data. To encrypt
existing volume data, use the inline encryption feature in this release of EVFS.
CAUTION: If you improperly configure EVFS on a volume that already contains data, the
existing data will be unusable.
IMPORTANT: To use inline encryption, 3 MB of spare disk space is required at the end of
the volume, and the volume must be at least 4 MB in size. If the entire volume is in use, extend
the volume using lvextend for LVM, or vxassist for VxVM.
To mount a file system on an EVFS volume configured in EVS mode, the EVFS volume must be
enabled and the data transfer to and from the file system must be in cleartext (unencrypted)
format. Therefore, any executable that uses file system utilities to read or write data can operate
only on cleartext data.
Network file sharing utilities, such as NFS, CIFS, FTP, or rcp, transmit files in cleartext,
even if the original files reside on an EVFS volume.
For EVFS volumes configured in EVS mode, to use a backup utility that performs incremental
backups or that backs up individual files, you must enable the EVFS volume. The backup utility
will read the data in cleartext, even if the original files reside on an EVFS volume. If the target
backup device is another EVFS volume, the target EVFS volume will re-encrypt the data.
If the target backup device is a tape device or other non-EVFS device:
- You must back up the volume as a volume device (as a single unit), not as a file system
  or group of files, to create encrypted backup media. You can create encrypted backup
  media using block device utilities, such as dd.
- You cannot create encrypted backup media using file-based utilities with EVFS volumes
  configured for EVS.
EVFS is not supported by SAM or SMH.
The evfsadm trace command is intended for use by support personnel only. HP does not
support this feature on customer environments.
During inline encryption, the volume is not accessible until the entire operation is completed.
Product limitations and precautions 19