Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
2 EVFS data and keys
EVFS data flow
EVFS is implemented using a pseudo-driver that operates on the EVFS volumes. An EVFS volume is stacked between the underlying volume (an LVM, VxVM, or physical volume) and an upper layer. The upper layer can be a file system or an application that reads data from and writes data directly to the EVFS volume, such as a database application.
When the upper layer writes data, the EVFS pseudo-driver encrypts the data before writing it to the underlying volume. When the upper layer reads data, the pseudo-driver decrypts the data from the underlying volume and provides the decrypted data to the upper layer. If the upper layer caches data before passing it to the lower layer, such as a file system with buffer caching enabled, all data in the buffer cache is in cleartext (it is not encrypted). Figure 3 shows a simplified EVFS data flow.
Figure 3 EVFS data flow [figure: a file system, or a DB or direct-access application, sits above the EVFS pseudo-driver, which decrypts data read by the upper layer and encrypts data written to the lower layer; below EVFS are the LVM or VxVM volumes and the physical disks; the legend distinguishes non-encrypted data from encrypted data]
IMPORTANT: Once encryption and decryption are enabled on an EVFS volume configured in EVS mode, all read operations performed on the EVS volume return decrypted data.
To access encrypted files created on an EVFS volume configured in EFS mode, EVFS performs key-based verification in addition to the file system access verification.
Encryption metadata (EMD)
When a volume is configured in EVS mode, each EVS volume has a set of encryption attributes, or encryption metadata (EMD), associated with it. The EMD is stored as part of the EVS volume. The data stored in the EMD includes operating parameters for the EVFS volume, such as the data encryption algorithm, and copies of the volume encryption key. The copies of the volume encryption key are encrypted ("wrapped") by user keys, as described in the following section.
When a volume is configured in EFS mode, each encrypted file has its own EMD. Unlike an EVS volume, an EFS volume has no volume-level EMD.
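The following Go program is an added illustration of the two mechanisms described in this section, the pseudo-driver data path (encrypt on write, decrypt on read) and the volume EMD holding wrapped copies of the volume encryption key. It is not EVFS code and does not reproduce the real on-disk EMD format. Its assumptions are: user keys are RSA key pairs and the volume key copies are wrapped with RSA-OAEP; the data path uses AES-256-GCM; the EMD layout, the function names, and the users "alice", "bob" and "carol" are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EMD is a simplified model of the per-volume encryption metadata: operating parameters plus one wrapped volume key copy per authorised user.
type EMD struct {
	Algorithm   string            // data encryption algorithm recorded in the EMD
	WrappedKeys map[string][]byte // user -> volume key wrapped with that user's public key
}

// NewVolumeKey generates a random 256-bit volume encryption key.
func NewVolumeKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// AddUserKey wraps the volume key with a user's RSA public key (RSA-OAEP/SHA-256) and stores only that wrapped copy in the EMD.
func (e *EMD) AddUserKey(user string, pub *rsa.PublicKey, volumeKey []byte) error {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, volumeKey, nil)
	if err != nil {
		return err
	}
	e.WrappedKeys[user] = wrapped
	return nil
}

// UnwrapVolumeKey recovers the volume key with a user's private key; a user with no copy in the EMD is refused.
func (e *EMD) UnwrapVolumeKey(user string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := e.WrappedKeys[user]
	if !ok {
		return nil, errors.New("no wrapped volume key copy for user " + user)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// newGCM builds the AES-256-GCM AEAD used on the data path (mode chosen for this example).
func newGCM(volumeKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(volumeKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBlock models the write path: cleartext from the upper layer is encrypted before it reaches the underlying volume; output is nonce || ciphertext.
func EncryptBlock(volumeKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(volumeKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBlock models the read path: data from the underlying volume is decrypted and authenticated before the upper layer sees it; tampered data is rejected.
func DecryptBlock(volumeKey, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(volumeKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

func main() {
	volumeKey, _ := NewVolumeKey()
	emd := &EMD{Algorithm: "AES-256-GCM", WrappedKeys: map[string][]byte{}}
	// Two authorised users with their own RSA key pairs (constructed for this example).
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	_ = emd.AddUserKey("alice", &alice.PublicKey, volumeKey)
	_ = emd.AddUserKey("bob", &bob.PublicKey, volumeKey)
	// The upper layer writes a block; only ciphertext lands on the underlying volume.
	stored, _ := EncryptBlock(volumeKey, []byte("constructed sample block"))
	// Bob unwraps his copy of the volume key and reads the block back in cleartext.
	k, _ := emd.UnwrapVolumeKey("bob", bob)
	plain, _ := DecryptBlock(k, stored)
	fmt.Printf("algorithm=%s key copies=%d read back=%q\n", emd.Algorithm, len(emd.WrappedKeys), plain)
	// A user with no wrapped copy in the EMD is refused, whatever key pair they hold.
	_, err := emd.UnwrapVolumeKey("carol", alice)
	fmt.Println("carol:", err)
}
```

Two points the model makes visible. The EMD never contains the cleartext volume key, only copies wrapped under each authorised user's key, so removing a user's copy from the EMD (or not adding one, as with "carol") withholds the volume key from that user even though the data on the underlying volume is shared. And the model stops at the pseudo-driver: anything the upper layer keeps in a buffer cache is cleartext exactly as the text above states, and no cipher choice in the driver changes that. The page does not name the data encryption mode; AES-GCM is used here because it rejects tampered data, whereas a sector-level volume driver normally needs a length-preserving mode since a disk sector leaves no room for a nonce and authentication tag.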