Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

Valid values:
aes-128-cbc (128-bit AES CBC)
aes-192-cbc (192-bit AES CBC)
aes-256-cbc (256-bit AES CBC)
aes-128-cfb (128-bit AES CFB)
aes-192-cfb (192-bit AES CFB)
aes-256-cfb (256-bit AES CFB)
A longer key length provides more security, but it slows data transfer
rates.
Default: The value of the data_cipher attribute in the /etc/evfs/evfs.conf
file. The default value for this attribute is aes-128-cbc.
evfs_volume_path Specifies the absolute pathname for the EVS volume device file, such as
/dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/dsk/c2t0d1.
CAUTION: The evfsvol create command overwrites any existing data on the volume.
If you have existing data that you want to protect with EVFS, you must use one of the following
methods:
Use option 1 to create an EVS volume on an unused LVM, VxVM, or physical volume and
then copy the data to the EVS volume.
Use option 2 to convert an existing volume into an EVS volume.
For more information, see “Configuration overview” (page 45).
When the evfsvol utility creates the EMD, it:
Reads operating parameters from the /etc/evfs/evfs.conf file, such as the data
encryption algorithm for the volume, and writes them to the EMD.
Generates the volume encryption key (the symmetric key used to encrypt the volume data).
Creates a key record for the owner by encrypting the volume encryption key using the owner's
public key. The evfsvol utility then writes this key record to the EMD.
Example
The root user enters the following evfsvol create command. EVFS creates the EMD and
overwrites any existing data on the volume. The owner key for the volume will be root.rootkey1.
# evfsvol create -k rootkey1 /dev/evfs/vg01/lvol5
Enter owner passphrase:(Enter the passphrase for rootkey1.)
Encrypted volume "/dev/evfs/vg01/lvol5" has been successfully created.
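The key-record step described above, sketched with the openssl CLI as an added illustration; this is not EVFS code and does not reproduce the EMD format. RSA-OAEP, the temporary files, and the helper function names are assumptions, and the sketch also wraps the same volume key under a second (recovery) key pair to show that each key record is an independent way to recover one volume encryption key.

```shell
#!/bin/sh
# Conceptual sketch only: RSA-OAEP via openssl stands in for the key-wrapping
# scheme EVFS uses internally, which this page does not document.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_keypair NAME: constructed stand-in for an owner or recovery key pair.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.priv" 2>/dev/null
    openssl pkey -in "$WORK/$1.priv" -pubout -out "$WORK/$1.pub"
}

# new_volume_key: random 128-bit symmetric key (size of the aes-128-cbc default).
new_volume_key() { openssl rand -out "$WORK/volume.key" 16; }

# add_key_record NAME: encrypt the volume key under NAME's public key.
add_key_record() {
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/volume.key" -out "$WORK/$1.record"
}

# unwrap_key_record NAME: recover the volume key with NAME's private key (hex).
unwrap_key_record() {
    openssl pkeyutl -decrypt -inkey "$WORK/$1.priv" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/$1.record" |
        od -An -tx1 | tr -d ' \n'
}

# volume_key_hex: the plaintext volume key as hex, for comparison only.
volume_key_hex() { od -An -tx1 "$WORK/volume.key" | tr -d ' \n'; }

make_keypair owner
make_keypair recovery
new_volume_key
add_key_record owner       # analogous to the owner key record written at creation
add_key_record recovery    # analogous to a record added later for a recovery key

if [ "$(unwrap_key_record owner)" = "$(unwrap_key_record recovery)" ]; then
    echo "both key records unwrap to the same volume key"
fi
```

Only the wrapped records would need to be stored alongside the data; losing every private key that has a record means the volume key, and the data, cannot be recovered.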
Step 1d: (Optional) Adding recovery keys and authorized user keys
Optionally, use the evfsvol add command to add recovery and authorized user key pairs to
the EVS volume. HP recommends that you add a recovery key pair to each EVS volume.
i. Use the following command to add a recovery key pair:
evfsvol add -r [-k keyname] evfs_volume_path
where:
-r Specifies that the key pair is a recovery key pair.
-k keyname Specifies the name of the key pair to add. If you do not specify -k
keyname, evfsvol uses the EVFS pseudo-user (evfs) as the key
owner and key name. You can configure up to two recovery keys
per EVS volume. For information about user keys, see “Creating
keys” (page 41).