Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
names of the keys configured for the EVS volume. The output of the evfsvol display
evfs_volume_path command is similar to the following:
# evfsvol display /dev/evfs/vg01/lvol5
EVFS Volume Name: /dev/evfs/vg01/lvol5
Mapped Volume Name: /dev/vg01/lvol5
EVFS Volume State: enabled
EMD Size (Kbytes): 520
Max User Envelopes: 1024
Data Encryption Cipher: aes-128-cbc
Digest: sha2
Owner Key ID: root.rootkey1
Recovery Agent Key IDs: evfs.evfs
Total Recovery Agent Keys: 1
User Key IDs: init.initkey
Total User Keys: 1
For more information, see “Displaying EVFS volume keys and operating parameters (evfsvol
display)” (page 151).
Verifying data encryption
You can use the following procedure to verify that EVFS is encrypting data before it is written to
the underlying LVM, VxVM, or physical volume:
1. Write text (a character string) to a file on an enabled EVS volume.
2. Use the strings utility to search the EVS volume device file. The text is stored in the underlying
LVM, VxVM or physical volume as encrypted data, but the strings utility is reading from
the EVS volume. The EVFS subsystem will provide decrypted data to the strings utility, and
strings will find and display the text string you wrote.
3. Verify that applications that bypass EVFS receive encrypted data. To do this, you must disable
EVFS on the volume. Use the following procedure to disable EVFS on the volume:
a. For data consistency, stop all applications accessing the EVS volume. You can use the
fuser -cu command to determine the processes accessing files and the fuser -cku
command to terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by
changing the system runlevel to single-user level with the shutdown utility. For more
information, see shutdown(1M).
b. Use the umount command to unmount the file system. For more information, see umount(1M).
c. Use the following command to disable encryption and decryption access to the volume:
evfsvol disable [-k keyname] evfs_volume_path
For more information, see “Disabling encryption and decryption access to EVS volumes”
(page 64).
4. Use the following command to open the EVS volume for raw access:
evfsvol raw evfs_volume_path
For more information, see “Opening raw access to EVS volumes” (page 65) and the evfsvol(1M)
manpage.
CAUTION: After you open the volume for raw access, any entity reading data from the EVS
volume receives encrypted data. Any entity writing data to the EVS volume writes directly to
the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol
raw command only when creating encrypted backup media or restoring encrypted backup
media.
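The procedure above as a POSIX shell script (an added example, not part of the HP guide): it writes a unique marker, checks that strings finds it through EVFS, then disables the volume, opens it for raw access, and checks that the marker is no longer readable. The function names, the marker file name, and the final raw-mode read (implied by the goal stated in step 3) are assumptions of this example; stop applications using the file system before running it.

```shell
#!/bin/sh
# Added example: automates the "Verifying data encryption" procedure.
# Hypothetical names: marker_visible, verdict, verify_evfs, evfs_verify.txt.

# Return 0 if marker $2 occurs as printable text in device or file $1.
marker_visible() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1"   # fallback when strings is absent
    fi | grep -F -- "$2" >/dev/null
}

# Map the two observations (0 = marker seen, 1 = not seen) to a result line.
verdict() {
    if [ "$1" -ne 0 ]; then
        echo "INCONCLUSIVE: marker not readable through EVFS (not flushed, or wrong volume)"
    elif [ "$2" -eq 0 ]; then
        echo "FAIL: marker readable in raw mode; data on disk is not encrypted"
    else
        echo "PASS: marker readable through EVFS only"
    fi
}

# verify_evfs MOUNT_POINT EVFS_VOLUME_PATH [KEYNAME]
verify_evfs() {
    mnt=$1 dev=$2 key=${3:-}
    marker="EVFS-VERIFY-$$-$(date +%Y%m%d%H%M%S)"
    echo "$marker" > "$mnt/evfs_verify.txt" && sync            # step 1
    via_evfs=0; marker_visible "$dev" "$marker" || via_evfs=1  # step 2
    [ "$via_evfs" -eq 0 ] || { verdict 1 1; return 2; }        # stop before disabling
    fuser -cu "$mnt"                     # step 3a: list users; umount fails if any remain
    umount "$mnt" || return 1            # step 3b
    if [ -n "$key" ]; then               # step 3c
        evfsvol disable -k "$key" "$dev" || return 1
    else
        evfsvol disable "$dev" || return 1
    fi
    evfsvol raw "$dev" || return 1       # step 4
    raw=0; marker_visible "$dev" "$marker" || raw=1
    verdict "$via_evfs" "$raw"
    echo "NOTE: $dev is still open for raw access; writes bypass encryption (see CAUTION)." >&2
}

# Runs only when called with arguments, e.g.: sh verify.sh /data /dev/evfs/vg01/lvol5
if [ "$#" -ge 2 ]; then verify_evfs "$@"; fi
```

The script leaves the volume in raw mode; close raw access and re-enable the volume as described in the guide before remounting the file system.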