Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

---- EVFS Volume Name ----|--- State ---|-------------- Counters -------------|
                                         bpr      bpw      bpd      bpe
/dev/evfs/vg01/lvol5       enabled       2074     52441    362      52345
---- EVFS Volume Name ----|--- State ---|---------------- Rates --------------|
                                         kbpsr    kbpsw    dkbps    ekbps
/dev/evfs/vg01/lvol5       enabled       25       3        362      34
For descriptions of the output fields, see “Displaying I/O and encryption statistics (evfsadm stat)”
(page 149).
evfsvol display evfs_volume_path
The evfsvol display evfs_volume_path command displays information about the EVS
volume, including the name of the underlying LVM, VxVM, or physical volume device file, and the
names of the keys configured for the EVS volume. The output of the evfsvol display
evfs_volume_path command is similar to the following:
# evfsvol display /dev/evfs/vg01/lvol5
EVFS Volume Name: /dev/evfs/vg01/lvol5
Mapped Volume Name: /dev/vg01/lvol5
EVFS Volume State: enabled
EMD Size (Kbytes): 520
Max User Envelopes: 1024
Data Encryption Cipher: aes-128-cbc
Digest: sha2
Owner Key ID: root.rootkey1
Recovery Agent Key IDs: evfs.evfs
Total Recovery Agent Keys: 1
User Key IDs: init.initkey
Total User Keys: 1
For more information, see “Displaying EVFS volume keys and operating parameters (evfsvol
display)” (page 151).
Verifying data encryption
You can use the following procedure to verify that EVFS is encrypting data before it is written to
the underlying LVM, VxVM, or physical volume:
1. Write text (a character string) to a file on an enabled EVS volume.
2. Use the strings utility to search the EVS volume device file. The text is stored in the underlying
LVM, VxVM or physical volume as encrypted data, but here the strings utility is reading through
the EVS volume device file. The EVFS subsystem provides decrypted data to the strings utility, so
strings finds and displays the text string you wrote.
3. Verify that applications that bypass EVFS receive encrypted data. To do this, you must disable
EVFS on the volume. Use the following procedure to disable EVFS on the volume:
a. For data consistency, stop all applications accessing the EVS volume. You can use the
fuser -cu command to determine the processes accessing files and the fuser -cku
command to terminate the processes. For more information, see fuser(1M).
If the data is used by system processes, you might need to terminate the processes by
changing the system runlevel to single-user level with the shutdown utility. For more
information, see shutdown(1M).
b. Use the umount command to unmount the file system. For more information, see umount(1M).
c. Use the following command to disable encryption and decryption access to the volume:
evfsvol disable [-k keyname] evfs_volume_path
For more information, see “Disabling encryption and decryption access to EVS volumes”
(page 64).
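The strings checks in this procedure can be scripted. The following is an added example, not part of the guide or of EVFS. The function names are hypothetical, and it assumes the bypass read is made against the mapped volume device file reported by evfsvol display.

```shell
#!/bin/sh
# Added example, not from the guide. Automates the strings(1) checks in the
# procedure above. MARKER is a test string you wrote to a file on the volume;
# make it at least 4 characters (the strings default minimum run length) and
# run sync after writing so it has reached the device (assumption).
LC_ALL=C; export LC_ALL

# printable_runs FILE: print the printable runs in FILE. Uses strings(1);
# the tr(1) fallback is an assumption for hosts that lack strings.
printable_runs() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1"
    fi
}

# marker_visible FILE MARKER: return 0 if MARKER is readable as plaintext.
marker_visible() {
    printable_runs "$1" | grep -F -- "$2" >/dev/null
}

# evfs_check MODE DEVICE MARKER (hypothetical helper name)
#   through: DEVICE is the enabled EVS volume (step 2); marker must be found.
#   bypass : DEVICE is the mapped volume (assumption: the Mapped Volume Name
#            from evfsvol display), read after step 3c; marker must not be
#            found, because the blocks are stored encrypted.
# Returns 0 on the expected result, 1 on the unexpected one, 2 on bad usage.
evfs_check() {
    case "$1" in
    through)
        if marker_visible "$2" "$3"; then
            echo "PASS: marker readable through $2"; return 0
        fi
        echo "FAIL: marker not readable through $2"; return 1 ;;
    bypass)
        if marker_visible "$2" "$3"; then
            echo "FAIL: plaintext marker found on $2"; return 1
        fi
        echo "PASS: no plaintext marker on $2"; return 0 ;;
    *)
        echo "usage: evfs_check through|bypass device marker" >&2; return 2 ;;
    esac
}
```

With the sample volume shown earlier, the calls would be evfs_check through /dev/evfs/vg01/lvol5 "$MARKER" while the volume is enabled, and evfs_check bypass /dev/vg01/lvol5 "$MARKER" after the volume is disabled. A bypass PASS shows only that the marker is absent as plaintext; it says nothing about cipher configuration, which evfsvol display reports.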