Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
Creating encrypted backup media on a Non-EVFS device (LVM mirrored volumes)
If you have LVM mirrored volumes, use the following procedure to perform online encrypted backups
to a non-EVFS target device, such as a tape drive. You must use a block device backup utility, such
as dd.
You must have the appropriate file permissions to access the EVS volume device file to use this
procedure.
1. Configure the mirror, if you have not already done so. Create the mirror copy using the
lvcreate -m or lvextend -m command. Configure EVFS on the LVM volume using the
evfsadm map and evfsvol create commands. Enable the EVS volume using the evfsvol
enable command and migrate data to the EVS volume, if necessary.
2. Create a backup copy of the user key database (user key pairs and any passphrase files) if
a copy does not already exist. Determine the directories used for the key database by checking
the pkey attribute statement in the /etc/evfs/evfs.conf file and back up the database.
By default, EVFS stores the user key database in subdirectories below the
/etc/evfs/pkey/users directory.
If you will be restoring the data to another system, you must know and make note of the
passphrase for the volume owner's private key. Stored passphrase files are encrypted with
system-specific information, so a stored passphrase created on one system is unusable on any
other system.
3. Split the mirrored LVM volume into two logical volumes using the lvsplit command.
In the following example, the mirror LVM volume device file is /dev/vg01/lvol5,
and the -s backup option creates a backup mirror volume name using the suffix backup
(/dev/vg01/lvol5backup):
# lvsplit -s backup /dev/vg01/lvol5
Logical volume "/dev/vg01/lvol5backup" has been successfully created
with character device "/dev/vg01/rlvol5backup".
Logical volume "/dev/vg01/lvol5" has been successfully split.
Volume Group configuration has been saved in /etc/lvmconf/vg01.conf
4. Map the backup volume to EVFS. For example:
# evfsadm map /dev/vg01/lvol5backup
This creates the device files /dev/evfs/vg01/lvol5backup and
/dev/evfs/vg01/rlvol5backup.
5. Do not create an EMD area for the EVS volume. The backup volume inherits a copy of the
EMD from the original volume. However, because the backup volume inherits its EMD, the
dirty bit is set even though the backup volume has not been enabled. You must reset the dirty
bit in the EMD of the backup volume using the evfsvol check -r command. The syntax
is as follows:
evfsvol check -r evfs_volume_path
Where evfs_volume_path is the absolute pathname for the EVS volume device file.
For example:
# evfsvol check -r /dev/evfs/vg01/lvol5backup
Encrypted volume "/dev/evfs/vg01/lvol5backup" has not been properly shut down.
Resetting dirty bit...
Encrypted volume "/dev/evfs/vg01/lvol5backup" has been successfully recovered
6. Open raw access to the backup EVS volume using the evfsvol raw command.
CAUTION: After you open the volume for raw access, any entity reading data from the EVS
volume receives encrypted data. Any entity writing data to the EVS volume writes directly to
the underlying disk; EVFS does not encrypt the text. HP recommends that you use the evfsvol
raw command only when creating encrypted backup media or restoring encrypted backup
media.
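For step 2 above, one way to script the key database backup so the archive is created owner-readable only and is verified before you rely on it. This is an added example, not part of the HP guide or EVFS tooling; it assumes evfs.conf uses "pkey = <directory>" lines with "#" comments, and the function names and archive path are hypothetical.

```shell
#!/bin/sh
# Added example (not HP code): archive the EVFS user key database.
# Assumption: evfs.conf sets the key directory as "pkey = <directory>".

# Print the directory named by the last pkey line in the given evfs.conf.
# Falls back to the default location named in step 2 when none is set.
evfs_pkey_dir() {
    conf=${1:-/etc/evfs/evfs.conf}
    dir=$(sed -n \
        's/^[[:space:]]*pkey[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    echo "${dir:-/etc/evfs/pkey/users}"
}

# Archive the key database to an absolute path with mode 0600.
# Returns non-zero if the directory is missing, the target already
# exists, or the archive cannot be written and read back.
evfs_backup_keys() {
    conf=$1
    out=$2
    case "$out" in
        /*) ;;
        *) echo "archive path must be absolute: $out" >&2; return 1 ;;
    esac
    dir=$(evfs_pkey_dir "$conf")
    if [ ! -d "$dir" ]; then
        echo "key directory not found: $dir" >&2
        return 1
    fi
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing archive: $out" >&2
        return 2
    fi
    # umask 077 keeps private keys in the archive unreadable to other users.
    ( umask 077 && cd "$dir" && tar cf "$out" . ) || return 3
    # Read the archive back so a truncated write is caught now, not at restore.
    tar tf "$out" >/dev/null || return 4
    echo "key database $dir archived to $out" >&2
    # Stored passphrase files are system-specific (see step 2).
    echo "note the volume owner's passphrase if restoring elsewhere" >&2
}

# Usage (hypothetical archive path):
#   evfs_backup_keys /etc/evfs/evfs.conf /var/adm/evfs-keys.tar
```

Store the archive separately from the encrypted backup media; anyone holding both the media and the owner's private key and passphrase can decrypt the volume.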