HP-UX 11i Encrypted Volume and File System (EVFS) Best Practice (2009)

ManualsBrandsHP ManualsSoftwareHP-UX Encrypted Volume and File System Software

Table of Contents

Overview .......................................................................................................................... 3

Executive Summary ............................................................................................................. 4

Strategy, Policy and Procedure ............................................................................................. 4

Selecting Data for Encryption ............................................................................................... 5

Selecting EFS or EVS mode .................................................................................................. 5

Key Management ............................................................................................................... 6

Differences between EFS and EVS keys .............................................................................. 6

Encryption Keys .............................................................................................................. 6

Secure Passphrase .......................................................................................................... 7

Off-line Key Storage ........................................................................................................ 7

Key sharing and distribution ............................................................................................. 7

Recovery Agent .............................................................................................................. 8

EFS Key Manager ........................................................................................................... 9

Key archival ................................................................................................................... 9

EVFS wrapper commands ................................................................................................ 9

Preparing for EVFS .............................................................................................................. 9

Migrating data to EVFS ................................................................................................... 9

EVS mode ................................................................................................................... 9

EFS mode .................................................................................................................. 10

Backup and Restore ...................................................................................................... 10

EVS mode ................................................................................................................. 10

EFS mode .................................................................................................................. 10

Encryption selection (EFS mode only) ............................................................................... 10

EVFS Auto Boot ............................................................................................................ 10

EVS mode ................................................................................................................. 11

HP-UX 11i Encrypted Volume and File System

(EVFS) Best Practice

A cost-effective encryption strategy to secure your data

Summary of content (15 pages)

PAGE 1
HP-UX 11i Encrypted Volume and File System (EVFS) Best Practice A cost-effective encryption strategy to secure your data Table of Contents Overview .......................................................................................................................... 3 Executive Summary ............................................................................................................. 4 Strategy, Policy and Procedure .............................................................................
PAGE 2
EFS mode .................................................................................................................. 11 CPU usage................................................................................................................... 11 Operational ..................................................................................................................... 12 Avoid Data Corruption ..................................................................................................
PAGE 3
Overview Laws and standards, these days, are more stringent for businesses to ensure the safety of sensitive consumer data. Data confidentiality breaches affect millions of people and result in millions of dollars in direct costs, and even more in indirect costs. The Ponemon report [1] found that data breaches in 2008 cost U.S. companies average cost of $6.65 million per incident, up from $6.3 million in 2007.
PAGE 4
Barrier Performance EVFS solution Encryption algorithm is optimized for the architecture. Performance is scalable with number of CPUs. A white paper on EVFS performance is available (see [4].) The intended audiences for this document are customers who are interested in deploying EVFS or have already deployed EVFS on HP-UX 11i. Executive Summary Technology alone does not solve security problem.
PAGE 5
• Continually monitor or audit all automated and manual actions. • Ensure procedures are in place to ensure the integrity and security of logs. Each organization should develop its own guidelines and procedures to satisfy its own specific security requirements. Selecting Data for Encryption Because of overhead associated with data encryption, only sensitive and private data should to be encrypted. HP-UX 11i EVFS has some restrictions on the types of volumes that can be encrypted.
PAGE 6
For example, to deny administrator access to the encrypted data, users should use EFS mode to protect the information. Another example is if the application must access a raw volume directly instead of a file system, only EVS mode can be used. Key Management HP-UX 11i EVFS has a built-in key management facility to manage key pairs – for user, group and recovery agent. Each EVFS key pair has an associated key identifier (key-id) that consists of 2 parts - user name (or group name) and key name.
PAGE 7
Secure Passphrase The private key of each key pair is always protected by a passphrase. The minimum passphrase length is 8 characters. Since encrypted data is only as secure as the complexity and obscurity of the passphrase, the passphrase must be strong enough to protect the data. If the passphrase is lost or forgotten, these are the methods to retrieve the data: 1) If a recovery agent is configured, the data can be retrieved with the recovery agent.
PAGE 8
In key replication, a centralized system is selected to be the master key keeper. All keys are created on this master server and replicated to all other servers through protocol such as ftp. The key directories on the clients must be read-only to prevent inadvertent modification. Keys should be pushed periodically to the clients, especially after key passphrase is changed. Recovery Agent Recovery agent allows recovery of encrypted data when the access keys have become unavailable.
PAGE 9
EFS Key Manager The use of the EFS key manager key is optional in EVFS. The following functions require the use of key manager: 1. Reset a user's passphrase without having the user's passphrase 2. Manage EFS group access Key manager and administrator can be the same account. But to support the additional function of denying administrator access to the EFS encrypted data, the key manage account must be a regular user account (non-zero uid) and not an administrator account.
PAGE 10
With In-line encryption, there is no need to double the storage requirements – only 3 MB of extra storage is required. The drawback is that the migration process is usually slower because the read/write I/O tasks must share the same data path. If a volume is sparsely populated, there is no need to transform the entire volume. Backing up the file system or equivalent data, instead of the entire volume content, and restoring it to the encrypted volume should reduce the conversion time.
PAGE 11
EVS mode For auto boot, volumes in EVS mode must be assigned a level during startup – boot_local, boot_local2 or boot_remote. See the restriction for EVS volumes in /etc/fstab below. Level boot_local Description Enable the EVFS volume before all the local file systems are mounted and before NFS and other networking subsystems are started. Key Storage Located at the root disk of the local system. If this volume is listed in /etc/fstab, it is automatically mounted during system startup.
PAGE 12
Operational Avoid Data Corruption Do not manipulate the EMD or the encrypted data. Any modifications, intentional or accidental, will render the encrypted data irretrievable. Each EMD header starts with the magic number 90fa 4a62 c4df ff09. Users and administrators must avoid writing to volumes or files that start with this magic number. EVS mode Writing directly to an EVFS raw volume must be avoided.
PAGE 13
Deprecation of Owner keys Owner keys need to be deprecated if the keys are compromised or are irretrievable (e.g. key corruption, forgotten passphrase, etc.). Under this situation, it is possible for multiple keys to have the same key-id, but their fingerprints are different. Administrators and users need to ensure the correct key pair is used when accessing the encrypted content. EVS mode Replacing the owner key of an encrypted volume requires either the recovery key or the owner key.
PAGE 14
Temporary file creation (EFS mode only) Some applications create temporary files which may not be encrypted. One example is the vi text editor. Applications need to be validated to ensure they do not place sensitive and private data in directories that are not configured for encryption. Periodic EVFS tasks Administrators should periodically check the EVFS status to ensure encrypted volumes are enabled and properly mounted. Encryption counters and rates should be monitored for proper operation.
PAGE 15
References 1. Data Breaches Cost U.S. Companies $6.65 Million By Jennifer LeClaire, Ponemon, February 2, 2009 2. HP-UX 11i EVFS 2.0 Administration Guide, HP Part Number: 5992-4727 August 2009 3. HP-UX 11i EVFS 2.0 Release Notes, HP Part Number: 5992-5031 August 2009 4. HP-UX Encrypted Volume and File System Performance and Tuning White Paper 5. Backing Up and Restoring Data on HP-UX EVFS Volumes Using HP OpenView Storage Data Protector 6.0 White Paper 6.