HP-UX 11i Encrypted Volume and File System (EVFS) Best Practice (2009)

With in-line encryption, there is no need to double the storage requirements; only 3 MB of
extra storage is required. The drawback is that the migration process is usually slower, because
the read and write I/O tasks must share the same data path.
If a volume is sparsely populated, there is no need to transform the entire volume. Backing up
the file system or equivalent data, instead of the entire volume content, and restoring it to the
encrypted volume should reduce the conversion time.
EFS mode
For EFS mode, all files should be copied (not moved) to the encrypted volume. Once the
migrated data have been verified and validated, the old clear-text copies must be securely
removed or scrubbed.
Backup and Restore
Note that incremental backup can only be done in clear-text with EVFS. To back up the data in
encrypted format, EVFS volumes must be taken off-line, so periodic down time needs to be
scheduled to perform EVFS volume backups (see [2] and [5] for further detail).
For security reasons, the keys must be backed up on media separate from the media holding the
data backup.
EVS mode
For encrypted backup, the volume should be enabled for raw access. For clear-text backup,
create a file system on the volume and schedule the incremental backup.
EFS mode
For clear-text backup, the user should be in a secure session and schedule the incremental
backup. For encrypted backup, use evfsxfr to start the backup process, or back up the entire
volume.
Encryption selection (EFS mode only)
EVFS provides three ways to enable encryption for files: at the individual file level, the
directory level, and the file system level. Users should encrypt at the directory or file system
level instead of encrypting individual files. Each application creates and accesses files in
different ways, and encrypting consistently at the directory or file system level ensures that
files are not unexpectedly left unencrypted.
EVFS Auto Boot
Stored passphrases are used for unattended system startup of HP-UX 11i EVFS systems. It is a
convenient feature that carries security risk: anyone who obtains the stored passphrase file can
unlock the volume. One way to mitigate this risk is to use EVFS in conjunction with the
TCS/TPM product (see [6] for further detail). Note that for the system to start unattended, the
stored passphrase files can be obscured (e.g. un-mounted) but cannot be moved off-line.