Administrator's Guide

EVFS Data Flow
EVFS is implemented using a pseudo-driver that operates on the EVFS volumes. An EVFS volume
is stacked between the underlying volume (an LVM, VxVM, or physical volume) and an upper
layer. The upper layer can be a file system or an application that reads data from and writes data
directly to the EVFS volume, such as a database application.
When the upper layer writes data, the EVFS pseudo-driver encrypts the data before writing
it to the underlying volume. When the upper layer reads data, the pseudo-driver decrypts the
data from the underlying volume and provides the decrypted data to the upper layer. If the
upper layer caches data destined for the lower layer, such as a file system with buffer caching
enabled, all data in that buffer cache is in cleartext (it is not encrypted). Figure 1-1 shows a
simplified EVFS data flow.
Figure 1-1 EVFS Data Flow
[Figure: layers stacked top to bottom. Upper layer: File System, or DB or Direct-Access
Application (non-encrypted data). Middle layer: EVFS (decrypts data read by the upper layer;
encrypts data written to the lower layer). Lower layer: LVM or VxVM, then Physical Disks
(encrypted data).]
IMPORTANT: After encryption and decryption for an EVFS volume is enabled, all read operations
performed on the EVFS volume output decrypted data. You must use normal HP-UX file system
permissions and access control to restrict access to the data.
Encryption Metadata (EMD)
Each EVFS volume has a set of encryption attributes, or encryption metadata (EMD) associated
with it. The EMD is stored as part of the EVFS volume. The data stored in the EMD includes
operating parameters for the EVFS volume, such as the data encryption algorithm, and copies
of the volume encryption key. The copies of the volume encryption key are encrypted ("wrapped")
by user keys, as described in the following section.
EVFS Encryption Keys
EVFS uses two types of encryption keys:
Symmetric keys to encrypt data, referred to as volume encryption keys
Public/private key pairs to protect volume encryption keys, also referred to as user keys
EVFS also uses passphrases to protect private keys.
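The following Python program is an added illustration, not HP's EVFS code, of the two ideas on this page: a pseudo-driver stacked between a buffer-caching upper layer and an underlying volume (so ciphertext lands on the volume while the buffer cache holds cleartext), and an EMD record that stores the algorithm name together with per-user wrapped copies of the volume encryption key. Two simplifications are assumptions of this example: the per-sector keystream built from HMAC-SHA256 stands in for the data encryption algorithm named in a real EMD, and, because the standard library has no RSA, the user public/private key pair plus passphrase is collapsed into one passphrase-derived (PBKDF2) wrapping key. All class names, the sector size and the sample record are constructed for the demonstration.

```python
"""Added illustration of the EVFS data flow and EMD key wrapping (not HP's code)."""
import hashlib
import hmac
import os

SECTOR = 512  # constructed sector size for the toy underlying volume


def keystream(volume_key: bytes, sector: int, length: int) -> bytes:
    """Per-sector keystream HMAC-SHA256(volume_key, sector || counter).
    Assumption: stands in for the EMD-configured data encryption algorithm."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(volume_key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class UnderlyingVolume:
    """The LVM/VxVM/physical volume: stores exactly the bytes it is handed."""
    def __init__(self, sectors: int):
        self.blocks = [bytes(SECTOR)] * sectors

    def write(self, sector: int, data: bytes) -> None:
        self.blocks[sector] = data

    def read(self, sector: int) -> bytes:
        return self.blocks[sector]


class EvfsPseudoDriver:
    """Stacked between the upper layer and the underlying volume:
    encrypts on the way down, decrypts on the way up."""
    def __init__(self, lower: UnderlyingVolume, volume_key: bytes):
        self.lower, self.key = lower, volume_key

    def write(self, sector: int, data: bytes) -> None:
        assert len(data) == SECTOR
        self.lower.write(sector, xor(data, keystream(self.key, sector, SECTOR)))

    def read(self, sector: int) -> bytes:
        return xor(self.lower.read(sector), keystream(self.key, sector, SECTOR))


class BufferedFileSystem:
    """Upper layer with buffer caching: the cache only ever sees cleartext."""
    def __init__(self, evfs: EvfsPseudoDriver):
        self.evfs, self.cache = evfs, {}

    def write(self, sector: int, data: bytes) -> None:
        self.cache[sector] = data          # cleartext copy stays in the cache
        self.evfs.write(sector, data)      # write-through to the EVFS layer

    def read(self, sector: int) -> bytes:
        if sector not in self.cache:
            self.cache[sector] = self.evfs.read(sector)
        return self.cache[sector]


def wrap_key(volume_key: bytes, passphrase: str, salt: bytes) -> bytes:
    """Wrap one copy of the volume key. Assumption: PBKDF2 replaces the user
    key pair; EVFS itself wraps with the public key and protects the private
    key with the passphrase. Output is wrapped key || HMAC tag."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    wrapped = xor(volume_key, kek)
    return wrapped + hmac.new(kek, wrapped, hashlib.sha256).digest()


def unwrap_key(blob: bytes, passphrase: str, salt: bytes) -> bytes:
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    wrapped, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or corrupted EMD")
    return xor(wrapped, kek)


def build_volume(user_passphrases: dict) -> tuple:
    """Create a volume key and an EMD holding one wrapped copy per user."""
    volume_key = os.urandom(32)
    emd = {"algorithm": "hmac-sha256-keystream (stand-in)", "wrapped_keys": {}}
    for user, passphrase in user_passphrases.items():
        salt = os.urandom(16)
        emd["wrapped_keys"][user] = (salt, wrap_key(volume_key, passphrase, salt))
    return volume_key, emd


def demo() -> dict:
    volume_key, emd = build_volume({"root": "correct horse", "dba": "battery staple"})
    lower = UnderlyingVolume(8)
    fs = BufferedFileSystem(EvfsPseudoDriver(lower, volume_key))
    record = b"ACCOUNT=4242 BALANCE=100".ljust(SECTOR, b"\0")  # constructed data
    fs.write(3, record)
    salt, blob = emd["wrapped_keys"]["dba"]          # dba unlocks its own copy
    fresh = EvfsPseudoDriver(lower, unwrap_key(blob, "battery staple", salt))
    try:
        unwrap_key(blob, "not the passphrase", salt)
        wrong_fails = False
    except ValueError:
        wrong_fails = True
    return {
        "on_disk_is_ciphertext": lower.read(3) != record,
        "cache_is_cleartext": fs.cache[3] == record,
        "read_back_matches": fresh.read(3) == record,
        "wrong_passphrase_fails": wrong_fails,
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` result makes the page's IMPORTANT note concrete: once a driver holding the unwrapped volume key is stacked, every read returns cleartext, and the file system's own buffer cache holds cleartext too, so access to the data has to be controlled by ordinary file system permissions rather than by the encryption.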
20 EVFS Introduction