Administrator's Guide
evfsvol create -k keyname [-c cipher] evfs_volume_path
where:
-k keyname
Specifies the key pair name. The evfsadm utility creates the EMD area
with the keyname as the owner key. For information about user keys,
see “Step 5: Creating User Key Pairs” (page 44).
-c cipher
Specifies the cipher (cryptography) algorithm EVFS uses to encrypt
the volume data.
Valid values:
aes-128-cbc (128-bit AES CBC)
aes-192-cbc (192-bit AES CBC)
aes-256-cbc (256-bit AES CBC)
A longer key length provides more security, but it slows data transfer
rates.
Default: The value of the data_cipher attribute in the
/etc/evfs/evfs.conf file. The default value for this attribute is
aes-128-cbc.
evfs_volume_path
Specifies the absolute pathname for the EVFS volume device file, such
as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05,
or /dev/evfs/rdsk/c2t0d1.
CAUTION: The evfsvol create command overwrites any existing data on the volume.
If you have existing data that you want to protect with EVFS, you must use one of the following
methods:
• Use option 1 to create an EVFS volume on an unused LVM, VxVM, or physical volume and
then copy the data to the EVFS volume.
• Use option 2 to convert an existing volume into an EVFS volume.
For more information, see “Configuration Overview” (page 49).
When the evfsvol utility creates the EMD, it:
• Reads operating parameters from the /etc/evfs/evfs.conf file, such as the data
encryption algorithm for the volume, and writes them to the EMD.
• Generates the volume encryption key (the symmetric key used to encrypt the volume data).
• Creates a key record for the owner by encrypting the volume encryption key using the
owner's public key. The evfsvol utility then writes this key record to the EMD.
Example
The root user enters the following evfsvol create command. EVFS creates the EMD and
overwrites any existing data on the volume. The owner key for the volume will be
root.rootkey1.
# evfsvol create -k rootkey1 /dev/evfs/vg01/lvol5
Enter owner passphrase:(Enter the passphrase for rootkey1.)
Encrypted volume "/dev/evfs/vg01/lvol5" has been successfully created.
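The key-record model described above (one volume encryption key, stored once per key pair encrypted under that pair's public key) can be reproduced with the openssl command line. This is an added conceptual example, not EVFS code and not the EMD on-disk format; RSA-2048 with OAEP padding, the file names, and the wrap_demo function are assumptions made for the illustration. The second key pair stands in for a recovery key pair such as the one Step 1d adds.

```shell
#!/bin/sh
# Conceptual model only: the real EMD layout and EVFS key formats are not shown here.
# All names (owner, recovery, vek.bin, *.rec) are constructed for this example.

# wrap_demo DIR: build key records for an owner and a recovery key pair in DIR,
# then confirm that each private key recovers the same volume encryption key.
wrap_demo() {
    dir=$1
    # Two RSA key pairs standing in for the owner key and a recovery key.
    for who in owner recovery; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/$who.priv" 2>/dev/null || return 1
        openssl pkey -in "$dir/$who.priv" -pubout -out "$dir/$who.pub" || return 1
    done
    # Volume encryption key: 16 random bytes, the key size aes-128-cbc uses.
    openssl rand -out "$dir/vek.bin" 16 || return 1
    # One key record per key pair: the same VEK encrypted under each public key.
    for who in owner recovery; do
        openssl pkeyutl -encrypt -pubin -inkey "$dir/$who.pub" \
            -pkeyopt rsa_padding_mode:oaep \
            -in "$dir/vek.bin" -out "$dir/$who.rec" || return 1
    done
    # Each private key unwraps its own record back to the identical VEK.
    for who in owner recovery; do
        openssl pkeyutl -decrypt -inkey "$dir/$who.priv" \
            -pkeyopt rsa_padding_mode:oaep \
            -in "$dir/$who.rec" -out "$dir/$who.vek" || return 1
        cmp -s "$dir/vek.bin" "$dir/$who.vek" || return 1
    done
    # A private key must not recover the VEK from another pair's record:
    # the recovery key is tried against the owner's record and has to fail.
    if openssl pkeyutl -decrypt -inkey "$dir/recovery.priv" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/owner.rec" -out "$dir/cross.vek" 2>/dev/null &&
        cmp -s "$dir/vek.bin" "$dir/cross.vek"; then
        return 1
    fi
    return 0
}
```

In this model, losing the owner's private key does not lose the data as long as another key record exists, because the volume data depends only on the wrapped symmetric key.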
Step 1d: (Optional) Adding Recovery Keys and Authorized User Keys
Optionally, use the evfsvol add command to add recovery and authorized user key pairs to
the EVFS volume. HP recommends that you add a recovery key pair to each EVFS volume.
i. Use the following command to add a recovery key pair:
evfsvol add -r [-k keyname] evfs_volume_path
where: