evfs.5 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

evfs(5) evfs(5)

(EVFS Software Required)

NAME

EVFS - Encrypted Volume and File System (EVFS)

DESCRIPTION

EVFS (Encrypted Volume and File System) is an application-transparent technology providing protection

of data at rest.

With EVFS, critical ﬁles and data at rest (on disk) are stored in encrypted form on disk. EVFS safe-

guards against compromised use of and unauthorized access to data due to physical theft of storage dev-

ices. The data encryption is based on a secret-key cryptosystem and runs as an integrated kernel service

transparent to the user.

With HP-UX EVFS, disks and volumes can be conﬁgured to be used in one of two modes - volume-level

encryption (EVS) or ﬁle-level encryption (EFS).

Volume-Level Encryption Mode

For this mode, HP-UX EVFS includes the following EVFS commands, typically used in the order shown

below:

evfsadm Starts and manages the EVFS subsystem. Maps LVM, VxVM, or physical volumes to the

EVFS subsystem. See evfsadm (1M).

evfspkey Creates and manages EVFS public/private key pairs. Also protects the privates keys using

passphrases, and manages the passphrases. See evfspkey (1).

evfsvol Creates and manages EVFS encrypted volumes. See evfsvol (1M).

The main steps in creating EVFS keys and encrypted volumes are:

1. Start the EVFS subsystem using the

evfsadm start command. See evfsadm (1M).

2. Create EVFS public/private key pairs using the

evfspkey keygen command. See evfspkey (1)

and evfs_pkey (4).

At a minimum, you must create one key pair for the EVFS volume owner. You can use the same key

pair for multiple volumes, but using a unique key pair for each volume is more secure.

HP recommends that you also create at least one recovery key pair. You can use a recovery key pair

to change the owner of a volume if the owner key pair is lost or compromised.

To use the autostart feature, you must create a passphrase ﬁle using the

evfspkey passgen

command. (See lvcreate (1M).) Passphrase ﬁles are a security risk. If you are going to use a

passphrase ﬁle, you can reduce the security risk by creating and conﬁguring an authorized user key

pair and creating the passphrase ﬁle for the authorized user key pair instead of the owner key pair.

Depending on the type of backup performed, a user creating backup data may require an authorized

user key pair for the volume. Creating and conﬁguring an authorized user key pair will enable a

non-owner to create encrypted backup media on a tape device.

3. If you are using LVM or VxVM (you are not directly accessing the physical disk as a physical

volume), use the appropriate LVM or VxVM commands (such as

lvcreate or vxassist) to create

a new LVM or VxVM volume to use for the EVFS volume. Include 1 MB of the EVFS Encryption

Metadata (EMD). See lvcreate (1M) or vxassist (1M).

Caution:

• You cannot create an LVM or VxVM volume above an EVFS volume.

• You can create an EVFS volume on an existing LVM, VxVM, or physical volume, but any existing

data on the volume will be unusable. If you have existing data that you want to protect with

EVFS, you must create an EVFS volume on a different LVM, VxVM, or physical volume and then

copy the existing data to the EVFS volume.

4. Associate the underlying LVM, VxVM, or physical volume to an EVFS volume using the

evfsadm

map command. This command also creates block and character ("raw") device special ﬁles for the

EVFS volume and adds them to the kernel registry. If the encrypted volume must be automatically

enabled at boot time using the autostart feature, then you must modify the /etc/evfs/evfstab

ﬁle. See evfstab (4).

5. Create an EVFS Encryption Metadata (EMD) header in the EVFS volume using the

evfsvol

create command. See evfsvol (1M).

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (4 pages)

PAGE 1
evfs(5) evfs(5) (EVFS Software Required) NAME EVFS - Encrypted Volume and File System (EVFS) DESCRIPTION EVFS (Encrypted Volume and File System) is an application-transparent technology providing protection of data at rest. With EVFS, critical files and data at rest (on disk) are stored in encrypted form on disk. EVFS safeguards against compromised use of and unauthorized access to data due to physical theft of storage devices.
PAGE 2
evfs(5) evfs(5) (EVFS Software Required) A 6. Add recovery keys and authorized user keys to the EVFS volume using the evfspkey add command. 7. Enable the encrypted volume to start encrypting and decrypting data to and from the volume using the evfsvol enable command. See evfsvol (1M). 8. If you want to create a file system on the EVFS volume, create one on the character (raw) EVFS volume device file using the newfs command. See newfs (1M). 9.
PAGE 3
evfs(5) evfs(5) (EVFS Software Required) The mapping between regular volumes and encrypted volumes are described in evfstab (4). Recovery Keys Any encrypted volume owner can add recovery keys to an encrypted volume. The purpose of the recovery key is to have a way to recover the volume key if the owner’s key becomes compromised or unavailable. Though recovery keys are just like any other public/private key pairs, they are managed differently. Recovery keys can also be added to encrypted file. See evfs.
PAGE 4
evfs(5) evfs(5) (EVFS Software Required) % fsck -F vxfs /dev/evfs/vg01/rlvol6 • Modify /etc/fstab to include the EVFS volume: /dev/evfs/vg01/lvol6 /opt/my_data vxfs,stackfs=sefs delaylog 0 2 Unlike volume-level encryption, if you want the system to automatically mount this file system at system startup time, no further action is required. /etc/evfs/evfstab file to enable the autostart feature. See evfstab (4).