evfs.5 (2010 09)
evfs(5) evfs(5)
(EVFS Software Required)
The mapping between regular volumes and encrypted volumes is described in evfstab (4).
Recovery Keys
Any encrypted volume owner can add recovery keys to an encrypted volume. The purpose of a recovery key is to provide a way to recover the volume key if the owner's key becomes compromised or unavailable. Though recovery keys are ordinary public/private key pairs, they are managed differently. Recovery keys can also be added to encrypted files; see evfs.conf (4) and evfsfile add.
HP recommends that you store recovery private keys offline and restore them only during recovery operations. To manage the recovery keys, EVFS uses the EVFS pseudo-user account, configured in the /etc/evfs/evfs.conf file. The default EVFS pseudo-user account name is evfs. For more information about using recovery keys, see evfspkey (1), evfsadm (1M), and evfsvol (1M).
EXAMPLES
The following examples show how a user can configure EVFS in volume-level encryption mode:
• Start the EVFS subsystem:
% evfsadm start
• Create a key pair for the volume owner:
% evfspkey keygen -c rsa-1024 -k rootkey
• Create a recovery key pair:
% evfspkey keygen -c rsa-2048 -r -k recov
• Map the LVM volume /dev/vg01/lvol5 to EVFS (this command makes any data already existing on /dev/vg01/lvol5 unusable):
% evfsadm map /dev/vg01/lvol5
• Create an EMD header:
% evfsvol create -k rootkey /dev/evfs/vg01/lvol5
• Enable the EVFS volume:
% evfsvol enable /dev/evfs/vg01/lvol5
• Create a file system on the EVFS volume character (raw) device file:
% newfs -F vxfs /dev/evfs/vg01/rlvol5
• Run fsck (if necessary):
% fsck -F vxfs /dev/evfs/vg01/rlvol5
• Modify /etc/fstab to include the EVFS volume:
/dev/evfs/vg01/lvol5 /opt/my_data vxfs delaylog 0 2
If you want the system to mount this file system automatically at system startup, you must create a passphrase file, and both the key file and the passphrase file must exist on the local root disk. You must also modify the /etc/evfs/evfstab file to enable the autostart feature. See evfstab (4).
• Mount the encrypted file system:
% mount -F vxfs /dev/evfs/vg01/lvol5 /opt/my_data
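The volume-level procedure above, collected into one script. This is an added example, not code from the evfs(5) page or from HP. It assumes only the commands and the device naming the examples use: the block device /dev/evfs/<vg>/<lv> for evfsvol, mount and /etc/fstab, and the character (raw) device /dev/evfs/<vg>/r<lv> for newfs and fsck. Two checks the manual steps leave to the operator are added: the LVM path is validated before evfsadm map, because that step destroys existing data and a mistyped name such as lvo15 (digit one for the letter l) is easy to produce, and the script refuses to map a volume that is currently mounted (the test against mount(1M) output is an assumption about its format). Both keys are generated as rsa-2048 rather than the rsa-1024 shown for the owner key above; that choice is the editor's, not the page's. Because the EVFS and VxFS tools exist only on HP-UX, EVFS_DRY_RUN=1 (the default) prints each command instead of running it.

```shell
#!/bin/sh
# Added example, not from the evfs(5) man page: the volume-level setup
# above as one script. EVFS_DRY_RUN=1 (the default) prints each command
# instead of running it; the EVFS and VxFS tools exist only on HP-UX.
set -u
EVFS_DRY_RUN=${EVFS_DRY_RUN:-1}

# Accept only /dev/<vg>/lvol<N>. A mistyped name such as lvo15 (digit one for
# the letter l) fails here instead of reaching evfsadm map.
lvm_path_ok() {
    printf '%s\n' "$1" | grep -Eq '^/dev/[^/]+/lvol[0-9]+$'
}

vg_of() { printf '%s\n' "$1" | cut -d/ -f3; }
lv_of() { printf '%s\n' "$1" | cut -d/ -f4; }

# /dev/vg01/lvol5 -> /dev/evfs/vg01/lvol5: the block device that evfsvol,
# mount and /etc/fstab use.
evfs_block() {
    lvm_path_ok "$1" || return 1
    printf '/dev/evfs/%s/%s\n' "$(vg_of "$1")" "$(lv_of "$1")"
}

# /dev/vg01/lvol5 -> /dev/evfs/vg01/rlvol5: the character (raw) device that
# newfs and fsck use.
evfs_raw() {
    lvm_path_ok "$1" || return 1
    printf '/dev/evfs/%s/r%s\n' "$(vg_of "$1")" "$(lv_of "$1")"
}

# The /etc/fstab entry in the form the example above uses.
fstab_line() {
    printf '%s %s vxfs delaylog 0 2\n' "$(evfs_block "$1")" "$2"
}

run() {
    if [ "$EVFS_DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# volume_level_setup <lvm-path> <mount-point> <owner-key-name> <recovery-key-name>
volume_level_setup() {
    lv=$1 mnt=$2 okey=$3 rkey=$4
    lvm_path_ok "$lv" || { echo "malformed LVM path: $lv" >&2; return 1; }
    # evfsadm map makes existing data on the volume unusable, so refuse if
    # anything is mounted from it (assumes mount(1M) output names the device
    # followed by a space).
    if mount 2>/dev/null | grep -qF -- "$lv "; then
        echo "$lv is mounted; unmount it before mapping" >&2; return 1
    fi
    blk=$(evfs_block "$lv"); raw=$(evfs_raw "$lv")
    run evfsadm start
    run evfspkey keygen -c rsa-2048 -k "$okey"      # owner key
    run evfspkey keygen -c rsa-2048 -r -k "$rkey"   # recovery key; keep its private half offline
    run evfsadm map "$lv"
    run evfsvol create -k "$okey" "$blk"            # write the EMD header
    run evfsvol enable "$blk"
    run newfs -F vxfs "$raw"
    run fsck -F vxfs "$raw"
    printf 'add to /etc/fstab: %s\n' "$(fstab_line "$lv" "$mnt")"
    run mount -F vxfs "$blk" "$mnt"
}

# Usage (dry run): volume_level_setup /dev/vg01/lvol5 /opt/my_data rootkey recov
```

Run it once with the default dry run and compare the printed commands against the steps above before setting EVFS_DRY_RUN=0; the map step cannot be undone.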
The following examples show how a user can configure EVFS in file-level encryption mode:
• Start the EVFS subsystem:
% evfsadm start
• Map the LVM volume /dev/vg01/lvol6 to EVFS (unlike volume-level encryption mode, existing data on /dev/vg01/lvol6 is not touched):
% evfsadm map -f /dev/vg01/lvol6
• If there is no file system yet, create one on the EVFS volume character (raw) device file:
% newfs -F vxfs /dev/evfs/vg01/rlvol6
• Run fsck (if necessary):
HP-UX 11i Version 3: September 2010 − 3 − Hewlett-Packard Company