evfsvol.1m (2010 09)
evfsvol(1M) evfsvol(1M)
(EVFS Software Required)
NAME
evfsvol - manage EVFS encrypted volumes
SYNOPSIS
evfsvol add [-u user | -r] [-k keyname] evfs_volume_path
evfsvol assign -u newowner [-r recovkeyfile] [-k keyname] evfs_volume_path
evfsvol check [-r] -a | evfs_volume_path
evfsvol close evfs_volume_path
evfsvol create [-f] [-k keyname] [-c cipher] evfs_volume_path
evfsvol delete [-u user | -r] [-k keyname] evfs_volume_path
evfsvol destroy evfs_volume_path
evfsvol disable [-a] | [-p | -k keyname] evfs_volume_path
evfsvol display [-a] | evfs_volume_path
evfsvol enable [-a] | [-p | -k keyname] evfs_volume_path
evfsvol export evfs_volume_path
evfsvol iencrypt [-f] [-k keyname] [-c cipher] evfs_volume_path
evfsvol import volume_path
evfsvol raw evfs_volume_path
evfsvol restore evfs_volume_path
evfsvol scan volume_path
DESCRIPTION
The evfsvol command enables users to create encryption metadata (EMD) and manage EVFS
encrypted volumes. It can only be used on disks or volumes that have been configured for volume-level
encryption mode.
With evfsvol, users can create encryption metadata (EMD) on an EVFS volume device file. (Users
must first create the EVFS volume device file using the evfsadm map command. See evfsadm(1).)
Users can also enable or disable encryption/decryption operations on EVFS volumes, and destroy or
recover EMD.
If a subcommand requires a public key, EVFS retrieves it from the key database. If a subcommand
requires a private key, EVFS also retrieves it from the key database. If a stored passphrase does not
exist for the private key, evfsvol will prompt the user for the passphrase. The command will fail if the
private key decryption fails.
The evfsvol command requires the optional HP-UX Encrypted Volume and File System (EVFS)
software.
Subcommands
evfsvol recognizes the following subcommands:
add Adds a key record (key envelope) to the EMD. The key record includes the volume encryption
key, encrypted with the key owner’s private key. Only the EVFS volume owner can
execute this command. This operation gives the key owner the ability to perform EVFS
encryption/decryption operations on the EVFS volume, such as enabling and disabling the
volume. This operation can also be used to add recovery keys.
You must be the EVFS volume owner to execute this command.
assign Changes the EVFS volume owner. The current owner’s EMD record is replaced by the new
owner’s record.
Only the current EVFS volume owner or the holder of the private key file for the volume’s
recovery key can perform this operation.
check Verifies and recovers the integrity of the EMD. The items checked are the owner and
recovery records, as well as the EMD signature. The EVFS volume must be disabled before
executing this command.
HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1