Dusan Baljevic
Simple procedure to create an Encrypted Volume and File System (EVFS) on HP-UX 11i v3. All steps run as root; the passphrases shown below are placeholders only and must not be reused.
# evfspkey keygen -u root -k dusankey
Enter passphrase: test1234      (passphrases are not echoed by the tool; "test1234" is a weak placeholder - use a strong passphrase and never record the real one in a procedure)
Re-enter passphrase: test1234
Public/Private key pair "root.dusankey" has been successfully generated
# evfspkey lookup -u root -k dusankey
Key ID: root.dusankey
Key Cipher: rsa-1536
Public Key Fingerprint: f8ce8cfca1c30e3d7d727b22382dde009ca2f87c
Private Key Keywrap: evfs-pbe1
Private Key Fingerprint: b13d3a5e2324e4843fb4ff7db9f36efa82784b34
Passphrase Keywrap: n/a
Passphrase Fingerprint: n/a
# rm /etc/evfs/pkey/evfs/evfs.pub   (remove the old recovery key so a new one can be generated - back up the old key pair first, because any volume to which the previous "evfs.evfs" recovery key was added can no longer be recovered through it once it is gone!!!)
# evfspkey keygen -r
Enter recovery passphrase:
Re-enter recovery passphrase:
Public/Private key pair "evfs.evfs" has been successfully generated
# evfspkey lookup -r
Key ID: evfs.evfs
Key Cipher: rsa-1536
Public Key Fingerprint: e4baa758a02fb9e4cd7d78b9ad93d1ff4e1399b0
Private Key Keywrap: n/a
Private Key Fingerprint: n/a
Passphrase Keywrap: n/a
Passphrase Fingerprint: n/a
# lvcreate -L 500 -n evfsvol2 vg00
Warning: rounding up logical volume size to extent boundary at size "512" MB.
Logical volume "/dev/vg00/evfsvol2" has been successfully created with character device "/dev/vg00/revfsvol2".
Logical volume "/dev/vg00/evfsvol2" has been successfully extended.
Volume Group configuration for /dev/vg00 has been saved in /etc/lvmconf/vg00.conf
# evfsadm map /dev/vg00/evfsvol2
Volume "/dev/vg00/evfsvol2" has been successfully mapped to EVFS volume "/dev/evfs/vg00/evfsvol2"
# cat /etc/evfs/evfstab
#
# (C) Copyright 2006 Hewlett-Packard Development Company, L.P.
#
# Entry format is as follows:
#v <logical volume device file> <encrypted volume device file> <username.keyname> <options>
# First three fields are mandatory, rest is optional.
# Examples:
#v /dev/vg01/oracle /dev/evfs/vg01/oracle
#v /dev/vg01/oracle /dev/evfs/vg01/oracle root.rootkey
#v /dev/vg01/oracle /dev/evfs/vg01/oracle root.rootkey noauto
#v /dev/dsk/c0t0d0 /dev/evfs/dsk/c0t0d0
#v /dev/vx/dsk/rootdisk/disk1 /dev/evfs/vx/dsk/rootdisk/disk1
#v /dev/dsk/c0t0d1 /dev/evfs/dsk/c0t0d1 root.key1 boot_local
#v /dev/dsk/c0t0d2 /dev/evfs/dsk/c0t0d2 root.key2 boot_remote
#v /dev/vg00/evfsvol /dev/evfs/vg00/evfsvol evfsauto.evfsauto boot_local
v /dev/vg00/evfsvol /dev/evfs/vg00/evfsvol
v /dev/vg00/evfsvol2 /dev/evfs/vg00/evfsvol2
# evfsvol create -k dusankey /dev/evfs/vg00/evfsvol2
Enter owner passphrase:
Encrypted volume "/dev/evfs/vg00/evfsvol2" has been successfully created
# evfsvol add -r /dev/evfs/vg00/evfsvol2
Enter owner passphrase:
Key "evfs.evfs" has been successfully added to EVFS volume "/dev/evfs/vg00/evfsvol2"
# evfsvol display /dev/evfs/vg00/evfsvol2
EVFS Volume Name: /dev/evfs/vg00/evfsvol2
Mapped Volume Name: /dev/vg00/evfsvol2
EVFS Volume State: disabled
EMD Size (Kbytes): 520
Max User Envelopes: 1024
Data Encryption Cipher: aes-128-cbc   (default shown for this release; consult evfsvol(1M) before the create step if a different cipher is required)
Digest: sha1
Owner Key ID: root.dusankey
Recovery Agent Key IDs: evfs.evfs
Total Recovery Agent Keys: 1
User Key IDs:
Total User Keys: 0
# evfsvol enable -k dusankey /dev/evfs/vg00/evfsvol2
Enter user passphrase:
Encrypted volume "/dev/evfs/vg00/evfsvol2" has been successfully enabled
# evfsvol display /dev/evfs/vg00/evfsvol2
EVFS Volume Name: /dev/evfs/vg00/evfsvol2
Mapped Volume Name: /dev/vg00/evfsvol2
EVFS Volume State: enabled
EMD Size (Kbytes): 520
Max User Envelopes: 1024
Data Encryption Cipher: aes-128-cbc
Digest: sha1
Owner Key ID: root.dusankey
Recovery Agent Key IDs: evfs.evfs
Total Recovery Agent Keys: 1
User Key IDs:
Total User Keys: 0
# newfs /dev/evfs/vg00/revfsvol2
newfs: /etc/default/fs is used for determining the file system type
version 7 layout
523768 sectors, 523768 blocks of size 1024, log size 1024 blocks
largefiles supported
# mkdir /evfs
# mount /dev/evfs/vg00/evfsvol2 /evfs
# useradd -s /usr/bin/false auto      (dedicated non-login account that owns the auto-enable key)
# evfspkey keygen -p -u auto          (-p stores the passphrase on the system so the volume can be enabled without a prompt at boot - see boot_local below; note that this key material then lives on the local root disk, so a boot_local volume protects against theft of the data disks but not of the whole system - confirm against evfspkey(1M))
Enter passphrase:
Re-enter passphrase:
Public/Private key pair "auto.auto" has been successfully generated
# evfsvol add -u auto /dev/evfs/vg00/evfsvol2
Enter owner passphrase:
Key "auto.auto" has been successfully added to EVFS volume "/dev/evfs/vg00/evfsvol2"
# evfsvol display /dev/evfs/vg00/evfsvol2
EVFS Volume Name: /dev/evfs/vg00/evfsvol2
Mapped Volume Name: /dev/vg00/evfsvol2
EVFS Volume State: enabled
EMD Size (Kbytes): 520
Max User Envelopes: 1024
Data Encryption Cipher: aes-128-cbc
Digest: sha1
Owner Key ID: root.dusankey
Recovery Agent Key IDs: evfs.evfs
Total Recovery Agent Keys: 1
User Key IDs: auto.auto
Total User Keys: 1
# cat /etc/evfs/evfstab
#
# (C) Copyright 2006 Hewlett-Packard Development Company, L.P.
#
# Entry format is as follows:
#v <logical volume device file> <encrypted volume device file> <username.keyname> <options>
# First three fields are mandatory, rest is optional.
# Examples:
#v /dev/vg01/oracle /dev/evfs/vg01/oracle
#v /dev/vg01/oracle /dev/evfs/vg01/oracle root.rootkey
#v /dev/vg01/oracle /dev/evfs/vg01/oracle root.rootkey noauto
#v /dev/dsk/c0t0d0 /dev/evfs/dsk/c0t0d0
#v /dev/vx/dsk/rootdisk/disk1 /dev/evfs/vx/dsk/rootdisk/disk1
#v /dev/dsk/c0t0d1 /dev/evfs/dsk/c0t0d1 root.key1 boot_local
#v /dev/dsk/c0t0d2 /dev/evfs/dsk/c0t0d2 root.key2 boot_remote
#v /dev/vg00/evfsvol /dev/evfs/vg00/evfsvol evfsauto.evfsauto boot_local
v /dev/vg00/evfsvol2 /dev/evfs/vg00/evfsvol2 auto.auto boot_local
# cat /etc/fstab
# System /etc/fstab file. Static information about the file systems
# See fstab(4) and sam(1M) for further details on configuring devices.
/dev/vg00/lvol3 / vxfs delaylog 0 1
/dev/vg00/lvol1 /stand vxfs tranflush 0 1
/dev/vg00/lvol4 /home vxfs delaylog,quota 0 2
/dev/vg00/lvol5 /opt vxfs delaylog 0 2
/dev/vg00/lvol6 /tmp vxfs delaylog 0 2
/dev/vg00/lvol7 /usr vxfs delaylog 0 2
/dev/vg00/lvol8 /var vxfs delaylog 0 2
/dev/vg00/lvol10 /var/tmp vxfs delaylog 0 2
/dev/vg00/lvol9 /var/adm/crash vxfs delaylog 0 2
/dev/evfs/vg00/evfsvol2 /evfs vxfs delaylog 0 4
/dev/vgvm2/lvvmsrc /src vxfs defaults 0 3
/dev/vg01/datavol /data_soh vxfs defaults 0 3
# shutdown -ry 0      (reboot to verify that the boot_local entry enables the volume and /evfs mounts without a passphrase prompt)