Encrypting logical volumes

Starting with IBM® AIX® 7.2 with Technology Level 5, the Logical Volume Manager (LVM) supports data encryption at the logical volume (LV) level. Using this feature, you can encrypt data at rest to protect against data exposure caused by lost or stolen hard disk drives or by inappropriately decommissioned computers. The term data at rest refers to inactive data that is stored physically in any digital form.

Each LV is encrypted with a unique key. The logical volume data is encrypted before the data is written to the physical volume. This data is decrypted when it is read from the physical volume. By default, data encryption is not enabled in logical volumes. You must enable the data encryption option at the volume group level before you enable the data encryption option at the logical volume level.

The hdcryptmgr command manages the encryption keys, data encryption, and data decryption of the logical volume.

To enable logical volume encryption, complete the following steps:
  1. To create a volume group with the data encryption option enabled, run the following command:
    mkvg -f -k y -y testvg hdisk1 hdisk2
    where testvg is the name of the new volume group, and hdisk1 and hdisk2 are the physical volumes that are used for the volume group.
  2. To create a logical volume with the data encryption option enabled, run the following command:
    mklv -k y -y testlv testvg 10
    where testlv is the name of the new logical volume and testvg is the volume group in which the logical volume is to be created.
  3. To initialize the primary encryption key of the logical volume, run the following command:
    hdcryptmgr authinit testlv
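The three steps above wrapped into checked shell functions, as an added example that is not part of the IBM documentation: the procedure is gated on the AIX level the page names (7.2 TL5) and stops at the first failed command, so a later step never runs against a volume group or logical volume that was not created. The function names, the argument layout, and the assumption that `oslevel -s` prints the level as VVRR-TT-SS-YYWW (for example 7200-05-01-2038) are mine, not the page's.

```shell
#!/bin/sh
# Added example (not from the IBM documentation). Assumes `oslevel -s`
# prints the AIX level as VVRR-TT-SS-YYWW, e.g. 7200-05-01-2038.

# Return 0 when the level string is AIX 7.2 TL5 or later (7200 with
# TL >= 05, or any later VVRR), i.e. a release whose LVM supports
# encrypted logical volumes; return 1 for older or unparsable levels.
aix_supports_lv_encryption() {
    level="$1"
    vr=$(printf '%s' "$level" | cut -s -d- -f1)   # e.g. 7200
    tl=$(printf '%s' "$level" | cut -s -d- -f2)   # e.g. 05
    case "$vr" in
        [0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;                             # not a VVRR field
    esac
    case "$tl" in
        [0-9][0-9]) ;;
        *) tl=0 ;;                                 # missing TL field counts as 00
    esac
    if [ "$vr" -gt 7200 ]; then return 0; fi
    if [ "$vr" -eq 7200 ] && [ "$tl" -ge 5 ]; then return 0; fi
    return 1
}

# Create an encryption-enabled VG, an encrypted LV in it, and initialize
# the LV's primary encryption key (steps 1 to 3 of the procedure).
# Usage: create_encrypted_lv VGNAME LVNAME NUM_LPS hdiskN [hdiskM ...]
create_encrypted_lv() {
    vg="$1"; lv="$2"; lps="$3"; shift 3           # remaining args: physical volumes
    aix_supports_lv_encryption "$(oslevel -s)" || {
        echo "LV encryption requires AIX 7.2 TL5 or later" >&2
        return 1
    }
    # Step 1: volume group with the encryption option enabled (-k y).
    mkvg -f -k y -y "$vg" "$@" || return 1
    # Step 2: logical volume with the encryption option enabled (-k y).
    mklv -k y -y "$lv" "$vg" "$lps" || return 1
    # Step 3: initialize the primary encryption key of the logical volume.
    hdcryptmgr authinit "$lv"
}

# Example invocation matching the page's names (run as root on AIX):
# create_encrypted_lv testvg testlv 10 hdisk1 hdisk2
```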