Purpose
Provides the cryptographic management of logical volumes (LV) and physical volumes (PV).
Syntax
hdcryptmgr action [-h] [flags] devicename
Description
The hdcryptmgr command manages encrypted logical volumes. Starting from IBM®
AIX® 7.3 with Technology Level 1, you can run the
hdcryptmgr command to manage both encrypted logical volumes and encrypted
physical volumes. The encrypted logical volumes or physical volumes are managed by specifying the
action parameter to perform one of the following operations.
Note: Some of the attributes of the action parameter are specific to either logical volumes
or physical volumes. However, some attributes of the action parameter can be used for both
logical volumes and physical volumes.
Displaying encryption settings
You can run the following actions with the hdcryptmgr command to display
encryption settings:
- showvg
- Syntax:
hdcryptmgr showvg [-h] [device]
- Displays the data encryption status of the specified volume groups. If you do not specify a
volume group, this command shows the encryption status of all the volume groups.
# hdcryptmgr showvg
VG NAME / ID ENCRYPTION ENABLED
EVG1 yes
INSTALLVG yes
rootvg no
- showlv
- Syntax:
hdcryptmgr showlv [-h] [-v] device
- Displays the data encryption status of a logical volume. You must specify the device name of a
volume group or a logical volume. When you specify a volume group, this command displays the data
encryption status of all the logical volumes in the volume group. When you specify a logical volume,
this command displays the data encryption status of the specified logical volume. If the data
encryption capability is not enabled for the volume group, a message, which indicates that
encryption is not enabled on the volume group, is displayed.
# hdcryptmgr showlv vg00
NAME CRYPTO_STATUS %ENCRYPTED NOTE
lv00 unlocked 100
lv01 unlocked 100
lv03 not_enabled 0
lv04 locked 100
lv02 uninitialized 0
lv06 uninitialized n/a not_accessible
lv07 locked 100
fslv00 locked 1 encrypting
- showmd
- Syntax:
hdcryptmgr showmd [-h] [-v] device
- Displays encryption metadata for a specific logical volume, volume group, or
physical volume. You must specify the device name of a logical volume, volume group, or a physical
volume. When you specify a volume group, only the header and trailer encryption metadata of the
specified volume group are displayed. When you specify an encrypted physical volume, the metadata
that is associated with the physical volume is displayed. If the specified physical volume is not
encrypted but is part of a volume group that contains encrypted logical volumes, the metadata
of the encrypted logical volumes is displayed even if the corresponding volume group is not varied on.
When you specify a logical volume, the entire encryption metadata of the specific logical volume is
displayed.
# hdcryptmgr showmd ELV1
.....
..... Wed Jun 17 13:25:46 2020
..... Device type : LV
..... Device name : ELV1
.....
=============== B: LV HEADER ================
Version : 0
MasterKey : Defined
MasterKey size : 16 bytes
Encryption status : Fully encrypted
Data crypto algorithm : AES_XTS
=============== E: LV HEADER ================
============= B: LV AUTH METHODS ============
---- Index #0 -------------------------------
Method defined : yes
Method name : initpwd
Authentication type : Passphrase
Auto-auth method : no
MasterKey crypto algorithm : AES_GCM
---- Index #1 -------------------------------
Method defined : no
---- Index #2 -------------------------------
Method defined : no
---- Index #3 -------------------------------
Method defined : no
---- Index #4 -------------------------------
Method defined : no
---- Index #5 -------------------------------
Method defined : no
============= E: LV AUTH METHODS ============
- showconv
- Syntax:
hdcryptmgr showconv [-h]
- Displays the status of both active and stopped conversion processes of logical volumes that are
being converted.
# hdcryptmgr showconv
NAME TID/STATUS %ENCRYPTED DIRECTION START_TIME
lv03 29557045 3 plain2crypt Sun Feb 14 09:43:10 2021
fslv00 stopped/dirty 1 plain2crypt
- showpv
- Syntax:
hdcryptmgr showpv [-h] [-v] [device]
- -h
- Prints help message.
- -v
- Specifies verbose mode. Prints more detailed output if the physical volume device name is
specified.
- device
- Specifies the device name of the encrypted physical volume. The device
attribute is optional.
Displays information about one or all encrypted physical volumes. If the encrypted physical
volume name is specified, information about that physical volume is displayed. If the device
name is not specified, information about all the encrypted physical volumes is displayed.
# hdcryptmgr showpv
NAME CRYPTO_STATUS %ENCRYPTED NOTE
hdisk24 unlocked 100
hdisk25 unlocked 100
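A defender's audit of the showlv report, as an added example that is not part of the hdcryptmgr reference: the function reads captured hdcryptmgr showlv output on stdin and flags every LV that is not both unlocked and 100% encrypted, using the CRYPTO_STATUS and NOTE values shown above; the sample report is constructed to match that output format.

```shell
#!/bin/sh
# Added example, not part of the hdcryptmgr reference. Audits captured
# "hdcryptmgr showlv <vg>" output: every LV that is not "unlocked 100" is
# reported with the reason, so locked, uninitialized, plaintext or
# half-converted volumes do not go unnoticed after a varyonvg or a reboot.

# audit_showlv: reads showlv output on stdin, prints one line per LV that
# needs attention. Returns 0 when every LV is unlocked and fully encrypted,
# 1 otherwise (so it can gate a post-boot check script).
audit_showlv() {
    awk '
        $1 == "NAME" { next }                     # column header line
        NF < 3       { next }                     # blank or unexpected line
        {
            name = $1; status = $2; pct = $3; note = (NF >= 4) ? $4 : ""
            reason = ""
            if (status == "locked")
                reason = "locked: data inaccessible until authunlock"
            else if (status == "uninitialized")
                reason = "uninitialized: primary key not set, run authinit"
            else if (status == "not_enabled")
                reason = "not_enabled: LV stores plaintext"
            else if (status != "unlocked")
                reason = "unexpected status " status
            else if (pct != "100")
                reason = "unlocked but only " pct "% encrypted"
            if (note == "encrypting")
                reason = reason " (conversion in progress, see showconv)"
            else if (note == "not_accessible")
                reason = reason " (LV not accessible)"
            if (reason != "") {
                flagged++
                printf "%-10s %s\n", name, reason
            }
        }
        END { exit (flagged > 0) ? 1 : 0 }
    '
}

# sample_showlv: constructed report in the format of "hdcryptmgr showlv vg00"
# (the LV names and states mirror the reference output above).
sample_showlv() {
    cat <<'EOF'
NAME CRYPTO_STATUS %ENCRYPTED NOTE
lv00 unlocked 100
lv01 unlocked 100
lv03 not_enabled 0
lv04 locked 100
lv02 uninitialized 0
lv06 uninitialized n/a not_accessible
lv07 locked 100
fslv00 locked 1 encrypting
EOF
}

# count_flagged: number of LVs the audit flags in the constructed sample.
count_flagged() {
    sample_showlv | audit_showlv | grep -c .
}

# Stand-alone use: "sh audit.sh --demo" audits the constructed sample. On a
# live system replace sample_showlv with "hdcryptmgr showlv <vg>".
if [ "${1:-}" = "--demo" ]; then
    sample_showlv | audit_showlv
fi
```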
Controlling authentication methods
The encryption function of the logical and physical volumes supports the following key-protection
methods: passphrase, key file, key server management solution (such as IBM Security Key Lifecycle
Manager, called keyserv), Key Protect (IBM Key Protect for IBM Cloud®), HPCS (IBM Cloud® Hyper
Protect Crypto Services, called HPCS), and platform keystore (PKS). The passphrase and key file
protection methods require you to specify a password or a key file location manually. The key server
management and PKS protection methods can be used to automatically unlock and activate the encrypted
volume. For the key server authentication method to qualify as an automatic method, you must either
store the client certificate password in PKS or choose no password for the client certificate. You
can run the following actions with the hdcryptmgr command to control authentication methods:
- authinit
- Syntax:
hdcryptmgr authinit [-h] [-e algo_detail] [-n name] device
- Initializes the primary key and encryption metadata for an encrypted volume. For each encrypted
volume, the primary key and encrypted metadata must be initialized only once. A first passphrase
that is obtained from the key-protection method is added to the encryption metadata of the volume.
The pvenable action parameter also runs the authinit
action parameter to initialize authentication on a physical volume. You can specify the following
flags or values for the authinit action parameter:
- -e
- Specifies the data encryption algorithm, mode, and key length. The valid values of the
-e flag are as follows:
- prompt
- Specifies that the encryption algorithm details are prompted when the command runs.
- [algorithm]:[b|B][key_len][:w]
- Specifies the encryption algorithm details. The supported algorithms are Advanced Encryption
Standard XTS mode (AES-XTS) 128 bits or 256 bits. The character b refers to bits (default) of
the key, character B refers to bytes of the key, and the key_len variable
refers to the length of the key. The :w parameter overwrites the default values
of the volume group with the specified values. By default, when a volume group or physical volume,
in which encryption is enabled, is created, the default encryption algorithm is AES-XTS 128 bits.
- -n
- Specifies a name for the key-protection method. Name can be in the range 1 - 15 characters
and can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the underscore), "-" (the
minus sign), or "." (the period). All other characters are considered invalid.
- device
- Specifies the device name of the logical volume or the volume group or the physical volume for
which the key-protection method must be initialized.
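A pre-flight check for the two user-supplied values above, as an added example that is not hdcryptmgr's own validation: the functions apply the name rule (1 to 15 characters from A-Z, a-z, 0-9, underscore, minus sign and period) that authinit, authadd, plain2crypt and pvenable share, and parse the [algorithm]:[b|B][key_len][:w] form, accepting only AES-XTS with a 128- or 256-bit key. The assumption that the algorithm token is written AES_XTS, as showmd prints it, is ours.

```shell
#!/bin/sh
# Added example, not part of the hdcryptmgr reference. Checks the -n name and
# -e algo_detail arguments that authinit, authadd, plain2crypt and pvenable
# accept before the command is run, using the rules stated in the reference.
# Assumption (ours): the algorithm token is spelled AES_XTS, as showmd prints it.

# valid_auth_name NAME: 1-15 characters from A-Z a-z 0-9 _ - . only.
valid_auth_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$'
}

# parse_algo_spec SPEC: prints "algorithm=... key_bits=... overwrite_vg_default=..."
# for a valid [algorithm]:[b|B][key_len][:w] spec (or "prompt"); returns 1 otherwise.
parse_algo_spec() {
    spec=$1
    [ "$spec" = prompt ] && { echo prompt; return 0; }

    algo=${spec%%:*}
    rest=${spec#*:}
    [ "$rest" != "$spec" ] || return 1          # no ':' separator at all

    overwrite=no
    case $rest in
        *:w) overwrite=yes; rest=${rest%:w} ;;  # :w overrides the VG defaults
    esac

    case $rest in                               # b = bits (default), B = bytes
        b*) len=${rest#b}; mult=1 ;;
        B*) len=${rest#B}; mult=8 ;;
        *)  len=$rest;     mult=1 ;;
    esac
    case $len in
        ''|*[!0-9]*) return 1 ;;                # key_len must be a plain integer
    esac
    bits=$((len * mult))

    case $algo in
        AES_XTS) ;;
        *) return 1 ;;                          # only AES-XTS is supported
    esac
    case $bits in
        128|256) ;;
        *) return 1 ;;                          # only 128- or 256-bit keys
    esac
    printf 'algorithm=%s key_bits=%s overwrite_vg_default=%s\n' "$algo" "$bits" "$overwrite"
}

# check_authinit_args NAME SPEC: combined gate, as a wrapper script would call
# it before running "hdcryptmgr authinit -e SPEC -n NAME device".
check_authinit_args() {
    valid_auth_name "$1" || { echo "invalid method name: $1" >&2; return 1; }
    parse_algo_spec "$2" >/dev/null || { echo "invalid algo_detail: $2" >&2; return 1; }
    return 0
}
```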
- authadd
- Syntax:
hdcryptmgr authadd [-h] [-t type [-m method_detail]] [-n name] device
- Adds an additional key-protection method to an encrypted volume in which a key-protection method
is already initialized. To activate the authentication method that you added to an encrypted volume,
the encrypted volume must be unlocked. This action parameter can be specified
with the following flags or values:
- -t
- Specifies the key-protection type. The valid values are pwd, keyfile, keyserv, hpcs, and pks.
- -m
- Specifies any additional information about the key-protection method that might include the
following details:
- Input path to the authentication key file
- Key server ID in the KeySvr Object Data Manager (ODM) class
- Key server name in the HpcsSvr Object Data Manager (ODM) class
- -n
- Specifies a name for the key-protection method. Name can be in the range 1 - 15 characters and
can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the underscore), "-" (the minus
sign), or "." (the period). All other characters are considered invalid.
- device
- Specifies the device name of the logical volume or physical volume for which the key-protection
method must be added.
If you do not specify the required flags or values when you run the hdcryptmgr
authadd command, you are prompted to specify the same. For information about registering
key server information, see the keysvrmgr command.
- authunlock or authunl
- Syntax:
hdcryptmgr authunlock [-h] [-t type [-m method_detail]] [-A] device
- Authenticates to the encrypted volume and unlocks the encrypted volumes. This
action parameter can be specified with the following flags or values:
- -A
- Authenticates to the encrypted LV by using the automatic key-protection methods that do not
require any user inputs. You can use this flag at a volume group (VG) level only if the VG uses
automatic key-protection methods, such as a key server management solution or PKS.
- -t
- Specifies the type of the key-protection method. The valid values are pwd, keyfile, keyserv,
hpcs, and pks.
- -m
- Specifies any additional information about the key-protection method that might include the
following details:
- Input path to the authentication key file
- Key server ID in the KeySvr ODM class
- Key server name in the HpcsSvr Object Data Manager (ODM) class
- device
- Specifies the device name of the logical volume or physical volume that must be authenticated and
whose key-protection method must be unlocked. You must specify this value with the
-A flag.
When you specify a device name, you can specify the key-protection method by using the
-t and -m flags. If more than one key-protection method
meets the criteria, you are prompted to select a specific key-protection method.
Note: For encrypted logical volumes that use key server authentication methods during the boot
operation to decrypt the logical volume, the server or the client certificate must be located in the
/etc directory or in the file systems that are mounted early in the boot
operation sequence.
- authcheck or authchk
- Syntax:
hdcryptmgr authcheck [-h] [-t <type> [-m <method_detail>]] [-i <index>] [-n <name>] <device>
- Checks the validity of an authentication method. This action parameter can be
specified with the following flags or values:
- -h
- Displays help information.
- -t
- Specifies the type of the key-protection method. The valid values are pwd, keyfile, keyserv,
hpcs, and pks.
- -m
- Specifies any additional information about the key-protection method that might include the
following details:
- Input path to the authentication key file
- Key server ID in the KeySvr ODM class
- Key server name in the HpcsSvr Object Data Manager (ODM) class
- -i
- Checks the authentication of only the specified index. Authentication type is automatically
forced according to the selected index.
- -n
- Specifies the name of the key-protection method that must be checked. Name can be in the range 1
- 15 characters and can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the
underscore), "-" (the minus sign), or "." (the period). All other characters are considered
invalid.
- device
- Specifies the device name of the logical volume or physical volume that must be checked.
- authdelete or authdel
- Syntax:
hdcryptmgr authdelete [-h] [-t type [-m method_detail]] [-i index] [-n name] [-f] device
- Removes an initiated key-protection method. This action parameter can be
specified with the following flags:
- -t
- Specifies the key-protection type. The valid values are pwd, keyfile, keyserv, hpcs, and pks.
- -m
- Specifies any additional information about the key-protection method that might include the
following details:
- Input path to the authentication key file
- Key server ID in the KeySvr ODM class
- Key server name in the HpcsSvr Object Data Manager (ODM) class
- -i
- Specifies the index of the key-protection method that must be deleted.
- -n
- Specifies the name of the key-protection method that must be deleted. Name can be in the range 1
- 15 characters and can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the
underscore), "-" (the minus sign), or "." (the period). All other characters are considered
invalid.
- -f
- Specifies the force option. This flag bypasses the authentication method checks to remove the
key-protection method.
- device
- Specifies the device name of the logical volume or physical volume for which the key-protection
method must be deleted.
Only one key-protection method can be removed at a time. If you know the correct index or
name of the key-protection method, you can specify the key-protection method by using the
-i or -n flags. You can use the -t
and -m flags to filter the list of existing key-protection methods. If multiple
entries match the specified criteria, you are prompted to choose the key-protection method that must
be removed.
Before the key-protection method is removed, the validity of the key-protection
method is checked, unless the -f flag is used. You must authenticate to the
volume with the selected key-protection method.
Note: Ensure that the volume has at least a
passphrase key-protection method after performing the authdelete
operation.
- authsetrvgpwd or setrvgpwd
- Syntax:
hdcryptmgr authsetrvgpwd [-h]
- Sets a recovery password for the rootvg. When you install the operating system in an LPAR, if
you enable the encryption of logical volumes, only the PKS authentication method is created for the
encrypted LVs. After the installation is complete and the LPAR boots up in normal mode, you must run
the hdcryptmgr authsetrvgpwd command to add a recovery password for the rootvg.
Managing PKS keys
The platform keystore (PKS) is a secure key-protection method that is available in IBM
PowerVM® firmware of the IBM
Power® E950. You can add the PKS key-protection method to an
encrypted LV. You can use the following action parameters to manage the PKS keys
for authentication.
- pksshow
- Syntax:
hdcryptmgr pksshow [-h]
- Displays the PKS labels of the volumes that are associated with PKS keys and the status of the
PKS keys. The PKS labels that are stored both in the PKS and in the volume metadata are displayed.
# hdcryptmgr pksshow
Total PKS size: 65536 bytes
Used PKS size: 479 bytes
Estimated encryption key slots: 747
PKS_Label (LVid) Status Device
00fb293100004c0000000174c0a994b7.1 VALID testlv
00fb293100004c0000000174c0a994b7.2 UNKNOWN
00fb293100004c0000000174c0a994b7.3 UNKNOWN
PKS_Label (PVuuid) status Device
pvuuid:706aa87a-e4d0-f2ec-3999-2631162226d2 VALID KEY hdisk3
PKS_Label (objects)
ksvr:gpfs-pw-t2
- pksclean
- Syntax:
hdcryptmgr pksclean [-h] <pks_label>
- Removes an invalid key from the PKS. You must specify the PKS label that is associated with the
invalid key that you want to remove. This command must be used to remove the keys that are listed in
the hdcryptmgr pksshow command output with the status as
UNKNOWN.
- pksexport
- Syntax:
hdcryptmgr pksexport [-h] -p ExportFile device
- Exports the PKS keys into the specified file. If you specify an LV or PV device name, the PKS key
that is associated with the specified LV or PV is exported. If you specify a VG device name, all PKS
keys that are associated with the logical volumes in the volume group are exported.
Note: You can export the PKS keys of multiple devices into the same file. In AIX 7.3.0, the existing file content is overwritten by the newly exported content. Therefore, using different passwords does not cause any problems. In AIX 7.3.1, and later, the new content is appended to the end of the existing file content. Therefore, you must use the same password for all the devices otherwise the pksimport command fails.
- pksimport
- Syntax:
hdcryptmgr pksimport [-h] -p ExportFile [device]
- Imports the PKS keys from the specified file. If you specify an LV or PV device name, the PKS
key that is associated with the specified LV or PV is imported. If you specify a VG device name, all
PKS keys that are associated with the logical volumes in the volume group are imported. If you do
not specify a device name, all PKS keys are imported.
Converting the encryption status of the logical volume
You can convert a regular logical volume to an encrypted logical volume, and vice versa. You can
perform this conversion operation only on the logical volume that is active and online.
Warning: You must back up your data before you run the following conversion
commands.
Note: Converting the encryption status of a logical volume is not supported on active boot, dump,
paging, and aio_cache logical volume types.
The rootvg must have at least one free partition for converting the encryption status of
logical volumes from encrypted to decrypted, and vice versa. When you convert the encryption status
of a logical volume in the rootvg, the hdcryptmgr command creates a recovery logical volume to store
the recovery data that is generated during the encryption status change. For logical volumes in user
volume groups, the hdcryptmgr command uses a recovery file to store the recovery data. Do not
interrupt the conversion process, for example by sending it the SIGKILL signal, because doing so
might leave the logical volume in a dirty state. If a logical volume that is required for the boot
process is in a dirty state, the logical partition might not start, and the logical partition must
be repaired or recovered in maintenance mode. You can use the following action parameters to change
the encryption status:
- plain2crypt
- Syntax:
hdcryptmgr plain2crypt [-h] [-e algo_detail] [-n name] [-f] device
- Enables encryption in a logical volume, configures the encryption settings, and encrypts the LV
data. This action parameter can be specified with the following flags and values:
- -e
- Specifies the data encryption algorithm, mode, and key length. The valid values of the
-e flag are as follows:
- prompt
- Specifies that the encryption algorithm details are prompted when the command runs.
- [algorithm]:[b|B][key_len][:w]
- Specifies the encryption algorithm details. The supported algorithms are Advanced Encryption
Standard XTS mode (AES-XTS) 128 bits or 256 bits. The character b refers to bits (default) of
the key, character B refers to bytes of the key, and the key_len variable
refers to the length of the key. The :w parameter overwrites the default values
of the volume group with the specified values. By default, when a volume group or physical volume,
in which encryption is enabled, is created, the default encryption algorithm is AES-XTS 128 bits.
- -n
- Specifies a name for the key-protection method. Name can be in the range 1 - 15 characters and
can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the underscore), "-" (the minus
sign), or "." (the period). All other characters are considered invalid.
- -f
- Specifies the force option. If you do not use this flag, the hdcryptmgr
command prompts you to confirm that the data has been backed up. The force option suppresses this
prompt.
- device
- Specifies the device name of the logical volume for which the encryption status must be
converted.
- crypt2plain
- Syntax:
hdcryptmgr crypt2plain [-h] [-f] device
- Decrypts the encrypted data of the specified logical volume and disables the encryption status
of the specified logical volume. This action parameter can be specified with the
following flags and values:
- -f
- Specifies the force option. If you do not use this flag, the hdcryptmgr
command prompts you to confirm that the data has been backed up. The force option suppresses this
prompt.
- device
- Specifies the device name of the logical volume for which the encryption status must be
converted.
Managing the physical volume encryption
Physical volume (PV) encryption protects user data by encrypting data that is written to the
physical volume. The base operating system performs physical volume data encryption and decryption
during I/O operations. For more information about the physical volume encryption, see Encrypted physical
volumes.
Note: If encryption of a shared physical volume is enabled or disabled by using the
pvenable or pvdisable action parameters on one LPAR, you
must run the rmdev and mkdev commands for the shared physical
volume on the other LPARs, or reboot the other LPARs, so that they recognize the change to the
encryption state of the shared physical volume.
You can run the following action parameters of the hdcryptmgr command on
encrypted physical volumes:
- pvenable
- Syntax:
hdcryptmgr pvenable [-h] [-e algo_detail] [-n <name>] [-f] device
- Enables encryption on a physical volume, configures the primary key, and initializes the first
authentication method. This action parameter can be specified with the following flags or values:
- -h
- Displays help information.
- -e
- Specifies the data encryption algorithm, mode, and key length. The valid values of the
-e flag follow:
- prompt
- Specifies that the encryption algorithm details are prompted for when the command runs.
- [algorithm]:[b|B][key_len][:w]
- Specifies the encryption algorithm details. The supported algorithms for physical volumes are
Advanced Encryption Standard XTS mode (AES-XTS) 128 bits or 256 bits. The character b refers to
bits (default) of the key, the character B refers to bytes of the key, and the key_len variable
indicates the length of the key. The :w parameter overwrites the default values of the volume group
with the specified values. By default, when you create a volume group or physical volume for which
data encryption is enabled, the default encryption algorithm is set to AES-XTS 128 bits.
- -n
- Specifies a name for the key-protection method. Name can be 1 - 15 characters long and can
contain only the following characters: A - Z, a - z, 0 - 9, "_" (the underscore), "-" (the minus
sign), or "." (the period). All other characters are invalid.
- -f
- Specifies the force option. If you do not use the -f flag, the
hdcryptmgr command prompts you to confirm that the data in the physical volume on
which data encryption is enabled can be deleted.
- device
- Specifies the name of the physical volume on which encryption is enabled.
- pvdisable
- Syntax:
hdcryptmgr pvdisable [-h] [-f] device
- Disables the physical volume encryption. This action parameter can be specified with the
following flags or values:
- -h
- Displays help information.
- -f
- Specifies the force option. If you do not use the -f flag, the
hdcryptmgr command prompts you to confirm that the data in the physical volume on
which data encryption is disabled can be deleted.
- device
- Specifies the name of the physical volume on which encryption is disabled.
- pvsavemd
- Syntax:
hdcryptmgr pvsavemd [-h] -p file device
- Saves physical volume encryption metadata to a file. When encryption is enabled on a physical
volume by using the pvenable action parameter, the AIX operating system reserves space on the physical volume to store encryption
metadata. The encryption metadata is used when the physical volume is unlocked for I/O operations.
The pvsavemd action parameter saves a copy of the encryption metadata. The
pvrecovmd action parameter validates the encryption metadata and boot record
and also restores encryption metadata from a previously saved file.
Note: The
pvsavemd and pvrecovmd action parameters save and recover
only the encryption metadata on the physical volume. The pvsavemd action
parameter does not save external data such as encryption details stored in PKS keys or on an
external key server. The encryption details must be backed up separately.
- -h
- Displays help information.
- -p
- Specifies the file path to save the encryption metadata.
- device
- Specifies the name of the physical volume from which the encryption metadata is copied to a
specified file.
- pvrecovmd
- Syntax:
hdcryptmgr pvrecovmd [-h] [-c] [-f] [-v] [-p File] device
- The pvrecovmd action parameter verifies the encryption metadata on an
encrypted physical volume and attempts to restore any corrupted encryption metadata.
The encrypted physical volume has two copies of the encryption metadata. The
pvrecovmd action parameter validates and compares both encryption metadata
copies in the physical volume. If one of the encryption metadata copies is incorrect, the
pvrecovmd action parameter overwrites the incorrect encryption metadata with
the correct encryption metadata. The pvrecovmd action parameter also verifies
the boot record and includes the correct tag in the boot record to indicate that the physical disk
is encrypted. If you specify a file with previously saved encryption metadata, the
pvrecovmd action parameter uses the content of the specified file to restore
the encryption metadata on the physical volume.
- -h
- Displays help information.
- -f
- Specifies the force option. If the encryption metadata has issues that can be corrected, the
pvrecovmd action parameter prompts you to confirm before the
hdcryptmgr command corrects the corrupt encryption metadata. If the
-f flag is specified, the pvrecovmd action parameter
writes to the physical volume without the prompt.
- -v
- Specifies verbose mode. Prints a more detailed output if the physical volume device name is
specified.
- -p
- Specifies the file path of the file, which contains metadata that is previously saved by the
pvsavemd command.
- -c
- Checks the encryption metadata on the physical volume but does not update the physical
volume.
- device
- Specifies the name of the physical volume for which encryption metadata is verified.
- The pvrecovmd action parameter must be used only with an encryption-enabled
physical volume. If you use the pvrecovmd action parameter on an unencrypted
physical volume, the hdcryptmgr command might overwrite the user data on the
unencrypted physical volume.
Commands and function restrictions for encrypted LV
For more information about the logical volume commands or functions that are not supported when
the LV is encrypted, see the Limitations section in Encrypting logical volumes.
Examples
- Scenario: Creating an encrypted logical volume with the passphrase key-protection method
- Create a volume group in which encryption is enabled.
# mkvg -k y hdisk1 hdisk2
vg00
- Create an encrypted LV with a size of 32 MB.
# mklv -k y vg00 32M
mklv: Please run :
# hdcryptmgr authinit lvname [..] to define LV encryption options.
lv00
- Initialize the encryption configuration on the logical volume by using a primary key and the
passphrase key-protection method.
# hdcryptmgr authinit -n default lv00
Enter Passphrase:
Confirm Passphrase:
Password authentication method added successfully
- Scenario: Creating a file system in an encrypted LV
- Create a volume group in which encryption is enabled, create a logical volume with a size
of 32 MB, and then initialize the encryption configuration for the logical volume.
# mkvg -k y hdisk1 hdisk2
vg00
# mklv -t jfs2 -k y vg00 32M
mklv: Please run :
# hdcryptmgr authinit lvname [..] to define LV encryption options.
fslv00
# hdcryptmgr authinit -n default fslv00
Enter Passphrase:
Confirm Passphrase:
Password authentication method added successfully
- Create a file system in the encrypted logical volume similar to creating it in a regular logical
volume.
# crfs -v jfs2 -d fslv00 -m /mnt/myfs -A no
File system created successfully.
32560 kilobytes total disk space.
New File System size is 65536
- Scenario: Authenticating to a logical volume in which encryption is enabled
- When the volume group is varied off or the system is restarted, the authentication to the
encrypted LV expires. You must authenticate to the encrypted LV, by using its configured
key-protection method, to access its data. To authenticate to an encryption-enabled LV,
complete the following steps:
- Vary on the VG.
# varyonvg vg00
varyonvg: 1 encrypted LV defined in VG vg00.
To check if a LV is encrypted and if it is unlocked, use:
hdcryptmgr showlv vgname or
hdcryptmgr showlv lvname
In order to unlock a LV, use:
hdcryptmgr authunlock lvname
- Authenticate by using the passphrase key-protection
method.
# hdcryptmgr authunlock -t pwd fslv00
Enter Passphrase:
Password authentication succeeded
- Scenario: Repairing corrupted PKS keys in encrypted LVs that are required to boot the operating
system
- If an encrypted LV is required to boot the operating system, the LV must have a valid PKS key.
Otherwise, the boot process will not be successful. In such a scenario, you must boot the LPAR in
maintenance mode. The following instructions are applicable if you are booting the operating system
in maintenance mode by using the NIM server. The hdisk0 disk contains the rootvg, and the PKS keys
in the hd3 LV are corrupted.
- In the following screen, select 3:
Maintenance
Type the number of your choice and press Enter.
1 Access a Root Volume Group
2 Copy a System Dump to Removable Media
>>> 3 Access Advanced Maintenance Functions
4 Erase Disks
5 Configure Network Disks (iSCSI)
6 Select Storage Adapters
- In the following screen, select 0:
Information for Advanced Maintenance Functions
-------------------------------------------------------------------------------
To return to the Maintenance Menu after completing maintenance
activities, type exit on the command line and press Enter.
-------------------------------------------------------------------------------
Type the number of your choice and press Enter.
>>> 0 Enter the Limited Function Maintenance Shell
- Run the following
commands:
# LIBPATH=/SPOT/usr/lib:$LIBPATH
# importvg hdisk0
# hdcryptmgr32 authunlock hd3
# hdcryptmgr32 authdel -t pks hd3
# hdcryptmgr32 authadd -t pks -n initpks hd3
- Repeat steps 1 - 3 for all encrypted LVs that need repair.
- Scenario: Recovering an aborted conversion operation of an LV that is required to boot the
operating system
- If the conversion of a regular logical volume to an encrypted logical volume, or vice versa, has
stopped, you can resume the conversion operation by rerunning the same hdcryptmgr conversion command
that you issued earlier. The hdcryptmgr conversion command reads the conversion recovery information
and picks up the conversion process from where it stopped in the previous run. This works regardless
of whether the LV is used in the boot process or not. However, if the LPAR reboots while the
conversion operation is in progress, the LV can be left in a dirty state (for example, the data
block that was being converted is only partially encrypted); if that LV is required to boot the
operating system, the reboot operation might fail. In such a scenario, you must boot the LPAR in
maintenance mode and resume the conversion operation.
The following instructions assume that you are booting the operating system in maintenance mode by
using the NIM server. The hdisk0 disk contains the rootvg, and the hd3 LV is in a dirty state
because of an aborted conversion process.
- In the Maintenance menu, select 3 Access Advanced Maintenance
Functions.
- In Advanced Maintenance Functions, select 0 Enter the Limited Function
Maintenance Shell.
- Run the following commands:
# LIBPATH=/SPOT/usr/lib:$LIBPATH
# importvg hdisk0
# hdcryptmgr32 plain2crypt hd3
- Scenario: Creating an encrypted physical volume
- When you create an encrypted physical volume, by default a passphrase key-protection method is
added to the encrypted physical volume. You can enable encryption for a physical volume (hdisk3) by
using the following command:
# hdcryptmgr pvenable -f hdisk3
Enter Passphrase:
Confirm Passphrase:
Passphrase authentication method with name "initpwd" added successfully.
The -f flag indicates that the hdcryptmgr pvenable
command can overwrite the data in the physical volume without prompting for a confirmation. After
the hdcryptmgr pvenable command runs successfully, the physical volume is enabled
for encryption and is unlocked for I/O operations. Any data that is written to the encrypted
physical volume is encrypted and any data that is read from the encrypted physical volume is
decrypted.
- Scenario: Checking and correcting encrypted volume metadata
- The hdcryptmgr pvrecovmd -c command validates the encryption metadata on an
encrypted physical volume. Because the physical volume has two copies of the encryption metadata,
the pvrecovmd action parameter validates and compares both copies of the encryption metadata.
To validate the encryption metadata on a physical volume (hdisk24), enter the following
command:
# hdcryptmgr pvrecovmd -cv hdisk24
If both copies of encryption metadata on the physical volume (hdisk24) are valid, the following
message is displayed:
Metadata area 1 is valid.
Metadata area 2 is valid.
IPL record is valid for an encrypted disk.
All encryption fields for disk hdisk24 are valid.
Check of metadata on PV hdisk24 is complete.
pvrecovmd action complete.
If any of the encryption metadata copy on the physical volume (hdisk24) is corrupted, the
following message is displayed:
Metadata area 1 is valid.
Disk metadata copy #2 is corrupt.
IPL record is valid for an encrypted disk.
Check of metadata on PV hdisk24 is complete.
pvrecovmd action complete.
To overwrite the corrupted encryption metadata with the correct encryption metadata on the
physical volume (hdisk24), enter the following
command:
# hdcryptmgr pvrecovmd hdisk24 -v
The hdcryptmgr pvrecovmd command displays the following message and prompts you to confirm whether
the corrupted encryption metadata can be overwritten:
Metadata area 1 is valid.
Disk metadata copy #2 is corrupt.
IPL record is valid for an encrypted disk.
Preparing to write the following fields to the disk:
Backup metadata
Warning, about to write to disk hdisk25
Do you wish to continue? y(es) or n(o)?
If you want to overwrite the corrupted encryption metadata, enter y. The hdcryptmgr pvrecovmd command
overwrites the corrupted encryption metadata with the correct encryption metadata and displays the
following message:
Encrypted disk recovery attempt complete.
pvrecovmd action complete.
Files
- /usr/sbin/hdcryptmgr
- Contains the hdcryptmgr command.