hdcryptmgr Command

Purpose

Provides the cryptographic management of logical volumes (LV) and physical volumes (PV).

Syntax

hdcryptmgr action [-h] [flags] devicename

Description

The hdcryptmgr command manages encrypted logical volumes. Starting from IBM® AIX® 7.3 with Technology Level 1, you can run the hdcryptmgr command to manage both encrypted logical volumes and encrypted physical volumes. The encrypted logical volumes or physical volumes are managed by specifying the action parameter to perform one of the following operations.

Note: Some of the attributes of the action parameter are specific to either logical volumes or physical volumes. However, some attributes of the action parameter can be used for both logical volumes and physical volumes.
Table 1. hdcryptmgr command operations

Display encryption settings
    showvg                       Displays the data encryption status of the volume group
    showlv                       Displays the data encryption status of the logical volume
    showmd                       Displays encryption metadata for a specific volume
    showconv                     Displays the status of all active and stopped conversion operations of encrypted logical volumes to decrypted logical volumes, and vice versa
    showpv                       Displays the status of encrypted physical volumes
Control authentication methods
    authinit                     Initializes a primary key for data encryption in the volume
    authunlock or authunl        Authenticates to the encrypted volume to unlock the primary key of the volume
    authadd                      Adds additional authentication methods
    authcheck or authchk         Checks the validity of an authentication method
    authdelete or authdel        Removes an authentication method
    authsetrvgpwd or setrvgpwd   Sets the recovery password for the root volume group (rootvg) after the BOS installation
Manage platform keystore (PKS) keys
    pksimport                    Imports the platform keystore (PKS) keys
    pksexport                    Exports the PKS keys
    pksclean                     Removes a PKS key
    pksshow                      Displays the status of the PKS keys
Convert the encryption status of the logical volume
    plain2crypt                  Enables encryption in a logical volume and encrypts the logical volume data
    crypt2plain                  Decrypts the logical volume data and disables encryption in a logical volume
Physical volume encryption
    pvenable                     Enables encryption of a physical volume
    pvdisable                    Disables encryption of a physical volume
    pvsavemd                     Saves physical volume metadata to a specified file
    pvrecovmd                    Recovers physical volume metadata

Displaying encryption settings

You can run the following actions with the hdcryptmgr command to display encryption settings:

showvg
Syntax:
hdcryptmgr showvg [-h] [device]
Displays the data encryption status of the specified volume group. If you do not specify a volume group, this command shows the encryption status of all volume groups.
# hdcryptmgr showvg
VG NAME / ID          ENCRYPTION ENABLED  
EVG1                      yes                 
INSTALLVG                 yes                 
rootvg                    no
showlv
Syntax:
hdcryptmgr showlv [-h] [-v] device
Displays the data encryption status of a logical volume. You must specify the device name of a volume group or a logical volume. When you specify a volume group, this command displays the data encryption status of all the logical volumes in the volume group. When you specify a logical volume, this command displays the data encryption status of the specified logical volume. If the data encryption capability is not enabled for the volume group, a message, which indicates that encryption is not enabled on the volume group, is displayed.
# hdcryptmgr showlv vg00
NAME                 CRYPTO_STATUS    %ENCRYPTED       NOTE            
lv00                 unlocked         100             
lv01                 unlocked         100             
lv03                 not_enabled      0               
lv04                 locked           100             
lv02                 uninitialized    0               
lv06                 uninitialized    n/a              not_accessible  
lv07                 locked           100             
fslv00               locked           1                encrypting      
showmd
Syntax:
hdcryptmgr showmd [-h] [-v] device
Displays encryption metadata for a specific logical volume, volume group, or physical volume. You must specify the device name of a logical volume, a volume group, or a physical volume. When you specify a volume group, only the header and trailer encryption metadata of that volume group are displayed. When you specify an encrypted physical volume, the metadata that is associated with the physical volume is displayed. If the specified physical volume is not encrypted but belongs to a volume group that contains encrypted logical volumes, the metadata of those encrypted logical volumes is displayed even if the volume group is not varied on. When you specify a logical volume, the entire encryption metadata of that logical volume is displayed.
# hdcryptmgr showmd ELV1
.....
.....    Wed Jun 17 13:25:46 2020
.....    Device type : LV
.....    Device name : ELV1
.....

=============== B: LV HEADER ================
Version                      : 0
MasterKey                    : Defined
MasterKey size               : 16 bytes
Encryption status            : Fully encrypted
Data crypto algorithm        : AES_XTS
=============== E: LV HEADER ================

============= B: LV AUTH METHODS ============
---- Index #0 -------------------------------
Method defined               : yes
Method name                  : initpwd
Authentication type          : Passphrase
Auto-auth method             : no
MasterKey crypto algorithm   : AES_GCM
---- Index #1 -------------------------------
Method defined               : no
---- Index #2 -------------------------------
Method defined               : no
---- Index #3 -------------------------------
Method defined               : no
---- Index #4 -------------------------------
Method defined               : no
---- Index #5 -------------------------------
Method defined               : no
============= E: LV AUTH METHODS ============
showconv
Syntax:
hdcryptmgr showconv [-h]
Displays the status of all active and stopped conversion operations of logical volumes. A thread ID in the TID/STATUS column means that the conversion is running; stopped/dirty means that it was interrupted and the logical volume is in a dirty state until the conversion is resumed.
# hdcryptmgr showconv
NAME          TID/STATUS       %ENCRYPTED       DIRECTION        START_TIME      
lv03          29557045         3                plain2crypt      Sun Feb 14 09:43:10 2021
fslv00        stopped/dirty    1                plain2crypt     
showpv
Syntax:
hdcryptmgr showpv [-h] [-v] [device]
-h
Prints help message.
-v
Specifies verbose mode. Prints more detailed output if the physical volume device name is specified.
device
Specifies the device name of the encrypted physical volume. The device attribute is optional.

Displays information about one or all encrypted physical volumes. If you specify the name of an encrypted physical volume, information about that physical volume is displayed. If you do not specify a device name, information about all encrypted physical volumes is displayed.

# hdcryptmgr showpv
NAME                    CRYPTO_STATUS       %ENCRYPTED     NOTE
hdisk24                 unlocked             100
hdisk25                 unlocked             100
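The show* actions print plain tables, so the operational check that a practitioner usually wants (which LVs are still locked or uninitialized, and which conversions were interrupted) can be scripted over that output. The following pre-flight script is an added example and is not part of the hdcryptmgr documentation; the SAMPLE_SHOWLV and SAMPLE_SHOWCONV strings are constructed from the showlv and showconv output shown above so that the functions run on any POSIX shell without an AIX host. On AIX you would call preflight "$(hdcryptmgr showlv vg00)" "$(hdcryptmgr showconv)".

```shell
#!/bin/sh
# Added example (not from the hdcryptmgr documentation): a pre-flight check
# that parses the text output of 'hdcryptmgr showlv <vg>' and
# 'hdcryptmgr showconv' and reports LVs that cannot be used yet.
# On AIX:  preflight "$(hdcryptmgr showlv vg00)" "$(hdcryptmgr showconv)"
# The SAMPLE_* strings are constructed from the output shown on this page so
# the functions can be exercised on any POSIX shell without an AIX host.
LC_ALL=C; export LC_ALL

SAMPLE_SHOWLV='NAME                 CRYPTO_STATUS    %ENCRYPTED       NOTE
lv00                 unlocked         100
lv01                 unlocked         100
lv03                 not_enabled      0
lv04                 locked           100
lv02                 uninitialized    0
lv06                 uninitialized    n/a              not_accessible
lv07                 locked           100
fslv00               locked           1                encrypting'

SAMPLE_SHOWCONV='NAME          TID/STATUS       %ENCRYPTED       DIRECTION        START_TIME
lv03          29557045         3                plain2crypt      Sun Feb 14 09:43:10 2021
fslv00        stopped/dirty    1                plain2crypt'

# LVs whose CRYPTO_STATUS is "locked": encrypted, but the primary key has not
# been unwrapped, so their data is inaccessible until authunlock succeeds.
# Reads showlv output on stdin and skips the header row.
locked_lvs() {
    awk 'NR > 1 && $2 == "locked" { print $1 }'
}

# LVs created with 'mklv -k y' but never initialised with authinit (no
# primary key and no key-protection method yet).
uninitialized_lvs() {
    awk 'NR > 1 && $2 == "uninitialized" { print $1 }'
}

# Conversions that are no longer running and left the LV dirty: the
# TID/STATUS column reads "stopped/..." instead of a thread ID.
# Reads showconv output on stdin.
stopped_conversions() {
    awk 'NR > 1 && $2 ~ /^stopped/ { print $1 }'
}

# Verdict: returns 0 when nothing needs attention, 1 otherwise, and prints
# the action to take for each finding. $1 = showlv output, $2 = showconv output.
preflight() {
    rc=0
    for lv in $(printf '%s\n' "$1" | locked_lvs); do
        echo "LOCKED        $lv  -> hdcryptmgr authunlock $lv"
        rc=1
    done
    for lv in $(printf '%s\n' "$1" | uninitialized_lvs); do
        echo "UNINITIALIZED $lv  -> hdcryptmgr authinit -n <name> $lv"
        rc=1
    done
    for lv in $(printf '%s\n' "$2" | stopped_conversions); do
        echo "DIRTY         $lv  -> rerun the same plain2crypt/crypt2plain command to resume"
        rc=1
    done
    return $rc
}

# Stand-alone demo on the constructed samples.
preflight "$SAMPLE_SHOWLV" "$SAMPLE_SHOWCONV" || echo "preflight: attention required"
```

The exit status makes the check usable from a monitoring job or from a pre-mount hook: a non-zero result means that a mount or application start against one of the listed LVs would fail or, for a dirty conversion, that the LV must be repaired before it is trusted.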

Controlling authentication methods

The encryption function of logical and physical volumes supports the following key-protection methods: passphrase, key file, key server management solution (such as IBM Security Key Lifecycle Manager, called keyserv), Key Protect (IBM Key Protect for IBM Cloud®), HPCS (IBM Cloud® Hyper Protect Crypto Services), and platform keystore (PKS). The passphrase and key file methods require you to enter a password or a key file location manually. The key server and PKS methods can unlock and activate the encrypted volume automatically. For a key server method to qualify as an automatic method, you must either store the client certificate password in PKS or use a client certificate that has no password. You can run the following actions with the hdcryptmgr command to control authentication methods:
authinit
Syntax:
hdcryptmgr authinit [-h] [-e algo_detail] [-n name] device
Initializes the primary key and the encryption metadata of an encrypted volume. For each encrypted volume, the primary key and the encryption metadata must be initialized only once. At the same time, a first key-protection method (a passphrase) is added to the encryption metadata of the volume. The pvenable action parameter also runs the authinit action to initialize authentication on a physical volume. You can specify the following flags or values for the authinit action parameter:
-e
Specifies the data encryption algorithm, mode, and key length. The valid values of the -e flag are as follows:
prompt
Specifies that the encryption algorithm details are prompted when the command runs.
[algorithm]:[b|B][key_len][:w]
Specifies the encryption algorithm details. The supported algorithms are Advanced Encryption Standard XTS mode (AES-XTS) 128 bits or 256 bits. The character b refers to bits (default) of the key, character B refers to bytes of the key, and the key_len variable refers to the length of the key. The :w parameter overwrites the default values of the volume group with the specified values. By default, when a volume group or physical volume, in which encryption is enabled, is created, the default encryption algorithm is AES-XTS 128 bits.
-n
Specifies a name for the key-protection method. The name can be 1 - 15 characters long and can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the underscore), "-" (the minus sign), or "." (the period). All other characters are considered invalid.
device
Specifies the device name of the logical volume or the volume group or the physical volume for which the key-protection method must be initialized.
authadd
Syntax:
hdcryptmgr authadd [-h] [-t type [-m method_detail]] [-n name] device
Adds another key-protection method to an encrypted volume in which a key-protection method is already initialized. The encrypted volume must be unlocked when you add a method, because the new method must wrap the primary key of the volume. This action parameter can be specified with the following flags or values:
-t
Specifies the key-protection type. The valid values are pwd, keyfile, keyserv, hpcs, and pks.
-m
Specifies any additional information about the key-protection method that might include the following details:
  • Input path to the authentication key file
  • Key server ID in the KeySvr Object Data Manager (ODM) class
  • Key server name in the HpcsSvr Object Data Manager (ODM) class
-n
Specifies a name for the key-protection method. Name can be in the range 1 - 15 characters and can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the underscore), "-" (the minus sign), or "." (the period). All other characters are considered invalid.
device
Specifies the device name of the logical volume or physical volume for which the key-protection method must be added.

If you do not specify the required flags or values when you run the hdcryptmgr authadd command, you are prompted for them. For information about registering key server information, see the keysvrmgr command.

authunlock or authunl
Syntax:
hdcryptmgr authunlock [-h] [-t type [-m method_detail]] [-A] device
Authenticates to the encrypted volume and unlocks it. This action parameter can be specified with the following flags or values:
-A
Authenticates to the encrypted LV by using the automatic key-protection methods that do not require any user inputs. You can use this flag at a volume group (VG) level only if the VG uses automatic key-protection methods, such as a key server management solution or PKS.
-t
Specifies the type of the key-protection method. The valid values are pwd, keyfile, keyserv, hpcs, and pks.
-m
Specifies any additional information about the key-protection method that might include the following details:
  • Input path to the authentication key file
  • Key server ID in the KeySvr ODM class
  • Key server name in the HpcsSvr Object Data Manager (ODM) class
device
Specifies the device name of the logical volume or physical volume that must be authenticated and unlocked. This value is required, also when the -A flag is used; with -A, the device can also be a volume group, as described for that flag.

When you specify a device name, you can select the key-protection method by using the -t and -m flags. If more than one key-protection method meets the criteria, you are prompted to select one.

Note: For encrypted logical volumes that use key server authentication methods during the boot operation to decrypt the logical volume, the server or the client certificate must be located in the /etc directory or in the file systems that are mounted early in the boot operation sequence.
authcheck or authchk
Syntax:
hdcryptmgr authcheck [-h] [-t type [-m method_detail]] [-i index] [-n name] device
Checks the validity of an authentication method. This action parameter can be specified with the following flags or values:
-h
Displays help information.
-t
Specifies the type of the key-protection method. The valid values are pwd, keyfile, keyserv, hpcs, and pks.
-m
Specifies any additional information about the key-protection method that might include the following details:
  • Input path to the authentication key file
  • Key server ID in the KeySvr ODM class
  • Key server name in the HpcsSvr Object Data Manager (ODM) class
-i
Checks the authentication of only the specified index. Authentication type is automatically forced according to the selected index.
-n
Specifies the name of the key-protection method that must be checked. Name can be in the range 1 - 15 characters and can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the underscore), "-" (the minus sign), or "." (the period). All other characters are considered invalid.
device
Specifies the device name of the logical volume or physical volume that must be checked.
authdelete or authdel
Syntax:
hdcryptmgr authdelete [-h] [-t type [-m method_detail]] [-i index] [-n name] [-f] device
Removes a previously added key-protection method. This action parameter can be specified with the following flags:
-t
Specifies the key-protection type. The valid values are pwd, keyfile, keyserv, hpcs, and pks.
-m
Specifies any additional information about the key-protection method that might include the following details:
  • Input path to the authentication key file
  • Key server ID in the KeySvr ODM class
  • Key server name in the HpcsSvr Object Data Manager (ODM) class
-i
Specifies the index of the key-protection method that must be deleted.
-n
Specifies the name of the key-protection method that must be deleted. Name can be in the range 1 - 15 characters and can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the underscore), "-" (the minus sign), or "." (the period). All other characters are considered invalid.
-f
Specifies the force option. This flag bypasses the authentication method checks to remove the key-protection method.
device
Specifies the device name of the logical volume or physical volume for which the key-protection method must be deleted.

Only one key-protection method can be removed at a time. If you know the correct index or name of the key-protection method, you can specify the key-protection method by using the -i or -n flags. You can use the -t and -m flags to filter the list of existing key-protection methods. If multiple entries match the specified criteria, you are prompted to choose the key-protection method that must be removed.

Before the key-protection method is removed, the validity of the key-protection method is checked, unless the -f flag is used. You must authenticate to the volume with the selected key-protection method.

Note: Ensure that at least one key-protection method remains on the volume after the authdelete operation, preferably a passphrase, which does not depend on firmware or on an external key server. A volume with no key-protection method can no longer be unlocked.
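The note above is easy to violate from a script that deletes methods by index. The following guard is an added example and is not part of the hdcryptmgr documentation: it parses the LV AUTH METHODS section of hdcryptmgr showmd output and prints the authdelete command only if the index exists and at least one other method would remain. SAMPLE_ONE is the showmd output shown earlier on this page, trimmed to that section; SAMPLE_TWO is constructed by adding a second method, and the PKS type label in it is an assumption about how showmd renders that type.

```shell
#!/bin/sh
# Added example (not from the hdcryptmgr documentation): parse the
# "LV AUTH METHODS" section of 'hdcryptmgr showmd <device>' and refuse to
# emit an authdelete command that would remove the last key-protection
# method; with no method left, nothing can unwrap the primary key.
# SAMPLE_ONE is the page's own showmd output (trimmed to the section);
# SAMPLE_TWO is constructed by adding a PKS method, and the "PKS" type
# label in it is an assumption about how showmd renders that type.
# On AIX:  hdcryptmgr showmd ELV1 | authdelete_guard ELV1 <index>
LC_ALL=C; export LC_ALL

SAMPLE_ONE='============= B: LV AUTH METHODS ============
---- Index #0 -------------------------------
Method defined               : yes
Method name                  : initpwd
Authentication type          : Passphrase
Auto-auth method             : no
MasterKey crypto algorithm   : AES_GCM
---- Index #1 -------------------------------
Method defined               : no
============= E: LV AUTH METHODS ============'

SAMPLE_TWO='============= B: LV AUTH METHODS ============
---- Index #0 -------------------------------
Method defined               : yes
Method name                  : initpwd
Authentication type          : Passphrase
Auto-auth method             : no
MasterKey crypto algorithm   : AES_GCM
---- Index #1 -------------------------------
Method defined               : yes
Method name                  : initpks
Authentication type          : PKS
Auto-auth method             : yes
MasterKey crypto algorithm   : AES_GCM
---- Index #2 -------------------------------
Method defined               : no
============= E: LV AUTH METHODS ============'

# One line per defined method: "<index> <name> <type> <auto-auth>".
# Reads showmd output on stdin and ignores everything outside the section.
auth_methods() {
    awk '
        function flush() {
            if (defined == "yes") print idx, name, type, auto
            idx = ""; defined = ""; name = ""; type = ""; auto = ""
        }
        /B: LV AUTH METHODS/   { in_sec = 1; next }
        /E: LV AUTH METHODS/   { flush(); in_sec = 0 }
        !in_sec                { next }
        /^---- Index #/        { flush(); idx = $3; sub(/^#/, "", idx) }
        /^Method defined/      { defined = $NF }
        /^Method name/         { name = $NF }
        /^Authentication type/ { type = $NF }
        /^Auto-auth method/    { auto = $NF }
        END                    { flush() }
    '
}

# Number of defined methods in the showmd output on stdin.
defined_method_count() {
    auth_methods | grep -c .
}

# Print "hdcryptmgr authdelete -i <index> <device>" only when index $2 exists
# on $1 and at least one other method would remain; otherwise explain and
# return 1. Reads showmd output on stdin.
authdelete_guard() {
    dev=$1; idx=$2
    methods=$(auth_methods)
    if ! printf '%s\n' "$methods" | awk -v i="$idx" '$1 == i { found = 1 } END { exit !found }'; then
        echo "index $idx is not a defined method on $dev" >&2; return 1
    fi
    if [ "$(printf '%s\n' "$methods" | grep -c .)" -le 1 ]; then
        echo "refusing: index $idx is the only key-protection method on $dev" >&2; return 1
    fi
    echo "hdcryptmgr authdelete -i $idx $dev"
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_TWO" | authdelete_guard ELV1 1
printf '%s\n' "$SAMPLE_ONE" | authdelete_guard ELV1 0 || true
```

The guard prints the command rather than running it, so it can be reviewed or piped to sh; authdelete itself still verifies the selected method unless -f is given, so the guard only prevents the one mistake that authdelete does not catch for you.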
authsetrvgpwd or setrvgpwd
Syntax:
hdcryptmgr authsetrvgpwd [-h]
Sets a recovery password for the rootvg. When you install the operating system in an LPAR, if you enable the encryption of logical volumes, only the PKS authentication method is created for the encrypted LVs. After the installation is complete and the LPAR boots up in normal mode, you must run the hdcryptmgr authsetrvgpwd command to add a recovery password for the rootvg.

Managing PKS keys

The platform keystore (PKS) is a secure key-protection method that is available in IBM PowerVM® firmware of the IBM Power® E950. You can add the PKS key-protection method to an encrypted LV. You can use the following action parameters to manage the PKS keys for authentication.

pksshow
Syntax:
hdcryptmgr pksshow [-h]
Displays the PKS labels that are associated with the PKS keys, the status of each key, and the device that uses it. Labels that are stored in the PKS and labels that are stored in the volume metadata are both displayed; a label with the status UNKNOWN is present in the PKS but no longer matches any volume.
# hdcryptmgr pksshow

Total PKS size: 65536 bytes 
Used  PKS size: 479 bytes
Estimated encryption key slots: 747

PKS_Label (LVid)                              Status       Device
00fb293100004c0000000174c0a994b7.1            VALID        testlv
00fb293100004c0000000174c0a994b7.2            UNKNOWN
00fb293100004c0000000174c0a994b7.3            UNKNOWN

PKS_Label (PVuuid)                            Status       Device
pvuuid:706aa87a-e4d0-f2ec-3999-2631162226d2   VALID KEY    hdisk3

PKS_Label (objects)
ksvr:gpfs-pw-t2
pksclean
Syntax:
hdcryptmgr pksclean [-h] pks_label
Removes an invalid key from the PKS. You must specify the PKS label that is associated with the invalid key that you want to remove. This command must be used to remove the keys that are listed in the hdcryptmgr pksshow command output with the status as UNKNOWN.
pksexport
Syntax:
hdcryptmgr pksexport [-h] -p ExportFile device

Exports the PKS keys into the specified file. If you specify an LV or PV device name, the PKS key that is associated with the specified LV or PV is exported. If you specify a VG device name, all PKS keys that are associated with the logical volumes in the volume group are exported.

Note: You can export the PKS keys of multiple devices into the same file. In AIX 7.3.0, the existing file content is overwritten by the newly exported content. Therefore, using different passwords does not cause any problems. In AIX 7.3.1, and later, the new content is appended to the end of the existing file content. Therefore, you must use the same password for all the devices otherwise the pksimport command fails.
pksimport
Syntax:
hdcryptmgr pksimport [-h] -p ExportFile [device]
Imports PKS keys from the specified file into the PKS. If you specify an LV or PV device name, only the PKS key that is associated with that LV or PV is imported. If you specify a VG device name, all PKS keys that are associated with the logical volumes in the volume group are imported. If you do not specify a device name, all PKS keys in the file are imported.

Converting the encryption status of the logical volume

You can convert a regular logical volume to an encrypted logical volume, and vice versa. You can perform this conversion operation only on the logical volume that is active and online.
Warning: You must back up your data before you run the following conversion commands.
Note: Converting the encryption status of a logical volume is not supported on active boot, dump, paging, and aio_cache logical volume type.
The rootvg must have at least one free partition for converting the encryption status of logical volumes from encrypted to decrypted, and vice versa. When you convert the encryption status of a logical volume in the rootvg, the hdcryptmgr command creates a recovery logical volume to store the recovery data that is generated during the conversion. For logical volumes in user volume groups, the hdcryptmgr command stores the recovery data in a recovery file instead. Do not interrupt the conversion process, for example by sending it the SIGKILL signal; doing so might leave the logical volume in a dirty state. If a logical volume that is required for the boot process is in a dirty state, the logical partition might not start, and it must be repaired or recovered in maintenance mode. You can use the following action parameters to change the encryption status:
plain2crypt
Syntax:
hdcryptmgr plain2crypt [-h] [-e algo_detail] [-n name] [-f] device
Enables encryption in a logical volume, configures the encryption settings, and encrypts the LV data. This action parameter can be specified with the following flags and values:
-e
Specifies the data encryption algorithm, mode, and key length. The valid values of the -e flag are as follows:
prompt
Specifies that the encryption algorithm details are prompted when the command runs.
[algorithm]:[b|B][key_len][:w]
Specifies the encryption algorithm details. The supported algorithms are Advanced Encryption Standard XTS mode (AES-XTS) 128 bits or 256 bits. The character b refers to bits (default) of the key, character B refers to bytes of the key, and the key_len variable refers to the length of the key. The :w parameter overwrites the default values of the volume group with the specified values. By default, when a volume group or physical volume, in which encryption is enabled, is created, the default encryption algorithm is AES-XTS 128 bits.
-n
Specifies a name for the key-protection method. Name can be in the range 1 - 15 characters and can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the underscore), "-" (the minus sign), or "." (the period). All other characters are considered invalid.
-f
Specifies the force option. If you do not use this flag, the hdcryptmgr command prompts you to confirm that the data has been backed up. The force option suppresses this prompt.
device
Specifies the device name of the logical volume for which the encryption status must be converted.
crypt2plain
Syntax:
hdcryptmgr crypt2plain [-h] [-f] device
Decrypts the encrypted data of the specified logical volume and disables the encryption status of the specified logical volume. This action parameter can be specified with the following flags and values:
-f
Specifies the force option. If you do not use this flag, the hdcryptmgr command prompts you to confirm that the data has been backed up. The force option suppresses this prompt.
device
Specifies the device name of the logical volume for which the encryption status must be converted.

Managing the physical volume encryption

Physical volume (PV) encryption protects user data by encrypting data that is written to the physical volume. The base operating system performs physical volume data encryption and decryption during I/O operations. For more information about the physical volume encryption, see Encrypted physical volumes.

Note: If encryption of a shared physical volume is enabled or disabled by using the pvenable or pvdisable action parameters on one LPAR, you must run the rmdev and mkdev command for the shared physical volume on the other LPARs or reboot the other LPARs to recognize the changes to the encryption state of the shared physical volume.

You can run the following action parameters of the hdcryptmgr command on encrypted physical volumes:

pvenable
Syntax:
hdcryptmgr pvenable [-h] [-e algo_detail] [-n name] [-f] device
Enables encryption on a physical volume, configures the primary key, and initializes the first authentication method.
-h
Displays help information.
-e
Specifies the data encryption algorithm, mode, and key length. The valid values of the -e flag follow:
prompt
Specifies that the encryption algorithm details are prompted when the command runs.
[algorithm]:[b|B][key_len][:w]
Specifies the encryption algorithm details. The supported algorithms for physical volumes are Advanced Encryption Standard XTS mode (AES-XTS) 128 bits or 256 bits. The character b refers to bits (default) of the key, the character B refers to bytes of the key, and the key_len variable is the length of the key. The :w parameter overwrites the default values of the volume group with the specified values. By default, when you create a volume group or physical volume for which data encryption is enabled, the encryption algorithm is set to AES-XTS 128 bits.
-n
Specifies a name for the first key-protection method that is initialized on the physical volume. The name can be 1 - 15 characters long and can contain only the following characters: A - Z, a - z, 0 - 9, "_" (the underscore), "-" (the minus sign), or "." (the period). All other characters are invalid.
-f
Specifies the force option. If you do not use the -f flag, the hdcryptmgr command prompts you to confirm that the data in the physical volume on which data encryption is enabled, can be deleted.
device
Specifies the name of the physical volume on which encryption is enabled.
pvdisable
Syntax:
hdcryptmgr pvdisable [-h] [-f] device
Disables the physical volume encryption.
-h
Displays help information.
-f
Specifies the force option. If you do not use the -f flag, the hdcryptmgr command prompts you to confirm that the data in the physical volume on which data encryption is disabled, can be deleted.
device
Specifies the name of the physical volume on which encryption is disabled.
pvsavemd
Syntax:
hdcryptmgr pvsavemd [-h] -p file device
Saves physical volume encryption metadata to a file. When encryption is enabled on a physical volume by using the pvenable action parameter, the AIX operating system reserves space on the physical volume to store encryption metadata. The encryption metadata is used when the physical volume is unlocked for I/O operations. The pvsavemd action parameter saves a copy of the encryption metadata. The pvrecovmd action parameter validates the encryption metadata and boot record and also restores encryption metadata from a previously saved file.
Note: The pvsavemd and pvrecovmd action parameters save and recover only the encryption metadata on the physical volume. The pvsavemd action parameter does not save external data such as encryption details stored in PKS keys or on an external key server. The encryption details must be backed up separately.
-h
Displays help information.
-p
Specifies the file path to save the encryption metadata.
device
Specifies the name of the physical volume from which the encryption metadata is copied to a specified file.
pvrecovmd
Syntax:
hdcryptmgr pvrecovmd [-h] [-c] [-f] [-v] [-p File] device

The pvrecovmd action parameter verifies the encryption metadata on an encrypted physical volume and attempts to restore any corrupted encryption metadata.

The encrypted physical volume has two copies of the encryption metadata. The pvrecovmd action parameter validates and compares both the encryption metadata copies in the physical volume. If one of the encryption metadata copy is incorrect, the pvrecovmd action parameter overwrites the incorrect encryption metadata with the correct encryption metadata. The pvrecovmd action parameter also verifies the boot record and includes the correct tag in the boot record to indicate that the physical disk is encrypted. If you specify a file with previously saved encryption metadata, the pvrecovmd action parameter uses the content of the specified file to restore the encryption metadata on the physical volume.

-h
Displays help information.
-f
Specifies the force option. If the encryption metadata has issues that can be corrected, the pvrecovmd action parameter prompts you to confirm before the hdcryptmgr command corrects the corrupt encryption metadata. If the -f flag is specified, the pvrecovmd action parameter writes to the physical volume without the prompt.
-v
Specifies verbose mode. Prints a more detailed output if the physical volume device name is specified.
-p
Specifies the file path of the file, which contains metadata that is previously saved by the pvsavemd command.
-c
Checks the encryption metadata on the physical volume but does not update the physical volume.
device
Specifies the name of the physical volume for which encryption metadata is verified.
The pvrecovmd action parameter must be used only with an encryption-enabled physical volume. If you use the pvrecovmd action parameter on an unencrypted physical volume, the hdcryptmgr command might overwrite the user data on that physical volume. Use the -c flag first when you are not certain of the state of the disk.
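Because pvsavemd saves only the on-disk metadata and not the PKS key or key server details, a usable backup of an encrypted PV needs both pvsavemd and pksexport. The following script is an added example and is not part of the hdcryptmgr documentation; the invocation syntax of pvsavemd, pksexport and pvrecovmd -c is as documented on this page, while the directory layout, file names and the HDCRYPTMGR variable (which can be pointed at echo to dry-run the script off an AIX host) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the hdcryptmgr documentation): back up everything
# needed to bring an encrypted PV back: the on-disk encryption metadata
# (pvsavemd) and the PKS key that pvsavemd deliberately does not save
# (pksexport). Invocation syntax of the three actions is as documented on the
# page; everything else is this example's own choice. Set HDCRYPTMGR=echo to
# dry-run the script on a host without hdcryptmgr.
LC_ALL=C; export LC_ALL
: "${HDCRYPTMGR:=hdcryptmgr}"

# Save metadata and PKS key for each PV given. The export file holds key
# material, so the directory and files are created readable by the caller
# only. Prints the pair of files produced per PV.
backup_pv_crypto() {
    dir=$1; shift
    [ $# -gt 0 ] || { echo "usage: backup_pv_crypto DIR PV..." >&2; return 1; }
    umask 077
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    for pv in "$@"; do
        md="$dir/$pv.$stamp.md"
        pks="$dir/$pv.$stamp.pks"
        # One export file per PV: on AIX 7.3.1 and later pksexport appends to
        # an existing file and then needs one password for every device in it.
        "$HDCRYPTMGR" pvsavemd -p "$md" "$pv" || return 1
        "$HDCRYPTMGR" pksexport -p "$pks" "$pv" || return 1
        echo "$md $pks"
    done
}

# Non-destructive verification of a PV's metadata: -c checks but never writes.
check_pv_metadata() {
    "$HDCRYPTMGR" pvrecovmd -c "$1"
}

# Demo (dry run): HDCRYPTMGR=echo sh this_script.sh
[ "$HDCRYPTMGR" = echo ] && backup_pv_crypto /tmp/pvbak-demo hdisk24 hdisk25
```

Restoring from such a backup is the reverse order: hdcryptmgr pvrecovmd -p file device for the metadata, then hdcryptmgr pksimport -p file device for the key, and the PKS keys are only useful on the same LPAR's firmware, so keep the export file's password in the same place as the rootvg recovery password.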

Commands and function restrictions for encrypted LV

For more information about the logical volume commands or functions that are not supported when the LV is encrypted, see the Limitations section in Encrypting logical volumes.

Examples

Scenario: Creating an encrypted logical volume with the passphrase key-protection method
  1. Create a volume group in which encryption is enabled.
    # mkvg -k y hdisk1 hdisk2
    vg00
  2. Create an encrypted LV with a size of 32 MB.
    # mklv -k y vg00 32M
    mklv: Please run :
    # hdcryptmgr authinit lvname [..] to define LV encryption options.
    lv00
  3. Initialize the encryption configuration on the logical volume by using a primary key and the passphrase key-protection method.
    # hdcryptmgr authinit -n default lv00
    Enter Passphrase:
    Confirm Passphrase:
    Password authentication method added successfully
Scenario: Creating a file system in an encrypted LV
  1. Create a volume group in which encryption is enabled, create a logical volume with a size of 32 MB, and then initialize the encryption configuration for the logical volume.
    # mkvg -k y hdisk1 hdisk2
    vg00
    # mklv -t jfs2 -k y vg00 32M
    mklv: Please run :
    # hdcryptmgr authinit lvname [..] to define LV encryption options.
    fslv00
    # hdcryptmgr authinit -n default fslv00
    Enter Passphrase:
    Confirm Passphrase:
    Password authentication method added successfully
  2. Create a file system in the encrypted logical volume similar to creating it in a regular logical volume.
    # crfs -v jfs2 -d fslv00 -m /mnt/myfs -A no
    File system created successfully.
    32560 kilobytes total disk space.
    New File System size is 65536
Scenario: Authenticating to a logical volume in which encryption is enabled

When the volume group is varied off or the system is restarted, the authentication to the encrypted LV expires. You must authenticate to the encrypted LV to access its data. You must use the configured key-protection method for the encrypted LV. To authenticate an encryption-enabled LV, complete the following steps:

  1. Vary on the VG.
    # varyonvg vg00
    varyonvg: 1 encrypted LV defined in VG vg00.
    To check if a LV is encrypted and if it is unlocked, use:
            hdcryptmgr showlv vgname    or
            hdcryptmgr showlv lvname
    In order to unlock a LV, use:
            hdcryptmgr authunlock lvname
  2. Authenticate by using the passphrase key-protection method.
    # hdcryptmgr authunlock -t pwd fslv00
    Enter Passphrase:
    Password authentication succeeded
Scenario: Repairing corrupted PKS keys in encrypted LVs that are required to boot the operating system

If an encrypted LV is required to boot the operating system, the LV must have a valid PKS key; otherwise the boot process fails. In that case, you must boot the LPAR in maintenance mode. The following instructions apply when you boot the operating system in maintenance mode from a NIM server. In this example, the hdisk0 disk contains the rootvg, and the PKS key of the hd3 LV is corrupted.
  1. In the following screen, select 3:
           Maintenance 
    
    Type the number of your choice and press Enter.
    
        1 Access a Root Volume Group 
        2 Copy a System Dump to Removable Media
    >>> 3 Access Advanced Maintenance Functions
        4 Erase Disks
        5 Configure Network Disks (iSCSI)
        6 Select Storage Adapters
  2. In the following screen, select 0:
    Information for Advanced Maintenance Functions
    
    -------------------------------------------------------------------------------
     To return to the Maintenance Menu after completing maintenance
     activities, type exit on the command line and press Enter.
    
    -------------------------------------------------------------------------------
    
     Type the number of your choice and press Enter.
    
    >>> 0 Enter the Limited Function Maintenance Shell
    
  3. Run the following commands:
    # LIBPATH=/SPOT/usr/lib:$LIBPATH
    # importvg hdisk0
    # hdcryptmgr32 authunlock hd3
    # hdcryptmgr32 authdel -t pks hd3
    # hdcryptmgr32 authadd -t pks -n initpks hd3
  4. Repeat steps 1 - 3 for all encrypted LVs that need repair.
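Step 4 repeats the maintenance-shell commands for every LV that needs repair. The following POSIX shell script is an added example, not IBM's code: it wraps the command sequence from step 3 so that the volume group is imported once and the unlock/delete/add sequence runs once per LV, stopping at the first LV that cannot be unlocked (without the primary key the PKS method cannot be re-added). It assumes the same environment as the scenario (the NIM maintenance shell with hdcryptmgr32 and /SPOT/usr/lib available) and the method name initpks used on this page; the DRY_RUN switch and the run and repair_pks_keys function names are the example's own.

```shell
#!/bin/sh
# Added example (not IBM's code): repeat the maintenance-shell PKS repair
# sequence for several boot-critical LVs. Assumes the NIM maintenance shell
# from the scenario, where hdcryptmgr32 and /SPOT/usr/lib are available.
# Set DRY_RUN=1 to print the commands instead of running them.

DRY_RUN=${DRY_RUN:-0}

# run CMD ARGS...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# repair_pks_keys HDISK LV...: import the VG from HDISK once, then for each
# LV unlock it with another configured method, remove the corrupt PKS
# method and add a fresh PKS method named initpks (the name used above).
repair_pks_keys() {
    disk=$1
    shift
    LIBPATH=/SPOT/usr/lib:$LIBPATH
    export LIBPATH
    run importvg "$disk" || return 1
    for lv in "$@"; do
        # Stop at the first LV that cannot be unlocked: the PKS method can
        # only be re-added while the LV's primary key is available.
        run hdcryptmgr32 authunlock "$lv" || return 1
        run hdcryptmgr32 authdel -t pks "$lv" || return 1
        run hdcryptmgr32 authadd -t pks -n initpks "$lv" || return 1
    done
}

# Stand-alone demonstration: print the plan for two LVs without running it.
( DRY_RUN=1; repair_pks_keys hdisk0 hd3 hd4 )
```

Run it for real from the limited-function maintenance shell as `repair_pks_keys hdisk0 hd3 hd4` (with DRY_RUN unset); each authunlock call still prompts interactively for the configured key-protection method.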
Scenario: Recovering an aborted conversion operation of an LV that is required to boot the operating system

If the conversion of a regular logical volume to an encrypted logical volume, or vice versa, has stopped, you can resume the conversion operation by rerunning the same hdcryptmgr conversion command that you issued earlier. The hdcryptmgr conversion command reads the conversion recovery information and resumes the conversion process from the point where it stopped in the previous run. This applies regardless of whether the LV is used in the boot process. However, if the LPAR reboots while a conversion operation is in progress, the LV can be left in a dirty state (for example, the data block that was being converted is only partially encrypted). If that LV is required to boot the operating system, the reboot might fail. In such a scenario, you must boot the LPAR in maintenance mode and resume the conversion operation.

The following instructions assume that you are booting the operating system in maintenance mode by using the NIM server. The hdisk0 disk contains the rootvg, and the hd3 LV has turned into a dirty state because of an aborted conversion process.
  1. In the Maintenance menu, select 3 Access Advanced Maintenance Functions.
  2. In Advanced Maintenance Functions, select 0 Enter the Limited Function Maintenance Shell.
  3. Run the following commands:
    # LIBPATH=/SPOT/usr/lib:$LIBPATH
    # importvg hdisk0
    # hdcryptmgr32 plain2crypt hd3
Scenario: Creating an encrypted physical volume

When you create an encrypted physical volume, by default a passphrase key protection method is added to the encrypted physical volume. You can enable encryption for a physical volume (hdisk3) by using the following command:
# hdcryptmgr pvenable -f hdisk3
Enter Passphrase: 
Confirm Passphrase: 
Passphrase authentication method with name "initpwd" added successfully.

The -f flag indicates that the hdcryptmgr pvenable command can overwrite the data in the physical volume without prompting for a confirmation. After the hdcryptmgr pvenable command runs successfully, the physical volume is enabled for encryption and is unlocked for I/O operations. Any data that is written to the encrypted physical volume is encrypted and any data that is read from the encrypted physical volume is decrypted.

Scenario: Checking and correcting encrypted volume metadata

The hdcryptmgr pvrecovmd -c command validates the encryption metadata on an encrypted physical volume. If the physical volume has two copies of the encryption metadata, the pvrecovmd action parameter validates and compares both copies of the encryption metadata.

To validate the encryption metadata on a physical volume (hdisk24), enter the following command:
# hdcryptmgr pvrecovmd -cv hdisk24
If both copies of encryption metadata on the physical volume (hdisk24) are valid, the following message is displayed:
Metadata area 1 is valid.
Metadata area 2 is valid.
IPL record is valid for an encrypted disk.
All encryption fields for disk hdisk24 are valid.
Check of metadata on PV hdisk24 is complete.
pvrecovmd action complete.
If either copy of the encryption metadata on the physical volume (hdisk24) is corrupted, the following message is displayed:
Metadata area 1 is valid.
Disk metadata copy #2 is corrupt.
IPL record is valid for an encrypted disk.
Check of metadata on PV hdisk24 is complete.
pvrecovmd action complete.
To overwrite the corrupted encryption metadata with the correct encryption metadata on the physical volume (hdisk24), enter the following command:
# hdcryptmgr pvrecovmd hdisk24 -v
The hdcryptmgr pvrecovmd command displays the following message and prompts you to confirm whether the corrupted encryption metadata can be overwritten:
Metadata area 1 is valid.
Disk metadata copy #2 is corrupt.
IPL record is valid for an encrypted disk.
Preparing to write the following fields to the disk:
    Backup metadata
Warning, about to write to disk hdisk25
Do you wish to continue?  y(es) or n(o)?
If you want to overwrite the corrupted encryption metadata, enter y. The hdcryptmgr pvrecovmd command overwrites the corrupted encryption metadata with the correct encryption metadata and displays the following message:
Encrypted disk recovery attempt complete.
pvrecovmd action complete.
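The messages above are what an administrator would scan when auditing many encrypted physical volumes. The following POSIX shell script is an added example, not IBM's code: it classifies the output of `hdcryptmgr pvrecovmd -cv` as ok, corrupt (with the corrupt copy numbers) or incomplete, so that a health check can flag disks whose backup metadata needs the non-check `hdcryptmgr pvrecovmd` run shown above. The two sample outputs are constructed from the messages on this page; the classify_pvrecovmd and check_pv function names are the example's own, and check_pv assumes hdcryptmgr is on the PATH.

```shell
#!/bin/sh
# Added example (not IBM's code): classify "hdcryptmgr pvrecovmd -cv" output
# so an automated health check can flag disks that need metadata recovery.

# Constructed sample (from the messages on this page): both copies valid.
SAMPLE_OK='Metadata area 1 is valid.
Metadata area 2 is valid.
IPL record is valid for an encrypted disk.
All encryption fields for disk hdisk24 are valid.
Check of metadata on PV hdisk24 is complete.
pvrecovmd action complete.'

# Constructed sample (from the messages on this page): second copy corrupt.
SAMPLE_CORRUPT='Metadata area 1 is valid.
Disk metadata copy #2 is corrupt.
IPL record is valid for an encrypted disk.
Check of metadata on PV hdisk24 is complete.
pvrecovmd action complete.'

# classify_pvrecovmd OUTPUT
# Prints "ok", "corrupt:<n>[,<n>...]" or "incomplete" and returns
# 0, 1 or 2 respectively, so callers can branch on the exit status.
classify_pvrecovmd() {
    out=$1
    # Only trust the result when the action ran to completion.
    case $out in
        *"pvrecovmd action complete."*) ;;
        *) printf 'incomplete\n'; return 2 ;;
    esac
    # Collect the numbers of every copy reported as corrupt.
    corrupt=$(printf '%s\n' "$out" | awk '
        /^Disk metadata copy #[0-9]+ is corrupt\.$/ {
            sub(/^Disk metadata copy #/, ""); sub(/ is corrupt\.$/, "")
            list = list (list == "" ? "" : ",") $0
        }
        END { print list }')
    if [ -n "$corrupt" ]; then
        printf 'corrupt:%s\n' "$corrupt"
        return 1
    fi
    # A clean run also reports that all encryption fields are valid.
    case $out in
        *"All encryption fields for disk "*" are valid."*) printf 'ok\n'; return 0 ;;
        *) printf 'incomplete\n'; return 2 ;;
    esac
}

# check_pv HDISK: run the real check (assumes hdcryptmgr is on the PATH)
# and classify its output; usage: check_pv hdisk24
check_pv() {
    classify_pvrecovmd "$(hdcryptmgr pvrecovmd -cv "$1" 2>&1)"
}

# Stand-alone demonstration on the constructed samples.
printf 'sample 1 -> %s\n' "$(classify_pvrecovmd "$SAMPLE_OK")"
printf 'sample 2 -> %s\n' "$(classify_pvrecovmd "$SAMPLE_CORRUPT")"
```

A cron job can loop `check_pv` over the encrypted disks and alert on any non-zero status; the corrupt case is the one that calls for the confirmed `hdcryptmgr pvrecovmd hdisk24 -v` recovery described above, while an incomplete result should be investigated rather than repaired automatically.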

Files

/usr/sbin/hdcryptmgr
Contains the hdcryptmgr command.