Encrypted logical volumes

To protect business and personal data, starting with IBM® AIX® 7.2 with Technology Level 5, the Logical Volume Manager (LVM) supports data encryption at the logical volume (LV) level. By using this feature, you can encrypt data at rest to protect against data exposure due to lost or stolen hard disk drives or inappropriately decommissioned computers. The term data at rest refers to inactive data that is stored physically in any digital form.

Each LV is encrypted with a unique key. The logical volume data is encrypted before the data is written to the physical volume. This data is decrypted when it is read from the physical volume. By default, data encryption is not enabled in logical volumes. The data encryption option must be enabled at the volume group level before you enable the data encryption option at the logical volume level.

The LV encryption creates one data encryption key for each logical volume. The data encryption key is protected by storing the keys separately in other data storage devices. The following types of key protection methods are supported:
  • Passphrase
  • Key file
  • Cryptographic key server
  • Platform keystore (PKS) (available in IBM PowerVM® firmware of the IBM Power® System FW950)

Advantages of LV encryption

Encrypted file system (EFS) provides data encryption at the file system level. EFS manages the data encryption key at the file level and protects the data encryption key for each user. If you want to avoid the complexity of fine-grained control of file system encryption and selective file encryption, you can choose logical volume encryption of data, which has the following advantages:
  • The data owner controls the encryption keys.
  • The data that is transmitted over the network (Fibre Channel or Ethernet) is encrypted and protected. This characteristic is important for virtual servers that are hosted in a cloud environment.

For more information about the LV encryption architecture, see the blog: AIX 72 TL5: Logical Volume Encryption

LV encryption enhancements
Starting from AIX 7.3, the following enhancements are added to the LV encryption function:
  • You can encrypt LVs in the root volume group (rootvg) that are used in the boot process. The LV encryption option must be selected during the installation of the base operating system. For more information, see BOS installation options.
  • After you install the base operating system, you can use the hdcryptmgr conversion commands to change the encryption setting of an LV. However, the conversion of an LV in the rootvg is different from the conversion of an LV in a user volume group. When you run the hdcryptmgr conversion command to change the encryption status of an LV in a rootvg, the hdcryptmgr command creates an LV to store the conversion recovery data. When you run the hdcryptmgr conversion command to change the encryption status of an LV in a user volume group, the hdcryptmgr command stores the conversion recovery data in a file that is in the /var/hdcrypt directory. Therefore, the rootvg must have at least one free logical partition for successful conversion. When the conversion status of the encryption is successful, the LV that contains the conversion recovery data is deleted.
  • When the rootvg is varied on, the network is not available. Hence, the platform keystore (PKS) authentication method must be available for LVs that are used in the boot process. If the PKS authentication method is not available for an encrypted LV in the rootvg, the LV remains locked and thus not accessible until it is explicitly unlocked later. Also, you cannot delete a valid PKS authentication method from an LV in the rootvg that is used in the boot process. If you convert an unencrypted LV, which is used in the boot process, to an encrypted LV, the PKS authentication method is automatically added to the LV. If the PKS authentication method is not available or is corrupted for an encrypted LV that is used in the boot process, you must boot the operating system in maintenance mode and repair the PKS authentication method before you can resume the normal boot operation.
  • The following commands are enhanced to support LV encryption: cplv, splitvg, splitlvcopy, chlvcopy, snapshot, savevg, and restvg.
  • You can encrypt an LV in concurrent mode. If you change the encryption status of an LV in a node that is in concurrent mode, you cannot access the other nodes until the encryption conversion is complete.
  • AIX 7.3 TL1 supports Hyper Protect Crypto Services (HPCS) for AIX logical volume encryption. To use HPCS with AIX, you must provision Power Systems Virtual Server. The keysvrmgr command provides options to manage the integration.

LV encryption commands

You can use the following commands to manage encryption keys and key server information:
hdcryptmgr command
The hdcryptmgr utility manages encrypted LVs, including tasks such as displaying logical volume and volume group encryption information, controlling authentication, and many other functions. The utility and its help messages are built in a hierarchical and self-explanatory manner. The following snippet shows a summary of the command usage. For a detailed manual page, see hdcryptmgr command.
# hdcryptmgr -h
Usage: hdcryptmgr <action> <..options..>

Display :
showlv        : Displays LV encryption status
showvg        : Displays VG encryption capability
showpv        : Displays PV encryption capability
showmd        : Displays encryption metadata related to device
showconv      : Displays status of all active and stopped conversions

Authentication control :
authinit      : Initializes master key for data encryption
authunlock    : Authenticates to unlock master key of the device
authadd       : Adds additional authentication methods
authcheck     : Checks validity of an authentication method
authdelete    : Removes an authentication method
authsetrvgpwd : Adds "initpwd" passphrase method to all rootvg's LVs

PKS management :
pksimport     : Import the PKS keys
pksexport     : Export the PKS keys
pksclean      : Removes a PKS key
pksshow       : Displays PKS keys status

Conversion :
plain2crypt   : Converts a LV to encrypted
crypt2plain   : Converts a LV to not encrypted

PV encryption management :
pvenable      : Enables the Physical Volume Encryption
pvdisable     : Disables the Physical Volume Encryption
pvsavemd      : Save encrypted physical volume metadata to a file
pvrecovmd     : Recover encrypted physical volume metadata from a file
keysvrmgr command
For the key server method, you can use the keysvrmgr utility to manage Object Data Manager (ODM) entries that are associated with the key server information such as the key server hostname or IP address, the connection port, and certification location. The following snippet shows a summary of the command usage. For a detailed manual page, see keysvrmgr command.
# keysvrmgr -h
Usage: keysvrmgr <action> [-h] -t <server_type> <options> server_name
Manage ODM data for key server and HPCS. 

<action> is one of the following: 
add     : Add a new key server or HPCS to ODM. 
modify  : Modify a key server or HPCS ODM record. 
remove  : Remove a keyserver or HPCS ODM record. 
show    : Display key server or HPCS ODM records. 
verify  : Verify a HPCS ODM record (HPCS only). 
rekey   : Generate a new API key for a HPCS ODM record (HPCS only). 

<server_type> is one of the following:
keyserv : For (KMIP compliant) key management server. 
hpcs    : For IBM Cloud Hyper Protect Crypto Services. 

For more details on <options> run : keysvrmgr <action> -h

Prerequisites for using LV encryption

  • Use AIX 7.2.5 or later to encrypt a logical volume.
  • The following filesets must be installed to encrypt LV data. These filesets are included in the base operating system.
    • bos.hdcrypt
    • bos.kmip_client
    • bos.rte.lvm
    • security.acf
    • openssl.base
    • oss.lib.libcurl
    • oss.lib.libjson-c
    Note: The bos.hdcrypt and bos.kmip_client filesets are not installed automatically when you run the smit update_all command or during an operating system migration operation. You must install them separately from your software source, such as a DVD or an ISO image.

Creating and authenticating an encrypted logical volume

To create an encrypted logical volume, complete the following procedures:
  1. Create an encryption-enabled volume group.
  2. Create an encryption-enabled logical volume.
  3. Authenticate the primary encryption key of the logical volume.
Create an encryption-enabled volume group
To create an encryption-enabled volume group, complete the following steps:
  1. Create a volume group in which the data encryption option is enabled by running the following command:
    mkvg -f -y testvg -k y hdisk2
    where testvg is the name of the new volume group and hdisk2 is the physical volume that is used for the volume group.
  2. Check the details of the new volume group by running the following command:
    # lsvg testvg
    
    VOLUME GROUP:       testvg              VG IDENTIFIER: 00fb294400004c0000000176437c6663
    VG STATE:           active              PP SIZE:        8 megabyte(s)
    VG PERMISSION:      read/write          TOTAL PPs:      637 (5096 megabytes)
    MAX LVs:            256                 FREE PPs:       637 (5096 megabytes)
    LVs:                0                   USED PPs:       0 (0 megabytes)
    OPEN LVs:           0                   QUORUM:         2 (Enabled)
    TOTAL PVs:          1                   VG DESCRIPTORS: 2
    STALE PVs:          0                   STALE PPs:      0
    ACTIVE PVs:         1                   AUTO ON:        yes
    MAX PPs per VG:     32512                                     
    MAX PPs per PV:     1016                MAX PVs:        32
    LTG size (Dynamic): 512 kilobyte(s)     AUTO SYNC:      no
    HOT SPARE:          no                  BB POLICY:      relocatable
    PV RESTRICTION:     none                INFINITE RETRY: no
    DISK BLOCK SIZE:    512                 CRITICAL VG:    no
    FS SYNC OPTION:     no                  CRITICAL PVs:   no
    ENCRYPTION:         yes
  3. Check the encryption state of varied on volume groups by running the following command:
    # hdcryptmgr showvg
    
    VG NAME / ID         ENCRYPTION ENABLED 
    testvg                        yes                
    rootvg                        no
    
  4. Check the volume group encryption metadata by running the following command:
    # hdcryptmgr showmd testvg
    .....
    .....    Mon Dec  7 21:19:00 2020
    .....    Device type : VG
    .....    Device name : testvg
    .....
    =============== B: VG HEADER ================
    Version                      : 0
    Timestamp                    : Mon Dec  7 21:16:04 2020
    Default data crypto algorithm: AES_XTS
    Default MasterKey size       : 16 bytes
    Auto-auth (during varyonvg)  : Enabled
    =============== E: VG HEADER ================
    =============== B: VG TRAILER ===============
    Timestamp        : Mon Dec  7 21:16:04 2020
    =============== E: VG TRAILER ===============
    
Create an encryption-enabled logical volume
To create an encryption-enabled logical volume, complete the following steps:
  1. Create a logical volume in which the data encryption option is enabled by running the following command:
    # mklv -k y -y testlv testvg 10
    testlv
    mklv: Please run :
    hdcryptmgr authinit lvname [..] to define LV encryption options.
    
  2. Check the details of the new logical volume by running the following command:
    # lslv testlv
    
    LOGICAL VOLUME:     testlv                             VOLUME GROUP:   testvg
    LV IDENTIFIER:      00fb294400004c0000000176437c6663.1 PERMISSION:     read/write
    VG STATE:           active/complete                    LV STATE:       closed/syncd
    TYPE:               jfs                                WRITE VERIFY:   off
    MAX LPs:            512                                PP SIZE:        8 megabyte(s)
    COPIES:             1                                  SCHED POLICY:   parallel
    LPs:                10                                 PPs:            10
    STALE PPs:          0                                  BB POLICY:      relocatable
    INTER-POLICY:       minimum                            RELOCATABLE:    yes
    INTRA-POLICY:       middle                             UPPER BOUND:    32
    MOUNT POINT:        N/A                                LABEL:          None
    MIRROR WRITE CONSISTENCY: on/ACTIVE                             
    EACH LP COPY ON A SEPARATE PV ?: yes                                   
    Serialize IO ?:     NO                                    
    INFINITE RETRY:     no                                 PREFERRED READ: 0
    ENCRYPTION:         yes
    
  3. Check the authentication state of the logical volume by running the following command:
    # hdcryptmgr showlv testlv
    LV NAME   CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)  CONVERSION     
    testlv         yes              no             100             done
    
Authenticate the primary encryption key of the logical volume
To authenticate the primary encryption key of the logical volume, complete the following steps:
  1. Initialize the primary key for an encrypted logical volume by running the following command. The logical volume is not accessible until the first passphrase method is initialized.
    # hdcryptmgr authinit testlv
    Enter Passphrase:
    Confirm Passphrase:
    Passphrase authentication method with name "initpwd" added successfully.
    
  2. Check the authentication status and authentication methods for the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME    CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
    testlv          yes             yes             100              done           
    
    -- Authentication methods ------------
    INDEX         TYPE               NAME
    #0            Passphrase         initpwd
    
  3. Vary off and vary on the volume group by running the following commands:
    # varyoffvg testvg
    # varyonvg testvg
    
  4. Check the authentication status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv
    LV NAME      CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
    testlv            yes              no             100              done    
    
    The output shows that the logical volume testlv is not authenticated.
  5. Unlock the authentication of the logical volume by running the following command:
    # hdcryptmgr authunlock testlv
    Enter Passphrase:
    Passphrase authentication succeeded.
    
  6. Check the authentication state of the logical volume by running the following command:
    # hdcryptmgr showlv testlv
    LV NAME      CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
    testlv           yes              yes             100              done  
    

Adding the platform keystore (PKS) authentication method

To add the Platform keystore (PKS) authentication method, complete the following steps:
  1. Check the LPAR PKS status by running the following command:
    # hdcryptmgr pksshow
    3020-0349 PKS is not supported or PKS is not activated.
    3020-0218 hdcrypt driver service error. QUERY_PKS service failed with error 124: An attempt was made to set an attribute to an unsupported value.
    

    The output in this example shows that the PKS is not activated. The keystore size of a logical partition is set to 0 by default.

  2. Shut down the LPAR and increase the keystore size in the associated HMC. The keystore size is in the range 4 KB – 64 KB. You cannot change the value of the keystore size when the LPAR is active.
  3. Check the LPAR PKS status again by running the following command:
    # hdcryptmgr pksshow
    PKS uses 32 bytes on a maximum of 4096 bytes.
    PKS_Label (LVid)                Status
    PKS_Label (objects)
    
  4. Add the PKS authentication method to the logical volume by running the following command:
    # hdcryptmgr authadd -t pks -n pks1 testlv 
    PKS authentication method with name "pks1" added successfully.
    
  5. Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME        CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
    testlv         yes              yes              100              done           
    -- Authentication methods ------------
    INDEX         TYPE                 NAME
    #0            Passphrase           initpwd     
    #1            PKS                  pks1        
    
  6. Check the PKS status by running the following command:
    # hdcryptmgr pksshow
    PKS uses 116 bytes on a maximum of 4096 bytes.
    PKS_Label (LVid)                         Status
    00fb294400004c0000000176437c6663.1       VALID KEY
    PKS_Label (objects)
    

    PKS is an automatic authentication method, which means that the varyonvg command automatically unlocks the authentication of the logical volume.

  7. Vary off the volume group by running the following command:
    # varyoffvg testvg
  8. Check the PKS status by running the following command:
    # hdcryptmgr pksshow
    PKS uses 116 bytes on a maximum of 4096 bytes.
    PKS_Label (LVid)                            Status
    00fb294400004c0000000176437c6663.1       UNKNOWN
    PKS_Label (objects) 
    
  9. Vary on the volume group by running the following command:
    # varyonvg testvg
  10. Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv
    LV NAME         CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
    testlv          yes              yes              100              done           
    

Adding the key server authentication method

You can use any Key Management Interoperability Protocol (KMIP) compliant key management server for this type of authentication method. In this example, the AIX logical partition is installed and configured with IBM Security Key Lifecycle Manager (SKLM) V4.0 for AIX, and Security Key Lifecycle Manager is used as the encryption key server.

To add the key server authentication method, complete the following steps:
  1. Check the key servers in the LPAR by running the following command:
    # keysvrmgr show
    3020-0279 No key server in database
    
  2. Add encryption key server with the name keyserver1 by running the following command:
    # keysvrmgr add -i 9.X.X.X -s /tmp/sklm_cert.cer -c /tmp/ssl_client_cer.p12 keyserver1
    Key server keyserver1 successfully added
    
  3. Check the key servers in the LPAR again by running the following command:
    # keysvrmgr show                                                                                   
    List of key servers:
    ID                    PWD            IP:PORT
    keyserver1            N              9.X.X.X:5696
    
  4. Check the encryption key server information that is saved in the ODM KeySvr object class by running the following command:
    # odmget KeySvr
    KeySvr:
            keysvr_id = "keyserver1"
            ip_addr = "9.X.X.X"
            port = 5696
            svr_cert_path = "/tmp/sklm_cert.cer"
            cli_cert_path = "/tmp/ssl_client_cer.p12"
            flags = 0
    
  5. Add the key server authentication method to the logical volume by running the following command:
    # hdcryptmgr authadd -t keyserv -n key1_testlv -m keyserver1 testlv
    Keyserver authentication method with name "key1_testlv" added successfully.
    
  6. Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv -v testlv
    LV NAME          CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
    testlv           yes              yes              100              done           
    -- Authentication methods ------------
    INDEX                 TYPE               NAME
    #0                    Passphrase         initpwd     
    #1                    PKS                pks1        
    #2                    Keyserver          key1_testlv
    

Adding key file authentication method

To add key file authentication method, complete the following steps:
  1. Create a file named testfile that contains the passphrase text by running the following command:
    # cat /testfile
    Add1ng Key f1le authent1cation meth0d
    
  2. Add the key file authentication method to the logical volume by running the following command:
    # hdcryptmgr authadd -t keyfile -n key1_file -m /testfile testlv
    Keyfile authentication method with name "key1_file" added successfully.
    
  3. Check the contents of the testfile file by running the following command:
    # cat /testfile
    Add1ng Key f1le authent1cation meth0d
    00fb294400004c0000000176437c6663.1 xdxKjlJvZU+f9lFTgSM63kGoIoKW6Yxc+bKrk5GgCzc=
    
  4. Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME          CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION
    testlv           yes              yes              100              done          
    -- Authentication methods ------------
    INDEX              TYPE               NAME
    #0                 Passphrase         initpwd     
    #1                 PKS                pks1        
    #2                 Keyserver          key1_testlv    
    #3                 Keyfile            key1_file 
    

Adding passphrase authentication method

To add the passphrase authentication method, complete the following steps:
  1. Add the passphrase authentication method to the logical volume by running the following command:
    # hdcryptmgr authadd -t pwd -n test_pwd testlv                 
    Enter Passphrase:
    Confirm Passphrase:
    Passphrase authentication method with name "test_pwd" added successfully.
    
  2. Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
    testlv               yes              yes              100              done           
    -- Authentication methods ------------
    INDEX         TYPE            NAME
    #0            Passphrase      initpwd     
    #1            PKS             pks1        
    #2            Keyserver       key1_testlv    
    #3            Keyfile         key1_file   
    #4            Passphrase      test_pwd   
    

Migrating the PKS to another LPAR before the volume group is migrated

To migrate the platform keystore (PKS) to another LPAR, complete the following steps:
  1. Export the PKS keys into another file by running the following command:
    # hdcryptmgr pksexport -p /tmp/pksexp testvg 
    Enter Passphrase:
    Confirm Passphrase:
    1 PKS keys exported.
    
  2. Import the volume group to another LPAR by running the following command:
    # importvg -y testvg hdisk2
  3. Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME          CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
    testlv           yes              yes              100              done           
    -- Authentication methods ------------
    INDEX         TYPE             NAME
    #0            Passphrase       initpwd     
    #1            PKS              pks1        
    #2            Keyserver        key1_testlv    
    #3            Keyfile          key1_file   
    #4            Passphrase       test_pwd
    
  4. Check whether the authentication method is valid and accessible by running the following command:
    # hdcryptmgr authcheck -n pks1  testlv
    3020-0199 Key does not exist in PKS storage.
    3020-0127 hdcryptmgr authcheck failed for LV testlv.
    
  5. Move the PKS key file to a new LPAR and run the following command:
    #  hdcryptmgr pksimport -p /tmp/pksexp testvg             
    Enter Passphrase:
    3020-0341 Key having LVid 00fb294400004c0000000176437c6663.1 is successfully imported in LV testlv.
    1 PKS keys imported.
    
  6. Check whether the authentication method is valid and accessible by running the following command:
    # hdcryptmgr authcheck -n pks1  testlv
    PKS authentication check succeeded.
    

Changing the encryption policy of the volume group

Encryption metadata is saved at the end of each disk in the volume group. Enabling the volume group encryption requires free physical partitions on each disk in the volume group.
  1. Change the data encryption option of the volume group by running the following command:
    # chvg -k y testvg
    0516-1216 chvg: Physical partitions are being migrated for volume group
                    descriptor area expansion.  Please wait.
    
  2. Check the details of the volume group by running the following command:
    # lsvg testvg
    VOLUME GROUP:       testvg              VG IDENTIFIER:  00fb294400004c000000017648ff8d32
    VG STATE:           active              PP SIZE:        8 megabyte(s)
    VG PERMISSION:      read/write          TOTAL PPs:      636 (5088 megabytes)
    MAX LVs:            256                 FREE PPs:       506 (4048 megabytes)
    LVs:                1                   USED PPs:       130 (1040 megabytes)
    OPEN LVs:           0                   QUORUM:         2 (Enabled)
    TOTAL PVs:          1                   VG DESCRIPTORS: 2
    STALE PVs:          0                   STALE PPs:      0
    ACTIVE PVs:         1                   AUTO ON:        yes
    MAX PPs per VG:     32512                                     
    MAX PPs per PV:     1016                MAX PVs:        32
    LTG size (Dynamic): 512 kilobyte(s)     AUTO SYNC:      no
    HOT SPARE:          no                  BB POLICY:      relocatable
    PV RESTRICTION:     none                INFINITE RETRY: no
    DISK BLOCK SIZE:    512                 CRITICAL VG:    no
    FS SYNC OPTION:     no                  CRITICAL PVs:   no
    ENCRYPTION:         yes  
    

Changing the encryption policy of the logical volume

To change the encryption policy, complete the following steps:
Note: This capability is for experimental use only.
  1. Enable the logical volume encryption by running the following command:
    # hdcryptmgr plain2crypt testlv
    Enter Passphrase:
    Confirm Passphrase:
    Passphrase authentication method with name "initpwd" added successfully.
    Created recovery file : /var/hdcrypt/conv.004200021607542921
    In case of error or if the conversion is canceled, this file may be
    necessary to be able to recover the LV. If the conversion is fully
    successful, then the file will be removed automatically
    Successfully converted LV testlv to an encrypted LV.
    
    This command performs the following operations:
    • Enables the encryption policy of the logical volume
    • Initializes the master-key and encryption metadata for an encrypted logical volume
    • Encrypts the data in the logical volume
  2. Check the details of the logical volume by running the following command:
    # lslv testlv
    LOGICAL VOLUME:     testlv                              VOLUME GROUP:   testvg
    LV IDENTIFIER:      00fb294400004c000000017648ff8d32.2  PERMISSION:     read/write
    VG STATE:           active/complete                     LV STATE:       closed/syncd
    TYPE:               jfs                                 WRITE VERIFY:   off
    MAX LPs:            512                                 PP SIZE:        8 megabyte(s)
    COPIES:             1                                   SCHED POLICY:   parallel
    LPs:                10                                  PPs:            10
    STALE PPs:          0                                   BB POLICY:      relocatable
    INTER-POLICY:       minimum                             RELOCATABLE:    yes
    INTRA-POLICY:       middle                              UPPER BOUND:    32
    MOUNT POINT:        N/A                                 LABEL:          None
    MIRROR WRITE CONSISTENCY: on/ACTIVE                             
    EACH LP COPY ON A SEPARATE PV ?: yes                                   
    Serialize IO ?:     NO                                    
    INFINITE RETRY:     no                                  PREFERRED READ: 0
    ENCRYPTION:         yes 
    
  3. Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
    testlv               yes              yes              100              done           
    -- Authentication methods ------------
    INDEX         TYPE                 NAME
    #0                 Passphrase    initpwd     
    

Best practices

  • Use an inline log device for a file system that is created from an encrypted logical volume.
  • If the file system is created with an external log device and the log device is shared across multiple file systems, unlock the authentication (hdcryptmgr authunlock) for all encrypted logical volumes before you mount the file system.
  • Use a non-PKS authentication method to unlock the authentication of a snapshot volume group.
  • To copy an encrypted logical volume by using the cplv command, create a logical volume in which encryption is enabled and use the logical volume as a destination logical volume to copy the source logical volume.

Limitations of LV encryption

If an LV is encrypted, the following LV commands or functions are not supported:
AIX Live Update
The Live Update operation is not supported if the LV encryption is enabled.
I/O serialization
I/O serialization is not guaranteed while an LV encryption conversion is in progress.

File system consideration for LV encryption

Consider the following items when you create or modify file systems that are associated with an encrypted LV:
  • When you create or mount a file system on an encrypted LV, ensure that the encrypted LV is unlocked and activated.
  • If an encrypted LV that hosts a file system exported through the Network File System (NFS) /etc/exports file is not unlocked during system boot, the mount operation for the file system fails and the table of physical file systems in the /etc/exports file is not updated. After the encrypted LV is unlocked and the file system is mounted, you can run the exportfs -a command to update the /etc/exports file.
  • In Enhanced Journaled File System (JFS2), you can use a single log device across multiple file systems. If the log device is shared across multiple file systems and the LV that is used by those file systems is encrypted, the LV must be unlocked before you mount the file systems.
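A preflight check that applies the best practices and file system considerations above, together with the free-partition requirement from the enhancements list: an added example written for this page, not an IBM-supplied script. It parses constructed samples of the hdcryptmgr showlv and lsvg tables shown on this page (the loglv00 and datalv names and the datavg group are invented) and only prints the authunlock commands it would run, so the list can be reviewed before a file system that shares an external log device is mounted.

```shell
#!/bin/sh
# Constructed sample of `hdcryptmgr showlv` output, modelled on the tables above.
# Not captured from a real system: loglv00 and datalv are invented LV names.
SAMPLE_SHOWLV='LV NAME      CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION
testlv            yes              no             100              done
loglv00           no               no             0                none
datalv            yes              yes            100              done'

# Constructed `lsvg` excerpts (only the lines the check reads): an encryption-enabled
# VG with free PPs, and an invented plain VG with none.
SAMPLE_LSVG_OK='VOLUME GROUP:       testvg
MAX LVs:            256                 FREE PPs:       506 (4048 megabytes)
LVs:                1                   USED PPs:       130 (1040 megabytes)
ENCRYPTION:         yes'
SAMPLE_LSVG_PLAIN='VOLUME GROUP:       datavg
MAX LVs:            256                 FREE PPs:       0 (0 megabytes)
ENCRYPTION:         no'

# locked_lvs: read `hdcryptmgr showlv` output on stdin and print the names of LVs
# that are encrypted (CRYPTO ENABLED = yes) but still locked (AUTHENTICATED = no).
# These are the LVs that need `hdcryptmgr authunlock` before their file systems mount.
locked_lvs() {
    awk 'NR > 1 && $2 == "yes" && $3 == "no" { print $1 }'
}

# unlock_plan: print, without executing, one authunlock command per locked LV, so the
# list can be reviewed before a shared external log device is mounted.
unlock_plan() {
    locked_lvs | while read -r lv; do
        printf 'hdcryptmgr authunlock %s\n' "$lv"
    done
}

# vg_conversion_check: read `lsvg` output on stdin. Prints "ok" and returns 0 when the
# VG is encryption-enabled and reports at least one free PP (chvg -k y needs free PPs
# on every disk, and a rootvg conversion needs one free LP for its recovery data; the
# VG-wide total is only a coarse check). Otherwise prints the reason and returns 1.
vg_conversion_check() {
    awk '
        /^ENCRYPTION:/ { enc = $2 }
        /FREE PPs:/ {
            for (i = 2; i <= NF; i++)
                if ($(i - 1) == "FREE" && $i == "PPs:") free_pps = $(i + 1)
        }
        END {
            if (enc != "yes")     { print "not encryption-enabled (run chvg -k y first)"; exit 1 }
            if (free_pps + 0 < 1) { print "no free physical partitions"; exit 1 }
            print "ok"
        }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SHOWLV" | unlock_plan
printf '%s\n' "$SAMPLE_LSVG_OK" | vg_conversion_check || echo "testvg: not ready"
printf '%s\n' "$SAMPLE_LSVG_PLAIN" | vg_conversion_check || echo "datavg: not ready"
```

On a live system, pipe the real command output into the functions instead of the samples (for example, hdcryptmgr showlv | unlock_plan).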