Encrypted logical volumes
To protect business and personal data, starting with IBM® AIX® 7.2 with Technology Level 5, the Logical Volume Manager (LVM) supports data encryption at the logical volume (LV) level. By using this feature, you can encrypt data at rest to protect against data exposure from lost or stolen hard disk drives or inappropriately decommissioned computers. The term data at rest refers to inactive data that is stored physically in any digital form.
Each LV is encrypted with a unique key. The logical volume data is encrypted before the data is written to the physical volume. This data is decrypted when it is read from the physical volume. By default, data encryption is not enabled in logical volumes. The data encryption option must be enabled at the volume group level before you enable the data encryption option at the logical volume level.
- Passphrase
- Key file
- Cryptographic key server
- Platform keystore (PKS) (available in IBM PowerVM® firmware of the IBM Power® System FW950)
- Advantages of LV encryption
- LV encryption commands
- Prerequisites for using LV encryption
- Creating and authenticating an encrypted logical volume
- Adding the platform keystore (PKS) authentication method
- Adding the key server authentication method
- Adding key file authentication method
- Adding passphrase authentication method
- Migrating the PKS to another LPAR before the volume group is migrated
- Changing the encryption policy of the volume group
- Changing the encryption policy of the logical volume
- Best practices
- Limitations of LV encryption
- File system consideration for LV encryption
Advantages of LV encryption
- The data owner controls the encryption keys.
- The data that is transmitted over the network (Fibre Channel or Ethernet) is encrypted and protected. This characteristic is important for virtual servers that are hosted in a cloud environment.
For more information about the LV encryption architecture, see the blog: AIX 72 TL5: Logical Volume Encryption
- LV encryption enhancements
- Starting with AIX 7.3, the following enhancements are added to the LV encryption function:
- You can encrypt LVs in the root volume group (rootvg) that are used in the boot process. The LV encryption option must be selected during the installation of the base operating system. For more information, see BOS installation options.
- After you install the base operating system, you can use the hdcryptmgr conversion commands to change the encryption setting of an LV. However, the conversion of an LV in the rootvg is different from the conversion of an LV in a user volume group. When you run the hdcryptmgr conversion command to change the encryption status of an LV in a rootvg, the hdcryptmgr command creates an LV to store the conversion recovery data. When you run the hdcryptmgr conversion command to change the encryption status of an LV in a user volume group, the hdcryptmgr command stores the conversion recovery data in a file that is in the /var/hdcrypt directory. Therefore, the rootvg must have at least one free logical partition for successful conversion. When the conversion status of the encryption is successful, the LV that contains the conversion recovery data is deleted.
- When the rootvg is varied on, the network is not available. Hence, the platform keystore (PKS) authentication method must be available for LVs that are used in the boot process. If the PKS authentication method is not available for an encrypted LV in the rootvg, the LV remains locked and thus not accessible until it is explicitly unlocked later. Also, you cannot delete a valid PKS authentication method from an LV in the rootvg that is used in the boot process. If you convert an unencrypted LV, which is used in the boot process, to an encrypted LV, the PKS authentication method is automatically added to the LV. If the PKS authentication method is not available or is corrupted for an encrypted LV that is used in the boot process, you must boot the operating system in maintenance mode and repair the PKS authentication method before you can resume the normal boot operation.
- The following commands are enhanced to support LV encryption: cplv, splitvg, splitlvcopy, chlvcopy, snapshot, savevg, and restvg.
- You can encrypt an LV in concurrent mode. If you change the encryption status of an LV in a node that is in concurrent mode, you cannot access the other nodes until the encryption conversion is complete.
- AIX 7.3 TL1 supports Hyper Protect Crypto Services (HPCS) for AIX logical volume encryption. To use HPCS with AIX, you must provision Power Systems Virtual Server. The keysvrmgr command provides options to manage the integration.
LV encryption commands
- hdcryptmgr command
The hdcryptmgr utility manages encrypted LVs, including tasks such as displaying logical volume and volume group encryption information, controlling authentication, and many other functions. The utility and its help messages are built in a hierarchical and self-explanatory manner. The following snippet shows a summary of the command usage. For a detailed manual page, see hdcryptmgr command.
    # hdcryptmgr -h
    Usage: hdcryptmgr <action> <..options..>
    Display :
        showlv        : Displays LV encryption status
        showvg        : Displays VG encryption capability
        showpv        : Displays PV encryption capability
        showmd        : Displays encryption metadata related to device
        showconv      : Displays status of all active and stopped conversions
    Authentication control :
        authinit      : Initializes master key for data encryption
        authunlock    : Authenticates to unlock master key of the device
        authadd       : Adds additional authentication methods
        authcheck     : Checks validity of an authentication method
        authdelete    : Removes an authentication method
        authsetrvgpwd : Adds "initpwd" passphrase method to all rootvg's LVs
    PKS management :
        pksimport     : Import the PKS keys
        pksexport     : Export the PKS keys
        pksclean      : Removes a PKS key
        pksshow       : Displays PKS keys status
    Conversion :
        plain2crypt   : Converts a LV to encrypted
        crypt2plain   : Converts a LV to not encrypted
    PV encryption management :
        pvenable      : Enables the Physical Volume Encryption
        pvdisable     : Disables the Physical Volume Encryption
        pvsavemd      : Save encrypted physical volume metadata to a file
        pvrecovmd     : Recover encrypted physical volume metadata from a file
- keysvrmgr command
For the key server method, you can use the keysvrmgr utility to manage the Object Data Manager (ODM) entries that hold the key server information, such as the key server hostname or IP address, the connection port, and the certificate locations. The following snippet shows a summary of the command usage. For a detailed manual page, see keysvrmgr command.
    # keysvrmgr -h
    Usage: keysvrmgr <action> [-h] -t <server_type> <options> server_name
    Manage ODM data for key server and HPCS.
    <action> is one of the following:
        add     : Add a new key server or HPCS to ODM.
        modify  : Modify a key server or HPCS ODM record.
        remove  : Remove a keyserver or HPCS ODM record.
        show    : Display key server or HPCS ODM records.
        verify  : Verify a HPCS ODM record (HPCS only).
        rekey   : Generate a new API key for a HPCS ODM record (HPCS only).
    <server_type> is one of the following:
        keyserv : For (KMIP compliant) key management server.
        hpcs    : For IBM Cloud Hyper Protect Crypto Services.
    For more details on <options> run : keysvrmgr <action> -h
Prerequisites for using LV encryption
- Use AIX 7.2.5 or later to encrypt a logical volume.
- The following filesets must be installed to encrypt LV data. These filesets are included in the base operating system.
- bos.hdcrypt
- bos.kmip_client
- bos.rte.lvm
- security.acf
- openssl.base
- oss.lib.libcurl
- oss.lib.libjson-c
Note: The bos.hdcrypt and bos.kmip_client filesets are not installed automatically when you run the smit update_all command or during an operating system migration operation. You must install them separately from your software source, such as a DVD or an ISO image.
Creating and authenticating an encrypted logical volume
- Create an encryption-enabled volume group.
- Create an encryption-enabled logical volume.
- Authenticate the primary encryption key of the logical volume.
- Create an encryption-enabled volume group
- To create an encryption-enabled volume group, complete the following steps:
- Create a volume group in which the data encryption option is enabled by running the following command:
    # mkvg -f -y testvg -k y hdisk2
  where testvg is the name of the new volume group and hdisk2 is the physical volume that is used for the volume group.
- Check the details of the new volume group by running the following command:
    # lsvg testvg
    VOLUME GROUP:       testvg                   VG IDENTIFIER:  00fb294400004c0000000176437c6663
    VG STATE:           active                   PP SIZE:        8 megabyte(s)
    VG PERMISSION:      read/write               TOTAL PPs:      637 (5096 megabytes)
    MAX LVs:            256                      FREE PPs:       637 (5096 megabytes)
    LVs:                0                        USED PPs:       0 (0 megabytes)
    OPEN LVs:           0                        QUORUM:         2 (Enabled)
    TOTAL PVs:          1                        VG DESCRIPTORS: 2
    STALE PVs:          0                        STALE PPs:      0
    ACTIVE PVs:         1                        AUTO ON:        yes
    MAX PPs per VG:     32512
    MAX PPs per PV:     1016                     MAX PVs:        32
    LTG size (Dynamic): 512 kilobyte(s)          AUTO SYNC:      no
    HOT SPARE:          no                       BB POLICY:      relocatable
    PV RESTRICTION:     none                     INFINITE RETRY: no
    DISK BLOCK SIZE:    512                      CRITICAL VG:    no
    FS SYNC OPTION:     no                       CRITICAL PVs:   no
    ENCRYPTION:         yes
- Check the encryption state of the varied-on volume groups by running the following command:
    # hdcryptmgr showvg
    VG NAME / ID          ENCRYPTION ENABLED
    testvg                yes
    rootvg                no
- Check the volume group encryption metadata by running the following command:
    # hdcryptmgr showmd testvg
    .....
    .....  Mon Dec 7 21:19:00 2020
    .....  Device type : VG
    .....  Device name : testvg
    .....
    =============== B: VG HEADER ================
    Version                      : 0
    Timestamp                    : Mon Dec 7 21:16:04 2020
    Default data crypto algorithm: AES_XTS
    Default MasterKey size       : 16 bytes
    Auto-auth (during varyonvg)  : Enabled
    =============== E: VG HEADER ================
    =============== B: VG TRAILER ===============
    Timestamp                    : Mon Dec 7 21:16:04 2020
    =============== E: VG TRAILER ===============
- Create an encryption-enabled logical volume
- To create an encryption-enabled logical volume, complete the following steps:
- Create a logical volume in which the data encryption option is enabled by running the following command:
    # mklv -k y -y testlv testvg 10
    testlv
    mklv: Please run : hdcryptmgr authinit lvname [..] to define LV encryption options.
- Check the details of the new logical volume by running the following command:
    # lslv testlv
    LOGICAL VOLUME:     testlv                 VOLUME GROUP:   testvg
    LV IDENTIFIER:      00fb294400004c0000000176437c6663.1 PERMISSION:     read/write
    VG STATE:           active/complete        LV STATE:       closed/syncd
    TYPE:               jfs                    WRITE VERIFY:   off
    MAX LPs:            512                    PP SIZE:        8 megabyte(s)
    COPIES:             1                      SCHED POLICY:   parallel
    LPs:                10                     PPs:            10
    STALE PPs:          0                      BB POLICY:      relocatable
    INTER-POLICY:       minimum                RELOCATABLE:    yes
    INTRA-POLICY:       middle                 UPPER BOUND:    32
    MOUNT POINT:        N/A                    LABEL:          None
    MIRROR WRITE CONSISTENCY: on/ACTIVE
    EACH LP COPY ON A SEPARATE PV ?: yes
    Serialize IO ?:     NO
    INFINITE RETRY:     no                     PREFERRED READ: 0
    ENCRYPTION:         yes
- Check the authentication state of the logical volume by running the following command:
    # hdcryptmgr showlv testlv
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             no             100             done
- Authenticate the primary encryption key of the logical volume
- To authenticate the primary encryption key of the logical volume, complete the following steps:
- Initialize the primary key for the encrypted logical volume by running the following command. The logical volume is not accessible until the first passphrase method is initialized.
    # hdcryptmgr authinit testlv
    Enter Passphrase:
    Confirm Passphrase:
    Passphrase authentication method with name "initpwd" added successfully.
- Check the authentication status and authentication methods for the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             yes            100             done
    -- Authentication methods ------------
    INDEX  TYPE        NAME
    #0     Passphrase  initpwd
- Vary off and vary on the volume group by running the following commands:
    # varyoffvg testvg
    # varyonvg testvg
- Check the authentication status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             no             100             done
  The output shows that the logical volume testlv is not authenticated after the volume group is varied on again.
- Unlock the authentication of the logical volume by running the following command:
    # hdcryptmgr authunlock testlv
    Enter Passphrase:
    Passphrase authentication succeeded.
- Check the authentication state of the logical volume by running the following command:
    # hdcryptmgr showlv testlv
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             yes            100             done
Adding the platform keystore (PKS) authentication method
- Check the LPAR PKS status by running the following command:
    # hdcryptmgr pksshow
    3020-0349 PKS is not supported or PKS is not activated.
    3020-0218 hdcrypt driver service error.
    QUERY_PKS service failed with error 124: An attempt was made to set an attribute to an unsupported value.
The output in this example shows that the PKS is not activated. The keystore size of a logical partition is set to 0 by default.
- Shut down the LPAR and increase the keystore size in the associated HMC. The keystore size is in the range 4 KB – 64 KB. You cannot change the value of the keystore size when the LPAR is active.
- Check the LPAR PKS status again by running the following command:
    # hdcryptmgr pksshow
    PKS uses 32 bytes on a maximum of 4096 bytes.
    PKS_Label (LVid)                          Status
    PKS_Label (objects)
- Add the PKS authentication method to the logical volume by running the following command:
    # hdcryptmgr authadd -t pks -n pks1 testlv
    PKS authentication method with name "pks1" added successfully.
- Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             yes            100             done
    -- Authentication methods ------------
    INDEX  TYPE        NAME
    #0     Passphrase  initpwd
    #1     PKS         pks1
- Check the PKS status by running the following command:
    # hdcryptmgr pksshow
    PKS uses 116 bytes on a maximum of 4096 bytes.
    PKS_Label (LVid)                          Status
    00fb294400004c0000000176437c6663.1        VALID KEY
    PKS_Label (objects)
PKS is an automatic authentication method, which means that the varyonvg command unlocks the logical volume without prompting. The following steps show this behavior.
- Vary off the volume group by running the following command:
    # varyoffvg testvg
- Check the PKS status by running the following command:
    # hdcryptmgr pksshow
    PKS uses 116 bytes on a maximum of 4096 bytes.
    PKS_Label (LVid)                          Status
    00fb294400004c0000000176437c6663.1        UNKNOWN
    PKS_Label (objects)
- Vary on the volume group by running the following command:
    # varyonvg testvg
- Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             yes            100             done
Adding the key server authentication method
You can use any Key Management Interoperability Protocol (KMIP) compliant key management server for this authentication method. In this example, the AIX logical partition is configured with IBM Security Key Lifecycle Manager (SKLM) V4.0 for AIX, which is used as the encryption key server.
- Check the key servers in the LPAR by running the following command:
    # keysvrmgr show
    3020-0279 No key server in database
- Add an encryption key server with the name keyserver1 by running the following command:
    # keysvrmgr add -i 9.X.X.X -s /tmp/sklm_cert.cer -c /tmp/ssl_client_cer.p12 keyserver1
    Key server keyserver1 successfully added
- Check the key servers in the LPAR again by running the following command:
    # keysvrmgr show
    List of key servers:
    ID                  PWD   IP:PORT
    keyserver1          N     9.X.X.X:5696
- Check the encryption key server information that is saved in the ODM KeySvr object class by running the following command:
    # odmget KeySvr
    KeySvr:
            keysvr_id = "keyserver1"
            ip_addr = "9.X.X.X"
            port = 5696
            svr_cert_path = "/tmp/sklm_cert.cer"
            cli_cert_path = "/tmp/ssl_client_cer.p12"
            flags = 0
- Add the key server authentication method to the logical volume by running the following command:
    # hdcryptmgr authadd -t keyserv -n key1_testlv -m keyserver1 testlv
    Keyserver authentication method with name "key1_testlv" added successfully.
- Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv -v testlv
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             yes            100             done
    -- Authentication methods ------------
    INDEX  TYPE        NAME
    #0     Passphrase  initpwd
    #1     PKS         pks1
    #2     Keyserver   key1_testlv
Adding key file authentication method
- Create a file named testfile that contains the passphrase text. The following command shows the contents of the file:
    # cat /testfile
    Add1ng Key f1le authent1cation meth0d
- Add the key file authentication method to the logical volume by running the following command:
    # hdcryptmgr authadd -t keyfile -n key1_file -m /testfile testlv
    Keyfile authentication method with name "key1_file" added successfully.
- Check the contents of the testfile file by running the following command:
    # cat /testfile
    Add1ng Key f1le authent1cation meth0d
    00fb294400004c0000000176437c6663.1 xdxKjlJvZU+f9lFTgSM63kGoIoKW6Yxc+bKrk5GgCzc=
  The authadd command appended a line that contains the LV identifier and an encoded key value to the file. Because possession of this file unlocks the logical volume, restrict its permissions to the root user.
- Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             yes            100             done
    -- Authentication methods ------------
    INDEX  TYPE        NAME
    #0     Passphrase  initpwd
    #1     PKS         pks1
    #2     Keyserver   key1_testlv
    #3     Keyfile     key1_file
Adding passphrase authentication method
- Add the passphrase authentication method to the logical volume by running the following command:
    # hdcryptmgr authadd -t pwd -n test_pwd testlv
    Enter Passphrase:
    Confirm Passphrase:
    Passphrase authentication method with name "test_pwd" added successfully.
- Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             yes            100             done
    -- Authentication methods ------------
    INDEX  TYPE        NAME
    #0     Passphrase  initpwd
    #1     PKS         pks1
    #2     Keyserver   key1_testlv
    #3     Keyfile     key1_file
    #4     Passphrase  test_pwd
Migrating the PKS to another LPAR before the volume group is migrated
- Export the PKS keys to a file by running the following command:
    # hdcryptmgr pksexport -p /tmp/pksexp testvg
    Enter Passphrase:
    Confirm Passphrase:
    1 PKS keys exported.
- Import the volume group on the other LPAR by running the following command:
    # importvg -y testvg hdisk2
- Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             yes            100             done
    -- Authentication methods ------------
    INDEX  TYPE        NAME
    #0     Passphrase  initpwd
    #1     PKS         pks1
    #2     Keyserver   key1_testlv
    #3     Keyfile     key1_file
    #4     Passphrase  test_pwd
- Check whether the PKS authentication method is valid and accessible by running the following command:
    # hdcryptmgr authcheck -n pks1 testlv
    3020-0199 Key does not exist in PKS storage.
    3020-0127 hdcryptmgr authcheck failed for LV testlv.
- Copy the exported PKS key file to the new LPAR and import the keys by running the following command:
    # hdcryptmgr pksimport -p /tmp/pksexp testvg
    Enter Passphrase:
    3020-0341 Key having LVid 00fb294400004c0000000176437c6663.1 is successfully imported in LV testlv.
    1 PKS keys imported.
- Check again whether the PKS authentication method is valid and accessible by running the following command:
    # hdcryptmgr authcheck -n pks1 testlv
    PKS authentication check succeeded.
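The migration steps above can be checked before a failed authcheck surprises you at varyonvg. The following POSIX shell helper is an added example, not part of the IBM documentation: it parses hdcryptmgr pksshow output in the layout shown above to report which encrypted LVs have no valid key in this LPAR's keystore and how full the keystore is. The sample output is constructed from the formats on this page (the second LVid in it is invented), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Interprets "hdcryptmgr pksshow"
# output in the layout shown in this article:
#   PKS uses <used> bytes on a maximum of <max> bytes.
#   PKS_Label (LVid)                          Status
#   <LVid>                                    VALID KEY | UNKNOWN
#   PKS_Label (objects)

# Keystore usage as an integer percentage of the size configured on the HMC.
# Prints nothing when the "PKS uses" line is absent (PKS not activated).
pks_usage_percent() {
    awk '/^PKS uses [0-9]+ bytes on a maximum of [0-9]+ bytes/ {
            printf "%d\n", ($3 * 100) / $9
         }'
}

# LVids whose PKS entry has status VALID KEY. Reads pksshow output on stdin.
pks_valid_lvids() {
    awk '
        /^PKS_Label \(LVid\)/    { in_lv = 1; next }   # header of the LVid table
        /^PKS_Label \(objects\)/ { in_lv = 0 }         # objects table follows
        in_lv && $2 == "VALID" && $3 == "KEY" { print $1 }
    '
}

# Arguments: LVids of the encrypted LVs in the imported VG (see lvid_of).
# Stdin: pksshow output. Prints each LVid that has no valid key in this LPAR's
# PKS; those LVs stay locked at varyonvg until pksimport restores the key.
# An entry may be UNKNOWN (as after varyoffvg) or missing entirely.
pks_lvids_needing_import() {
    valid="$(pks_valid_lvids)"
    for lvid in "$@"; do
        printf '%s\n' "$valid" | grep -qxF "$lvid" || echo "$lvid"
    done
}

# LV IDENTIFIER of an LV, as printed by lslv (third field of that line).
# Not exercised below because lslv exists only on AIX.
lvid_of() {
    lslv "$1" | awk '$1 == "LV" && $2 == "IDENTIFIER:" { print $3 }'
}

# Verdict: 0 = every key present, 1 = pksimport needed, 2 = PKS not activated.
pks_migration_check() {
    report="$(cat)"
    if [ -z "$(printf '%s\n' "$report" | pks_usage_percent)" ]; then
        echo "PKS is not activated on this LPAR; set the keystore size on the HMC first"
        return 2
    fi
    missing="$(printf '%s\n' "$report" | pks_lvids_needing_import "$@")"
    if [ -n "$missing" ]; then
        # printf reuses the format once per missing LVid (intentionally unquoted)
        printf 'no valid PKS key for LVid %s; run: hdcryptmgr pksimport -p <exported file> <vg>\n' $missing
        return 1
    fi
    return 0
}

# Constructed sample: the LVid from the article with the UNKNOWN status seen
# after varyoffvg, plus an invented second LV whose key is valid.
SAMPLE_PKSSHOW='PKS uses 116 bytes on a maximum of 4096 bytes.
PKS_Label (LVid)                          Status
00fb294400004c0000000176437c6663.1        UNKNOWN
00fb294400004c0000000176437c6663.2        VALID KEY
PKS_Label (objects)'

printf '%s\n' "$SAMPLE_PKSSHOW" | pks_usage_percent
status=0
printf '%s\n' "$SAMPLE_PKSSHOW" | pks_migration_check 00fb294400004c0000000176437c6663.1 || status=$?
echo "verdict: $status"
```

On a live LPAR, feed `hdcryptmgr pksshow` to pks_migration_check together with `lvid_of <lv>` for each encrypted LV of the imported volume group.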
Changing the encryption policy of the volume group
- Change the data encryption option of the volume group by running the following command:
    # chvg -k y testvg
    0516-1216 chvg: Physical partitions are being migrated for volume group descriptor area expansion. Please wait.
- Check the details of the volume group by running the following command:
    # lsvg testvg
    VOLUME GROUP:       testvg                   VG IDENTIFIER:  00fb294400004c000000017648ff8d32
    VG STATE:           active                   PP SIZE:        8 megabyte(s)
    VG PERMISSION:      read/write               TOTAL PPs:      636 (5088 megabytes)
    MAX LVs:            256                      FREE PPs:       506 (4048 megabytes)
    LVs:                1                        USED PPs:       130 (1040 megabytes)
    OPEN LVs:           0                        QUORUM:         2 (Enabled)
    TOTAL PVs:          1                        VG DESCRIPTORS: 2
    STALE PVs:          0                        STALE PPs:      0
    ACTIVE PVs:         1                        AUTO ON:        yes
    MAX PPs per VG:     32512
    MAX PPs per PV:     1016                     MAX PVs:        32
    LTG size (Dynamic): 512 kilobyte(s)          AUTO SYNC:      no
    HOT SPARE:          no                       BB POLICY:      relocatable
    PV RESTRICTION:     none                     INFINITE RETRY: no
    DISK BLOCK SIZE:    512                      CRITICAL VG:    no
    FS SYNC OPTION:     no                       CRITICAL PVs:   no
    ENCRYPTION:         yes
Changing the encryption policy of the logical volume
- Enable the logical volume encryption by running the following command:
    # hdcryptmgr plain2crypt testlv
    Enter Passphrase:
    Confirm Passphrase:
    Passphrase authentication method with name "initpwd" added successfully.
    Created recovery file : /var/hdcrypt/conv.004200021607542921
    In case of error or if the conversion is canceled, this file may be necessary to be able to recover the LV.
    If the conversion is fully successful, then the file will be removed automatically
    Successfully converted LV testlv to an encrypted LV.
  This command performs the following operations:
  - Enables the encryption policy of the logical volume
  - Initializes the master key and encryption metadata for the encrypted logical volume
  - Encrypts the data in the logical volume
- Check the details of the logical volume by running the following command:
    # lslv testlv
    LOGICAL VOLUME:     testlv                 VOLUME GROUP:   testvg
    LV IDENTIFIER:      00fb294400004c000000017648ff8d32.2 PERMISSION:     read/write
    VG STATE:           active/complete        LV STATE:       closed/syncd
    TYPE:               jfs                    WRITE VERIFY:   off
    MAX LPs:            512                    PP SIZE:        8 megabyte(s)
    COPIES:             1                      SCHED POLICY:   parallel
    LPs:                10                     PPs:            10
    STALE PPs:          0                      BB POLICY:      relocatable
    INTER-POLICY:       minimum                RELOCATABLE:    yes
    INTRA-POLICY:       middle                 UPPER BOUND:    32
    MOUNT POINT:        N/A                    LABEL:          None
    MIRROR WRITE CONSISTENCY: on/ACTIVE
    EACH LP COPY ON A SEPARATE PV ?: yes
    Serialize IO ?:     NO
    INFINITE RETRY:     no                     PREFERRED READ: 0
    ENCRYPTION:         yes
- Check the encryption status of the logical volume by running the following command:
    # hdcryptmgr showlv testlv -v
    LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
    testlv            yes             yes            100             done
    -- Authentication methods ------------
    INDEX  TYPE        NAME
    #0     Passphrase  initpwd
Best practices
- Use an inline log device for a file system that is created on an encrypted logical volume.
- If the file system is created with an external log device and the log device is shared across multiple file systems, unlock the authentication (hdcryptmgr authunlock) for all encrypted logical volumes before you mount the file system.
- Use a non-PKS authentication method to unlock the authentication of a snapshot volume group.
- To copy an encrypted logical volume by using the cplv command, create a logical volume in which encryption is enabled and use the logical volume as a destination logical volume to copy the source logical volume.
Limitations of LV encryption
- AIX Live Update
- The Live Update operation is not supported if the LV encryption is enabled.
- I/O serialization
- The I/O serialization is not guaranteed while the LV encryption conversion is in progress.
File system consideration for LV encryption
- When you create or mount a file system on an encrypted LV, ensure that the encrypted LV is unlocked and activated.
- If an encrypted LV, which is hosting a file system by using the Network File System (NFS) /etc/exports file, is not unlocked during system boot, the mount operation of the file system fails and the table of physical file systems in the /etc/exports file is not updated. After the encrypted LV is unlocked and the file system is mounted, you can run the exportfs -a command to update the /etc/exports file.
- In Enhanced Journaled File System (JFS2), you can use a single log device across multiple file systems. If the log device is shared across multiple file systems and if the LV that is used by file systems is encrypted, the LV must be unlocked before mounting the file systems.
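Both the post-varyonvg check in the creation procedure above and the rule that every encrypted LV sharing an external log must be unlocked before any file system is mounted can be scripted from hdcryptmgr showlv output. The following POSIX shell helper is an added example, not part of the IBM documentation; the report it parses is constructed from the column layout shown on this page (only testlv is from the article), and HDCRYPTMGR and DRY_RUN are names this example assumes.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Parses "hdcryptmgr showlv"
# reports in the column layout shown in this article and drives authunlock.
# HDCRYPTMGR and DRY_RUN are names assumed by this example.
HDCRYPTMGR="${HDCRYPTMGR:-hdcryptmgr}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the authunlock commands

# Read a showlv report on stdin; print the name of every LV whose
# CRYPTO ENABLED column is "yes" and AUTHENTICATED column is "no".
# Data rows have 5 fields; the header starts with "LV NAME" and the
# -v authentication-method block starts with "--", "INDEX" or "#n".
locked_lvs() {
    awk '
        $1 == "LV" || /^ *--/ || /^ *INDEX/ || /^ *#[0-9]/ { next }
        NF >= 5 && $2 == "yes" && $3 == "no" { print $1 }
    '
}

# Pre-mount gate: return 0 when every encrypted LV in the report is
# authenticated, 1 otherwise (offenders are printed). Run it before mounting
# file systems that share an external JFS2 log device.
mount_gate() {
    locked="$(locked_lvs)"
    if [ -n "$locked" ]; then
        printf 'locked encrypted LV(s): %s\n' "$(printf '%s' "$locked" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Run "hdcryptmgr authunlock <lv>" for each locked LV in the report on stdin.
# authunlock prompts for the passphrase of a non-automatic method (passphrase
# or key file), so run this interactively; a failed unlock is reported and the
# loop continues with the next LV.
unlock_locked_lvs() {
    locked_lvs | while IFS= read -r lv; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "would run: $HDCRYPTMGR authunlock $lv"
        else
            "$HDCRYPTMGR" authunlock "$lv" || echo "unlock failed for $lv" >&2
        fi
    done
}

# Constructed sample report (only testlv appears in the article; the other
# rows are invented to exercise the parser): pkslv has a PKS method, so it was
# unlocked automatically at varyonvg; plainlv is not encrypted.
SAMPLE_SHOWLV='LV NAME           CRYPTO ENABLED  AUTHENTICATED  ENCRYPTION (%)  CONVERSION
testlv            yes             no             100             done
pkslv             yes             yes            100             done
plainlv           no              no             0               done
loglv             yes             no             100             done'

# Typical use on a live system, per LV:
#   hdcryptmgr showlv testlv | mount_gate || hdcryptmgr showlv testlv | unlock_locked_lvs
printf '%s\n' "$SAMPLE_SHOWLV" | unlock_locked_lvs
```

Set DRY_RUN=0 only on the AIX system itself, where hdcryptmgr can prompt for the passphrase of each locked LV.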