AIX

 View Only

Understanding of Logical Volume Encryption

By Lakshmi Yadlapati posted Wed December 16, 2020 12:27 PM

  

Understanding of Logical Volume Encryption

A simple handbook for beginners

 

AIX 7.2 TL 5 introduces the support for Logical Volume encryption, providing data-at-rest encryption solution that performs efficient encryption and decryption of data within a Logical Volume.

The contents of this blog:

Overview
How to create Encrypted Logical Volume
Authentication Methods

PKS
Key Server
Keyfile
Passphrase

Migration of PKS
How to change the encryption policy of Volume Group
How to change the encryption policy of Logical Volume
Best Practices
Limitations

Overview of Logical Volume Encryption

  • Encryption is per Logical volume.
  • Encryption metadata is saved on each disk in the volume group.
  • Four key protection methods:
    • Paraphrase
    • Keyfile
    • PKS (Platform Key Store) – available in IBM PowerVM® firmware of the IBM Power® System FW950.
    • Key Server- Key Management Interoperability Protocol (KMIP) compliant key management servers
  • The key server and PKS protection methods can be used to automatically unlock and activate the encrypted logical volume during varyonvg.
  • Six key slots per LV
  • The supported algorithms are Advanced Encryption Standard XTS mode (AES-XTS) 128 bits or 256 bits. AES-XTS 128 bits is the default.
  • Enable the encryption of existing logical volume when the LV is in an open state and in-place conversion of the data.

Use the following two commands to manage encryption keys and key server information:
hdcryptmgr  Provides the cryptographic management of logical volume.
keysvrmgr   Manages the encryption key server information.

Two new filesets: 

  • bos.hdcrypt
  • bos.kmip_client

These filesets are not installed automatically when you run the smit update_all command or during an operating system migration operation. You must install it separately from your software source such as a DVD or an ISO image.

Creating Encrypted Logical Volume:
Create a volume group with encryption enabled:
# mkvg -f -y evg -k y hdisk2
evg

# lsvg evg
VOLUME GROUP:       evg                      VG IDENTIFIER: 00fb294400004c0000000176437c6663
VG STATE:           active                           PP SIZE:        8 megabyte(s)
VG PERMISSION:      read/write          TOTAL PPs:      637 (5096 megabytes)
MAX LVs:            256                               FREE PPs:       637 (5096 megabytes)
LVs:                      0                                    USED PPs:       0 (0 megabytes)
OPEN LVs:           0                                   QUORUM:         2 (Enabled)
TOTAL PVs:          1                                  VG DESCRIPTORS: 2
STALE PVs:          0                                  STALE PPs:      0
ACTIVE PVs:         1                                AUTO ON:        yes
MAX PPs per VG:     32512                                     
MAX PPs per PV:     1016                     MAX PVs:        32
LTG size (Dynamic): 512 kilobyte(s)  AUTO SYNC:      no
HOT SPARE:          no                              BB POLICY:      relocatable
PV RESTRICTION:     none                   INFINITE RETRY: no
DISK BLOCK SIZE:    512                     CRITICAL VG:    no
FS SYNC OPTION:     no                        CRITICAL PVs:   no
ENCRYPTION:         yes   

Check the encryption state of varied on volume groups:
# hdcryptmgr showvg
VG NAME / ID         ENCRYPTION ENABLED
evg                             yes                
rootvg                        no

 
Show the volume group encryption metadata:
# hdcryptmgr showmd evg
.....
.....    Mon Dec  7 21:19:00 2020
.....    Device type : VG
.....    Device name : evg
.....
=============== B: VG HEADER ================
Version                      : 0
Timestamp                    : Mon Dec  7 21:16:04 2020
Default data crypto algorithm: AES_XTS
Default MasterKey size       : 16 bytes
Auto-auth (during varyonvg)  : Enabled
=============== E: VG HEADER ================

 =============== B: VG TRAILER ===============
Timestamp                    : Mon Dec  7 21:16:04 2020
=============== E: VG TRAILER ===============
 

Create a logical volume with encryption enabled:
# mklv -k y -y elv evg 10
elv
mklv: Please run :
hdcryptmgr authinit lvname [..] to define LV encryption options.

# lslv elv
LOGICAL VOLUME:     elv                                              VOLUME GROUP:   evg
LV IDENTIFIER:      00fb294400004c0000000176437c6663.1 PERMISSION:     read/write
VG STATE:           active/complete                              LV STATE:       closed/syncd
TYPE:               jfs                                                             WRITE VERIFY:   off
MAX LPs:            512                                                      PP SIZE:        8 megabyte(s)
COPIES:             1                                                            SCHED POLICY:   parallel
LPs:                10                                                               PPs:            10
STALE PPs:          0                                                          BB POLICY:      relocatable
INTER-POLICY:       minimum                                     RELOCATABLE:    yes
INTRA-POLICY:       middle                                          UPPER BOUND:    32
MOUNT POINT:        N/A                                               LABEL:          None
MIRROR WRITE CONSISTENCY: on/ACTIVE                             
EACH LP COPY ON A SEPARATE PV ?: yes                                   
Serialize IO ?:     NO                                    
INFINITE RETRY:     no                                                PREFERRED READ: 0
ENCRYPTION:         yes


Check the authentication state of the logical volume:
# hdcryptmgr showlv elv
LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)  CONVERSION     
elv                                 yes                                no                                  100                    done           

Initialize the primary key for an encrypted logical volume. The logical volume is not accessible until the first passphrase method is initialized:
# hdcryptmgr authinit elv
Enter Passphrase:
Confirm Passphrase:
Passphrase authentication method with name "initpwd" added successfully.

Check the Authentication status and authentication methods:
# hdcryptmgr showlv elv -v
LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
elv                          yes                                 yes                              100                              done           
-- Authentication methods ------------
INDEX         TYPE                        NAME
#0                 Passphrase            initpwd     

varyoff and varyon the volume group and check the authentication status:
# varyoffvg evg
# varyonvg evg

# hdcryptmgr showlv elv
LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
elv                           yes                                 no                                 100                               done    

Logical volume elv is not authenticated. This requires authunlock before accessing the Logical Volume:
# hdcryptmgr authunlock elv
Enter Passphrase:
Passphrase authentication succeeded.

# hdcryptmgr showlv elv
LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
elv                           yes                                  yes                               100                               done  


Authentication methods for Encrypted Logical Volume:
Use hdcryptmgr authadd command to add authentication method for an encrypted logical volume.  Each authentication method requires a name and an authentication type.

Adding the Platform Key Store (PKS) authentication method:
LPAR KeyStore size by default is set to 0.  Use HMC to change the LPAR KeyStore size. KeyStore size cannot be changed when the LPAR is active.

Check the LPAR PKS status:
# hdcryptmgr pksshow
3020-0349 PKS is not supported or PKS is not activated.
3020-0218 hdcrypt driver service error. QUERY_PKS service failed with error 124: An attempt was made to set an attribute to an unsupported value.

Shutdown the LPAR and increase the KeyStore size. The KeyStore size range is 4k - 64k:
 

PKS Create

 



pksshow shows the current KeyStore size and number of bytes used:

# hdcryptmgr pksshow
PKS uses 32 bytes on a maximum of 4096 bytes.
PKS_Label (LVid)                         Status
PKS_Label (objects)

Add the pks authentication method:
# hdcryptmgr authadd -t pks -n pks1 elv 
PKS authentication method with name "pks1" added successfully.

# hdcryptmgr showlv elv -v
LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
elv                           yes                                yes                              100                             done           
-- Authentication methods ------------
INDEX         TYPE                        NAME
#0                 Passphrase           initpwd     
#1                 PKS                         pks1        

# hdcryptmgr pksshow
PKS uses 116 bytes on a maximum of 4096 bytes.
PKS_Label (LVid)                                                         Status
00fb294400004c0000000176437c6663.1       VALID KEY
PKS_Label (objects)

PKS is an automatic authentication method which means varyonvg command will authunlock the logical volume:
# varyoffvg evg
# hdcryptmgr pksshow
PKS uses 116 bytes on a maximum of 4096 bytes.
PKS_Label (LVid)                                                         Status
00fb294400004c0000000176437c6663.1       UNKNOWN
PKS_Label (objects) 

# varyonvg evg
# hdcryptmgr showlv elv  
LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
elv                           yes                                yes                              100                             done           

Adding key server authentication method:
Any KMIP compliant key management server can be used.
In this example, installed and configured the IBM Security Key Lifecycle Manager (SKLM) V4.0
for AIX in one of AIX LPAR and used that as an encryption key server.  Use keysvrmgr command to add encryption key server to the client LPAR.

Check key servers in the LPAR:
# keysvrmgr show
3020-0279 No key server in database

Add encryption key server with the name keyserver1:
# keysvrmgr add -i 9.X.X.X -s /tmp/sklm_cert.cer -c /tmp/ssl_client_cer.p12 keyserver1
Key server keyserver1 successfully added

# keysvrmgr show                                                                                  
List of key servers:
ID                              PWD             IP:PORT
keyserver1                 N              9.X.X.X:5696

Encryption key server information will be saved in the ODM KeySvr object class:
# odmget KeySvr
KeySvr:
        keysvr_id = "keyserver1"
       
ip_addr = "9.X.X.X"
       
port = 5696
       
svr_cert_path = "/tmp/sklm_cert.cer"
       
cli_cert_path = /tmp/ssl_client_cer.p12 "
       
flags = 0

Add keyserv authentication method to the logical volume:
# hdcryptmgr authadd -t keyserv -n key1_elv -m keyserver1 elv
Keyserver authentication method with name "key1_elv" added successfully.

#hdcryptmgr showlv -v elv
LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
elv                           yes                                yes                              100                             done           
-- Authentication methods ------------
INDEX                 TYPE                    NAME
#0                         Passphrase       initpwd     
#1                         PKS                     pks1        
#2                         Keyserver          key1_elv

Adding key file authentication method:
Create a file testfile with passphrase:
# cat /testfile
Add1ng Key f1le authent1cation meth0d

Add keyfile authentication method:
# hdcryptmgr authadd -t keyfile -n key1_file -m /testfile elv
Keyfile authentication method with name "key1_file" added successfully.

# cat /testfile
Add1ng Key f1le authent1cation meth0d
00fb294400004c0000000176437c6663.1 xdxKjlJvZU+f9lFTgSM63kGoIoKW6Yxc+bKrk5GgCzc=

# hdcryptmgr showlv elv -v
LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION
elv                           yes                                yes                              100                             done         
-- Authentication methods ------------
INDEX         TYPE                      NAME
#0                 Passphrase         initpwd     
#1                 PKS                       pks1        
#2                 Keyserver            key1_elv    
#3                 Keyfile                  key1_file 

Adding passphrase authentication method:
# hdcryptmgr authadd -t pwd -n test_pwd elv                 
Enter Passphrase:
Confirm Passphrase:
Passphrase authentication method with name "test_pwd" added successfully.

# hdcryptmgr showlv elv -v
LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
elv                  yes              yes              100              done           
-- Authentication methods ------------
INDEX         TYPE              NAME
#0            Passphrase      initpwd     
#1            PKS                    pks1        
#2            Keyserver         key1_elv    
#3            Keyfile               key1_file   
#4            Passphrase      test_pwd   

Migrate the PKS to another LPAR when the volume group is migrated:
Export the PKS keys into a file:
# hdcryptmgr pksexport -p /tmp/pksexp evg 
Enter Passphrase:
Confirm Passphrase:
1 PKS keys exported.

Import the volume group in another LPAR:
# importvg -y evg hdisk2

# hdcryptmgr showlv elv -v
LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
elv                          yes                               yes                               100                             done           
-- Authentication methods ------------
INDEX         TYPE               NAME
#0            Passphrase       initpwd     
#1            PKS                     pks1        
#2            Keyserver          key1_elv    
#3            Keyfile                key1_file   
#4            Passphrase       test_pwd  

Check if the authentication method is valid and accessible:
# hdcryptmgr authcheck -n pks1  elv
3020-0199 Key does not exist in PKS storage.
3020-0127 hdcryptmgr authcheck failed for LV elv.

Move the PKS keyfile to new LPAR and run:
#  hdcryptmgr pksimport -p /tmp/pksexp evg             
Enter Passphrase:
3020-0341 Key having LVid 00fb294400004c0000000176437c6663.1 is succesfully imported in LV elv.
1 PKS keys imported.

# hdcryptmgr authcheck -n pks1  elv
PKS authentication check succeeded.

Change the encryption policy of the volume group:
Encryption metadata is saved at the end of each disk in the volume group. Enabling of the volume group encryption requires free physical partitions on each disk in the volume group.

# chvg -k y testvg
0516-1216 chvg: Physical partitions are being migrated for volume group
        descriptor area expansion.  Please wait.

# lsvg testvg
VOLUME GROUP:       testvg                  VG IDENTIFIER:  00fb294400004c000000017648ff8d32
VG STATE:           active                           PP SIZE:        8 megabyte(s)
VG PERMISSION:      read/write          TOTAL PPs:      636 (5088 megabytes)
MAX LVs:            256                                 FREE PPs:       506 (4048 megabytes)
LVs:                1                                           USED PPs:       130 (1040 megabytes)
OPEN LVs:           0                                    QUORUM:         2 (Enabled)
TOTAL PVs:          1                                   VG DESCRIPTORS: 2
STALE PVs:          0                                   STALE PPs:      0
ACTIVE PVs:         1                                 AUTO ON:        yes
MAX PPs per VG:     32512                                     
MAX PPs per PV:     1016                             MAX PVs:        32
LTG size (Dynamic): 512 kilobyte(s)         AUTO SYNC:      no
HOT SPARE:          no                                      BB POLICY:      relocatable
PV RESTRICTION:     none                           INFINITE RETRY: no
DISK BLOCK SIZE:    512                             CRITICAL VG:    no
FS SYNC OPTION:     no                                CRITICAL PVs:   no
ENCRYPTION:         yes  

Change the encryption policy of the Logical Volume:
This capability is delivered as proof of concept in AIX 7.2 TL 5.

Command to enable Logical Volume encryption:
hdcryptmgr  plain2crypt <lvname>

  • Enables the encryption policy of the logical volume
  • Initializes the master key and encryption metadata for an encrypted logical volume
  • Encrypts the data in the logical volume

Command to disable Logical Volume encryption:
hdcryptmgr  crypt2plain <lvname>

  • The logical volume  must be unlocked
  • Decrypts the logical volume data
  • Disables the encryption policy of the logical volume


Enable the encryption policy of the logical volume, ex:

# hdcryptmgr plain2crypt testlv
Enter Passphrase:
Confirm Passphrase:
Passphrase authentication method with name "initpwd" added successfully.
Created recovery file : /var/hdcrypt/conv.004200021607542921
In case of error or if the conversion is canceled, this file may be
necessary to be able to recover the LV. If the conversion is fully
successful, then the file will be removed automatically
Successfully converted LV testlv to an encrypted LV.

# lslv testlv
LOGICAL VOLUME:     testlv                                      VOLUME GROUP:   testvg
LV IDENTIFIER:      00fb294400004c000000017648ff8d32.2 PERMISSION:     read/write
VG STATE:           active/complete                            LV STATE:       closed/syncd
TYPE:               jfs                                                          WRITE VERIFY:   off
MAX LPs:            512                                                    PP SIZE:        8 megabyte(s)
COPIES:             1                                                          SCHED POLICY:   parallel
LPs:                10                                                             PPs:            10
STALE PPs:          0                                                        BB POLICY:      relocatable
INTER-POLICY:       minimum                                   RELOCATABLE:    yes
INTRA-POLICY:       middle                                        UPPER BOUND:    32
MOUNT POINT:        N/A                                             LABEL:          None
MIRROR WRITE CONSISTENCY: on/ACTIVE                             
EACH LP COPY ON A SEPARATE PV ?: yes                                   
Serialize IO ?:     NO                                    
INFINITE RETRY:     no                                              PREFERRED READ: 0
ENCRYPTION:         yes                                   

# hdcryptmgr showlv testlv -v

LV NAME              CRYPTO ENABLED   AUTHENTICATED    ENCRYPTION (%)   CONVERSION     
testlv                       yes                                yes                              100                              done           
-- Authentication methods ------------
INDEX         TYPE                 NAME
#0                 Passphrase    initpwd     

Best practices:

  • Use inline log for the filesystem that created with encrypted logical volume.
  • If the file system is created with an external log device and the log device is shared across multiple file systems, then authunlock all encrypted logical volumes before mounting the filesystem.
  • Use non-PKS authentication method to authunlock the snapshot volume group.
  • To copy an encrypted logical volume using cplv command, create a new logical volume with encryption enabled and use that as destination logical volume to copy source logical volume.


Limitations:

  • Encryption of logical volume is not recommended if serialization of overlapping I/Os policy is set. When encryption is enabled, hdcrypt driver intercepts the I/Os to encrypt the data and that may change the order of the I/O’s.
  • The Live Update operation is not supported if the logical volume encryption is enabled.
  • Logical volume encryption is not supported on rootvg.
  • Logical volume encryption function is not supported when a volume group is varied on in Concurrent mode.

 All limitations are described at https://www.ibm.com/support/knowledgecenter/fr/ssw_aix_72/security/lv_encryption.html

Logical Volume Encryption Design Blog.

0 comments
71 views

Permalink