Understanding Logical Volume Encryption
A simple handbook for beginners
AIX 7.2 TL 5 introduces support for logical volume encryption, a data-at-rest encryption solution that efficiently encrypts and decrypts data within a logical volume.
The contents of this blog:
Overview
How to create Encrypted Logical Volume
Authentication Methods
PKS
Key Server
Keyfile
Passphrase
Migration of PKS
How to change the encryption policy of Volume Group
How to change the encryption policy of Logical Volume
Best Practices
Limitations
Overview of Logical Volume Encryption
- Encryption is per logical volume.
- Encryption metadata is saved on each disk in the volume group.
- Four key protection methods:
- Passphrase
- Keyfile
- PKS (Platform Key Store), available with IBM PowerVM® firmware level FW950 on IBM Power® systems
- Key server: any Key Management Interoperability Protocol (KMIP) compliant key management server
- The key server and PKS protection methods can be used to automatically unlock and activate the encrypted logical volume during varyonvg.
- Six key slots per LV; each authentication method occupies one slot.
- The supported algorithms are AES-XTS (Advanced Encryption Standard in XTS mode) with 128-bit or 256-bit keys. AES-XTS 128 is the default.
- Encryption can be enabled on an existing logical volume while the LV is open; the data is converted in place.
Use the following two commands to manage encryption keys and key server information:
hdcryptmgr Provides the cryptographic management of logical volumes.
keysvrmgr Manages the encryption key server information.
Two new filesets:
- bos.hdcrypt
- bos.kmip_client
These filesets are not installed automatically when you run the smit update_all command or during an operating system migration. You must install them separately from your software source, such as a DVD or an ISO image.
Creating Encrypted Logical Volume:
Create a volume group with encryption enabled:
# mkvg -f -y evg -k y hdisk2
evg
# lsvg evg
VOLUME GROUP: evg VG IDENTIFIER: 00fb294400004c0000000176437c6663
VG STATE: active PP SIZE: 8 megabyte(s)
VG PERMISSION: read/write TOTAL PPs: 637 (5096 megabytes)
MAX LVs: 256 FREE PPs: 637 (5096 megabytes)
LVs: 0 USED PPs: 0 (0 megabytes)
OPEN LVs: 0 QUORUM: 2 (Enabled)
TOTAL PVs: 1 VG DESCRIPTORS: 2
STALE PVs: 0 STALE PPs: 0
ACTIVE PVs: 1 AUTO ON: yes
MAX PPs per VG: 32512
MAX PPs per PV: 1016 MAX PVs: 32
LTG size (Dynamic): 512 kilobyte(s) AUTO SYNC: no
HOT SPARE: no BB POLICY: relocatable
PV RESTRICTION: none INFINITE RETRY: no
DISK BLOCK SIZE: 512 CRITICAL VG: no
FS SYNC OPTION: no CRITICAL PVs: no
ENCRYPTION: yes
Check the encryption state of varied on volume groups:
# hdcryptmgr showvg
VG NAME / ID ENCRYPTION ENABLED
evg yes
rootvg no
Show the volume group encryption metadata:
# hdcryptmgr showmd evg
.....
..... Mon Dec 7 21:19:00 2020
..... Device type : VG
..... Device name : evg
.....
=============== B: VG HEADER ================
Version : 0
Timestamp : Mon Dec 7 21:16:04 2020
Default data crypto algorithm: AES_XTS
Default MasterKey size : 16 bytes
Auto-auth (during varyonvg) : Enabled
=============== E: VG HEADER ================
=============== B: VG TRAILER ===============
Timestamp : Mon Dec 7 21:16:04 2020
=============== E: VG TRAILER ===============
Create a logical volume with encryption enabled:
# mklv -k y -y elv evg 10
elv
mklv: Please run :
hdcryptmgr authinit lvname [..] to define LV encryption options.
# lslv elv
LOGICAL VOLUME: elv VOLUME GROUP: evg
LV IDENTIFIER: 00fb294400004c0000000176437c6663.1 PERMISSION: read/write
VG STATE: active/complete LV STATE: closed/syncd
TYPE: jfs WRITE VERIFY: off
MAX LPs: 512 PP SIZE: 8 megabyte(s)
COPIES: 1 SCHED POLICY: parallel
LPs: 10 PPs: 10
STALE PPs: 0 BB POLICY: relocatable
INTER-POLICY: minimum RELOCATABLE: yes
INTRA-POLICY: middle UPPER BOUND: 32
MOUNT POINT: N/A LABEL: None
MIRROR WRITE CONSISTENCY: on/ACTIVE
EACH LP COPY ON A SEPARATE PV ?: yes
Serialize IO ?: NO
INFINITE RETRY: no PREFERRED READ: 0
ENCRYPTION: yes
Check the authentication state of the logical volume:
# hdcryptmgr showlv elv
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes no 100 done
Initialize the primary key of the encrypted logical volume. authinit creates the first authentication method, which is always a passphrase; the logical volume cannot be accessed until this has been done:
# hdcryptmgr authinit elv
Enter Passphrase:
Confirm Passphrase:
Passphrase authentication method with name "initpwd" added successfully.
Check the Authentication status and authentication methods:
# hdcryptmgr showlv elv -v
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes yes 100 done
-- Authentication methods ------------
INDEX TYPE NAME
#0 Passphrase initpwd
Vary off and vary on the volume group, then check the authentication status:
# varyoffvg evg
# varyonvg evg
# hdcryptmgr showlv elv
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes no 100 done
Logical volume elv is not authenticated; it must be unlocked with authunlock before it can be accessed:
# hdcryptmgr authunlock elv
Enter Passphrase:
Passphrase authentication succeeded.
# hdcryptmgr showlv elv
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes yes 100 done
Authentication methods for Encrypted Logical Volume:
Use the hdcryptmgr authadd command to add an authentication method to an encrypted logical volume. Each authentication method requires a name and an authentication type.
Adding the Platform Key Store (PKS) authentication method:
The LPAR keystore size defaults to 0. Change it from the HMC; the keystore size cannot be changed while the LPAR is active.
Check the LPAR PKS status:
# hdcryptmgr pksshow
3020-0349 PKS is not supported or PKS is not activated.
3020-0218 hdcrypt driver service error. QUERY_PKS service failed with error 124: An attempt was made to set an attribute to an unsupported value.
Shut down the LPAR, increase the keystore size (the valid range is 4 KB to 64 KB) and activate the LPAR again. pksshow then shows the keystore size and the number of bytes in use:
# hdcryptmgr pksshow
PKS uses 32 bytes on a maximum of 4096 bytes.
PKS_Label (LVid) Status
PKS_Label (objects)
Add the pks authentication method:
# hdcryptmgr authadd -t pks -n pks1 elv
PKS authentication method with name "pks1" added successfully.
# hdcryptmgr showlv elv -v
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes yes 100 done
-- Authentication methods ------------
INDEX TYPE NAME
#0 Passphrase initpwd
#1 PKS pks1
# hdcryptmgr pksshow
PKS uses 116 bytes on a maximum of 4096 bytes.
PKS_Label (LVid) Status
00fb294400004c0000000176437c6663.1 VALID KEY
PKS_Label (objects)
PKS is an automatic authentication method: varyonvg unlocks the logical volume without prompting. Note that while the volume group is varied off, pksshow reports the key status as UNKNOWN:
# varyoffvg evg
# hdcryptmgr pksshow
PKS uses 116 bytes on a maximum of 4096 bytes.
PKS_Label (LVid) Status
00fb294400004c0000000176437c6663.1 UNKNOWN
PKS_Label (objects)
# varyonvg evg
# hdcryptmgr showlv elv
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes yes 100 done
Adding key server authentication method:
Any KMIP-compliant key management server can be used.
In this example, IBM Security Key Lifecycle Manager (SKLM) V4.0 for AIX was installed and configured on another AIX LPAR and used as the encryption key server. Use the keysvrmgr command to register the encryption key server on the client LPAR.
Check key servers in the LPAR:
# keysvrmgr show
3020-0279 No key server in database
Add encryption key server with the name keyserver1:
# keysvrmgr add -i 9.X.X.X -s /tmp/sklm_cert.cer -c /tmp/ssl_client_cer.p12 keyserver1
Key server keyserver1 successfully added
# keysvrmgr show
List of key servers:
ID PWD IP:PORT
keyserver1 N 9.X.X.X:5696
The encryption key server information is saved in the ODM KeySvr object class:
# odmget KeySvr
KeySvr:
keysvr_id = "keyserver1"
ip_addr = "9.X.X.X"
port = 5696
svr_cert_path = "/tmp/sklm_cert.cer"
cli_cert_path = "/tmp/ssl_client_cer.p12"
flags = 0
Add the key server (keyserv) authentication method to the logical volume:
# hdcryptmgr authadd -t keyserv -n key1_elv -m keyserver1 elv
Keyserver authentication method with name "key1_elv" added successfully.
#hdcryptmgr showlv -v elv
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes yes 100 done
-- Authentication methods ------------
INDEX TYPE NAME
#0 Passphrase initpwd
#1 PKS pks1
#2 Keyserver key1_elv
Adding key file authentication method:
Create a file, /testfile, containing a passphrase:
# cat /testfile
Add1ng Key f1le authent1cation meth0d
Add keyfile authentication method:
# hdcryptmgr authadd -t keyfile -n key1_file -m /testfile elv
Keyfile authentication method with name "key1_file" added successfully.
# cat /testfile
Add1ng Key f1le authent1cation meth0d
00fb294400004c0000000176437c6663.1 xdxKjlJvZU+f9lFTgSM63kGoIoKW6Yxc+bKrk5GgCzc=
hdcryptmgr has appended an entry for the logical volume (its LV identifier followed by base64-encoded key data) to the file. The file is now a credential for elv: anyone who can read it can unlock the logical volume, so restrict its permissions to root, back it up securely, and do not store it on the logical volume it unlocks.
# hdcryptmgr showlv elv -v
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes yes 100 done
-- Authentication methods ------------
INDEX TYPE NAME
#0 Passphrase initpwd
#1 PKS pks1
#2 Keyserver key1_elv
#3 Keyfile key1_file
Adding passphrase authentication method:
# hdcryptmgr authadd -t pwd -n test_pwd elv
Enter Passphrase:
Confirm Passphrase:
Passphrase authentication method with name "test_pwd" added successfully.
# hdcryptmgr showlv elv -v
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes yes 100 done
-- Authentication methods ------------
INDEX TYPE NAME
#0 Passphrase initpwd
#1 PKS pks1
#2 Keyserver key1_elv
#3 Keyfile key1_file
#4 Passphrase test_pwd
Migrating PKS keys to another LPAR together with the volume group:
PKS keys live in the keystore of the LPAR, so they do not travel with the disks. Before migrating the volume group, export the PKS keys into a passphrase-protected file:
# hdcryptmgr pksexport -p /tmp/pksexp evg
Enter Passphrase:
Confirm Passphrase:
1 PKS keys exported.
Import the volume group in another LPAR:
# importvg -y evg hdisk2
# hdcryptmgr showlv elv -v
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes yes 100 done
-- Authentication methods ------------
INDEX TYPE NAME
#0 Passphrase initpwd
#1 PKS pks1
#2 Keyserver key1_elv
#3 Keyfile key1_file
#4 Passphrase test_pwd
Check whether the authentication method is valid and accessible; the PKS key is not present in the keystore of the new LPAR yet:
# hdcryptmgr authcheck -n pks1 elv
3020-0199 Key does not exist in PKS storage.
3020-0127 hdcryptmgr authcheck failed for LV elv.
Copy the exported PKS file to the new LPAR and import it:
# hdcryptmgr pksimport -p /tmp/pksexp evg
Enter Passphrase:
3020-0341 Key having LVid 00fb294400004c0000000176437c6663.1 is succesfully imported in LV elv.
1 PKS keys imported.
# hdcryptmgr authcheck -n pks1 elv
PKS authentication check succeeded.
Change the encryption policy of the volume group:
Encryption metadata is saved at the end of each disk in the volume group, so enabling encryption on an existing volume group requires free physical partitions on each disk in the volume group; chvg migrates partitions to expand the descriptor area:
# chvg -k y testvg
0516-1216 chvg: Physical partitions are being migrated for volume group
descriptor area expansion. Please wait.
# lsvg testvg
VOLUME GROUP: testvg VG IDENTIFIER: 00fb294400004c000000017648ff8d32
VG STATE: active PP SIZE: 8 megabyte(s)
VG PERMISSION: read/write TOTAL PPs: 636 (5088 megabytes)
MAX LVs: 256 FREE PPs: 506 (4048 megabytes)
LVs: 1 USED PPs: 130 (1040 megabytes)
OPEN LVs: 0 QUORUM: 2 (Enabled)
TOTAL PVs: 1 VG DESCRIPTORS: 2
STALE PVs: 0 STALE PPs: 0
ACTIVE PVs: 1 AUTO ON: yes
MAX PPs per VG: 32512
MAX PPs per PV: 1016 MAX PVs: 32
LTG size (Dynamic): 512 kilobyte(s) AUTO SYNC: no
HOT SPARE: no BB POLICY: relocatable
PV RESTRICTION: none INFINITE RETRY: no
DISK BLOCK SIZE: 512 CRITICAL VG: no
FS SYNC OPTION: no CRITICAL PVs: no
ENCRYPTION: yes
Change the encryption policy of the Logical Volume:
This capability is delivered as proof of concept in AIX 7.2 TL 5.
Command to enable Logical Volume encryption:
hdcryptmgr plain2crypt <lvname>
- Enables the encryption policy of the logical volume
- Initializes the master key and encryption metadata for an encrypted logical volume
- Encrypts the data in the logical volume
Command to disable Logical Volume encryption:
hdcryptmgr crypt2plain <lvname>
- The logical volume must be unlocked
- Decrypts the logical volume data
- Disables the encryption policy of the logical volume
Enable the encryption policy of the logical volume, for example:
# hdcryptmgr plain2crypt testlv
Enter Passphrase:
Confirm Passphrase:
Passphrase authentication method with name "initpwd" added successfully.
Created recovery file : /var/hdcrypt/conv.004200021607542921
In case of error or if the conversion is canceled, this file may be
necessary to be able to recover the LV. If the conversion is fully
successful, then the file will be removed automatically
Successfully converted LV testlv to an encrypted LV.
# lslv testlv
LOGICAL VOLUME: testlv VOLUME GROUP: testvg
LV IDENTIFIER: 00fb294400004c000000017648ff8d32.2 PERMISSION: read/write
VG STATE: active/complete LV STATE: closed/syncd
TYPE: jfs WRITE VERIFY: off
MAX LPs: 512 PP SIZE: 8 megabyte(s)
COPIES: 1 SCHED POLICY: parallel
LPs: 10 PPs: 10
STALE PPs: 0 BB POLICY: relocatable
INTER-POLICY: minimum RELOCATABLE: yes
INTRA-POLICY: middle UPPER BOUND: 32
MOUNT POINT: N/A LABEL: None
MIRROR WRITE CONSISTENCY: on/ACTIVE
EACH LP COPY ON A SEPARATE PV ?: yes
Serialize IO ?: NO
INFINITE RETRY: no PREFERRED READ: 0
ENCRYPTION: yes
# hdcryptmgr showlv testlv -v
LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
testlv yes yes 100 done
-- Authentication methods ------------
INDEX TYPE NAME
#0 Passphrase initpwd
Best practices:
- Use an inline log for file systems created on an encrypted logical volume.
- If a file system uses an external log device that is shared across multiple file systems, authunlock all of the encrypted logical volumes involved before mounting any of those file systems.
- Use a non-PKS authentication method to authunlock logical volumes in a snapshot volume group.
- To copy an encrypted logical volume with the cplv command, first create a new logical volume with encryption enabled and use it as the destination logical volume.
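The following script is an added example for the two best practices above and for the PKS migration section; it is not part of the original post or of IBM's tooling. It parses the hdcryptmgr showlv -v layout reproduced on this page, reports which logical volumes of a volume group still need authunlock before any file system is mounted, and warns about LVs whose only authentication method is PKS, since those cannot be unlocked on another LPAR after importvg or from a snapshot volume group until a passphrase, keyfile or key server method is added. The lsvg -l column layout and the showlv output format are assumptions taken from this page; the two sample outputs at the bottom are constructed so that the parsing can be exercised offline.

```shell
#!/bin/sh
# Pre-mount check for encrypted logical volumes (added example, not IBM code).
# Assumes the `hdcryptmgr showlv <lv> -v` and `lsvg -l` layouts shown on this page.

# report_lv: read `hdcryptmgr showlv <lv> -v` output on stdin and print one line:
#   "<lv> <crypto enabled> <authenticated> <method types, comma separated>"
report_lv() {
    awk '
        NR == 2 { lv = $1; crypto = $2; auth = $3 }
        /^#[0-9]+ / { types = (types == "") ? $2 : types "," $2 }
        END { if (types == "") types = "none"; print lv, crypto, auth, types }
    '
}

# needs_unlock REPORT: true when the LV is encrypted but not yet authenticated
needs_unlock() {
    set -- $1
    [ "$2" = "yes" ] && [ "$3" = "no" ]
}

# pks_only REPORT: true when every authentication method is of type PKS, i.e. the
# LV cannot be unlocked on another LPAR (importvg) or in a snapshot volume group
pks_only() {
    set -- $1
    [ "$4" != "none" ] && ! printf '%s\n' "$4" | tr ',' '\n' | grep -vq '^PKS$'
}

# premount_unlock VG: walk the LVs of VG, unlock the locked ones, warn on PKS-only ones.
# Runs the real AIX commands, so it is only meaningful on the target system.
premount_unlock() {
    vg=$1
    lvs=$(lsvg -l "$vg" | awk 'NR > 2 { print $1 }')
    for lv in $lvs; do
        line=$(hdcryptmgr showlv "$lv" -v | report_lv)
        if pks_only "$line"; then
            echo "WARNING: $lv is unlockable only via PKS; add a passphrase, keyfile or key server method before snapshotting or migrating $vg" >&2
        fi
        if needs_unlock "$line"; then
            echo "unlocking $lv"
            # prompts for the passphrase when no automatic method (PKS, key server) applies
            hdcryptmgr authunlock "$lv" || return 1
        fi
    done
}

# Constructed sample outputs, in the layout shown on this page, for offline use.
SAMPLE_LOCKED='LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
elv yes no 100 done
-- Authentication methods ------------
INDEX TYPE NAME
#0 Passphrase initpwd
#1 PKS pks1'

SAMPLE_PKS_ONLY='LV NAME CRYPTO ENABLED AUTHENTICATED ENCRYPTION (%) CONVERSION
snaplv yes yes 100 done
-- Authentication methods ------------
INDEX TYPE NAME
#0 PKS pks1'

if [ $# -eq 1 ]; then
    premount_unlock "$1"
else
    for sample in "$SAMPLE_LOCKED" "$SAMPLE_PKS_ONLY"; do
        line=$(printf '%s\n' "$sample" | report_lv)
        echo "$line"
        if needs_unlock "$line"; then echo "  -> needs authunlock before mount"; fi
        if pks_only "$line"; then echo "  -> PKS-only: add a non-PKS method before snapshot or migration"; fi
    done
fi
```

Run it as premount_unlock.sh <vgname> on the AIX LPAR before mounting file systems of that volume group, or with no argument to see the checks applied to the embedded samples. The PKS-only warning is the check to run before hdcryptmgr pksexport and importvg: if it fires, the exported PKS file is the only way back into that logical volume on the destination LPAR.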
Limitations:
- Encrypting a logical volume is not recommended if the serialization of overlapping I/Os policy is set: when encryption is enabled, the hdcrypt driver intercepts the I/Os to encrypt the data, which may change their order.
- The Live Update operation is not supported if the logical volume encryption is enabled.
- Logical volume encryption is not supported on rootvg.
- Logical volume encryption function is not supported when a volume group is varied on in Concurrent mode.
All limitations are described at https://www.ibm.com/support/knowledgecenter/fr/ssw_aix_72/security/lv_encryption.html
Logical Volume Encryption Design Blog.