Understanding AIX Physical Volume Encryption

By Gary Domrow posted Wed February 08, 2023 04:36 PM


With AIX 7.3 TL1, IBM continues to address clients’ need to protect data by introducing encrypted physical volumes.   This capability encrypts data at rest on disks, and since the data is encrypted in the OS, the disk data in flight is encrypted as well.

Prior levels of AIX supported encrypted files in Encrypted File System (EFS).  More recently, AIX 7.2 TL 5 added support for logical volume encryption as described in two prior blog posts here and here.   The new support for physical volume encryption allows for encryption of an entire “hdisk” device accessed by the AIX operating system.  This is most useful for applications that do not use volume groups and logical volumes such as some database applications, though it is also possible to create a volume group and logical volumes that reside on encrypted disks.

The physical volume encryption support is based on the infrastructure developed for logical volume encryption.   Thus, much of what is described in the prior blog posts also applies to encrypted physical volumes.  For example, encrypted physical volumes support the same key management functions as encrypted logical volumes.

The encrypted physical volume support also uses the hdcryptmgr command to manage encrypted physical volumes and it uses the same hdcrypt driver to perform the encryption.  Some new options and actions have been added to the hdcryptmgr command.

hdcryptmgr command

The current usage of the hdcryptmgr command is shown below.   Actions highlighted in red are new, added to support encrypted physical volumes; actions highlighted in blue may be used with both logical and physical volumes.

# hdcryptmgr  
Usage: hdcryptmgr <action> <..options..>

Display :
showlv        : Displays LV encryption status
showvg        : Displays VG encryption capability
showpv        : Displays PV encryption capability
showmd        : Displays encryption metadata related to device
showconv      : Displays status of all active and stopped conversions

Authentication control :
authinit      : Initializes master key for data encryption
authunlock    : Authenticates to unlock master key of the device
authadd       : Adds additional authentication methods
authcheck     : Checks validity of an authentication method
authdelete    : Removes an authentication method
authsetrvgpwd : Adds "initpwd" passphrase method to all rootvg's LVs

PKS management :
pksimport     : Import the PKS keys
pksexport     : Export the PKS keys
pksclean      : Removes a PKS key
pksshow       : Displays PKS keys status

Conversion :
plain2crypt   : Converts a LV to encrypted
crypt2plain   : Converts a LV to not encrypted

PV encryption management :
pvenable      : Enables the Physical Volume Encryption
pvdisable     : Disables the Physical Volume Encryption
pvsavemd      : Save encrypted physical volume metadata to a file
pvrecovmd     : Recover encrypted physical volume metadata from a file

For more details on <..options..> run : hdcryptmgr <action> -h


The showpv action lists the encrypted physical volumes.   The pvenable and pvdisable actions are used to create and destroy encrypted physical volumes.   The pvsavemd and pvrecovmd actions are used to make a copy of the physical volume metadata and to attempt to recover the metadata on an encrypted physical volume.

Using Encrypted Physical Volumes

To use physical volume encryption, the disk must first be formatted for encryption.  This operation erases any data on the disk.  There is no support for directly encrypting existing data on a disk.  Instead, a new disk must be allocated and formatted for encryption and then the data is copied to the new disk.

The command to enable encryption on disk hdisk10 is hdcryptmgr pvenable hdisk10.  This command prompts the user for a passphrase to use to unlock the disk and then reserves some space at the beginning of the disk for metadata.   As with logical volume encryption, a data encryption key is created automatically when the disk is initialized for encryption.  The pvenable action also prompts the user to add a passphrase wrapping key to encrypt the data encryption key.   Additional wrapping keys may be added using the authadd action of the hdcryptmgr command.  Note that since space is reserved for metadata, the space available for user data on an encrypted physical volume is slightly smaller than the total size of the physical volume.

Once the disk is initialized for encryption and unlocked, it may be used just as any other hdisk in AIX, except encrypted disks cannot be used as part of the rootvg volume group.  As the OS writes data to the disk, the data is encrypted; when data is read from the disk it is decrypted before being passed to the user.

If the AIX LPAR is rebooted, encrypted disks that use only the passphrase wrapping key protection method must be manually unlocked using the hdcryptmgr authunlock action.  If one of the other methods, such as using a key server or PKS, has been added to the disk using the authadd action, AIX attempts to automatically unlock the disk during boot.  Any attempt to do I/O to an encrypted disk that is still locked fails.

The following shows the output of the showpv and showmd actions of the hdcryptmgr command.  The showpv output displays three encrypted disks, two that are unlocked (able to be read from or written to) and one that is locked.  The locked disk requires hdcryptmgr authunlock hdisk32 before it is usable.

# hdcryptmgr showpv         
NAME                 CRYPTO_STATUS    %ENCRYPTED       NOTE          
hdisk30              unlocked         100           
hdisk31              unlocked         100           
hdisk32              locked           100            


The showmd action below shows metadata for a disk that is using only the passphrase key method.

# hdcryptmgr showmd  hdisk30
.....
.....    Thu Feb  2 14:32:11 2023
.....    Device type : PV
.....    Device name : hdisk30
.....

=============== B: PV HEADER ================
Version                      : 0
Timestamp                    : Thu Feb  2 14:31:14 2023
Default data crypto algorithm: AES_XTS
Default MasterKey size       : 32 bytes
Auto-auth (during boot)      : Enabled
=============== E: PV HEADER ================

========== B: AUTH METHODS HEADER ==========
Version                      : 1
MasterKey                    : Defined
MasterKey size               : 32 bytes
Encryption status            : Fully encrypted
Data crypto algorithm        : AES_XTS
========== E: AUTH METHODS HEADER ==========

============== B: AUTH METHODS =============
---- Index #0 -------------------------------
Method defined               : yes
Method name                  : initpwd
Authentication type          : Passphrase
Auto-auth method             : no
MasterKey crypto algorithm   : AES_GCM
---- Index #1 -------------------------------
Method defined               : no
---- Index #2 -------------------------------
Method defined               : no
---- Index #3 -------------------------------
Method defined               : no
---- Index #4 -------------------------------
Method defined               : no
---- Index #5 -------------------------------
Method defined               : no
============== E: AUTH METHODS =============

=============== B: PV TRAILER ===============
Timestamp                    : Thu Feb  2 14:31:14 2023
=============== E: PV TRAILER ===============
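As an added example (not code from the original post), the following POSIX shell functions run a post-boot audit over the two listings above: they report encrypted PVs that are still locked (all I/O to them fails) and detect a PV whose only authentication method is a passphrase, which will not auto-unlock after a reboot. The sample text is constructed from the output formats shown above; the "Auto-auth method : yes" line for a key-server or PKS method is an assumed value, not one shown on this page.

```sh
#!/bin/sh
# Added example, not part of the original post. Input is the text of
# `hdcryptmgr showpv` / `hdcryptmgr showmd <hdisk>` on stdin, so the
# functions can be piped from the real commands on an AIX 7.3 TL1 LPAR.
# All samples below are constructed.

SHOWPV_SAMPLE='NAME                 CRYPTO_STATUS    %ENCRYPTED       NOTE
hdisk30              unlocked         100
hdisk31              unlocked         100
hdisk32              locked           100'

# Passphrase-only PV (matches the showmd output above): no auto-auth.
SHOWMD_PWD_ONLY='---- Index #0 -------------------------------
Method defined               : yes
Method name                  : initpwd
Authentication type          : Passphrase
Auto-auth method             : no
---- Index #1 -------------------------------
Method defined               : no'

# Assumed form of a PV that also has an auto-auth method via authadd.
SHOWMD_WITH_AUTO='---- Index #0 -------------------------------
Method defined               : yes
Auto-auth method             : no
---- Index #1 -------------------------------
Method defined               : yes
Auto-auth method             : yes'

# locked_pvs: print each PV whose CRYPTO_STATUS column is "locked",
# one name per line; the header line is skipped.
locked_pvs() {
    awk 'NR > 1 && $2 == "locked" { print $1 }'
}

# has_auto_auth: succeed only if some method has "Auto-auth method : yes".
# The PV header's "Auto-auth (during boot)" line does not match and is ignored.
has_auto_auth() {
    awk -F: '/^Auto-auth method/ { gsub(/ /, "", $2); if ($2 == "yes") ok = 1 }
             END { if (ok) exit 0; exit 1 }'
}

# unlock_hints: emit the manual unlock command for every locked PV.
unlock_hints() {
    locked_pvs | while read -r pv; do
        printf 'hdcryptmgr authunlock %s\n' "$pv"
    done
}
```

On a live system, `hdcryptmgr showpv | unlock_hints` lists the disks that must be unlocked before applications start, and `hdcryptmgr showmd hdiskN | has_auto_auth` tells you whether that disk will come back locked after the next reboot.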

The pvrecovmd action verifies the metadata of an encrypted disk.  It can repair some forms of corrupted metadata on its own, but if all of the metadata is destroyed, it may require a metadata file that was previously created with the pvsavemd action of the hdcryptmgr command to fully recover the metadata.

Finally, if the encrypted disk is no longer needed, the pvdisable action may be used to disable encryption on a disk.  This action overwrites the metadata on the disk so that all of the keys are destroyed, but it does not overwrite the other encrypted data on the disk.

Other Limitations of Encrypted Physical Volumes

There are a few limitations to the encrypted physical volume support.   First, this support makes use of two new required disk attributes.  As a result, if the disks are identified using an ODM package from a storage vendor, those disks do not support encryption until a new ODM package is acquired from the vendor that includes the two new attributes.

Second, there are a few other software packages that are implemented by inserting a kernel extension above the SCSI disk driver, similar to the encryption support.  At present, it is not supported to mix those software features with physical volume encryption on an AIX LPAR.  In particular, the AIX “flash cache” feature, managed by cache_mgt, cannot be used in conjunction with encryption.  Likewise, GLVM and encryption cannot be used together on the same AIX LPAR.

Third, the current physical volume encryption support works only with SCSI disks.  There is no support for NVMe disks at this time.  But, AIX 7.3 TL1 supports NVMe SED (Self Encrypting Disks) on internal PCI NVMe disks.

AIX Publications

The AIX publications have more information about physical volume encryption.   Use the following links.

Introduction to encrypted physical volumes

More information about encrypted physical volumes

hdcryptmgr command

NVME SED -- nvmesed command
