Encrypting logical volumes
Starting with IBM® AIX® 7.2 with Technology Level 5, the Logical Volume Manager (LVM) supports data encryption at the logical volume (LV) level. Using this feature, you can encrypt data at rest to protect against data exposure caused by lost or stolen hard disk drives or by inappropriately decommissioned computers. The term data at rest refers to inactive data that is stored physically in any digital form.
Each LV is encrypted with a unique key. The logical volume data is encrypted before it is written to the physical volume and decrypted when it is read from the physical volume. By default, data encryption is not enabled for logical volumes. You must enable the data encryption option at the volume group level before you can enable the data encryption option at the logical volume level.
The hdcryptmgr command manages the encryption keys, data encryption, and data decryption of the logical volume.
- To create a volume group with the data encryption option enabled, run the following command:
  mkvg -f -k y -y testvg hdisk1 hdisk2
  where testvg is the name of the new volume group, and hdisk1 and hdisk2 are the physical volumes that are used for the volume group.
- To create a logical volume with the data encryption option enabled, run the following command:
  mklv -k y -y testlv testvg 10
  where testlv is the name of the new logical volume and testvg is the volume group in which the logical volume must be created.
- To initialize the primary encryption key of the logical volume, run the following command:
  hdcryptmgr authinit testlv
  where testlv is the logical volume that was created in the previous step.
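The three steps above form one procedure, and the ordering matters: encryption must be enabled on the volume group before it can be enabled on a logical volume inside it. The following script is an added example (not IBM's own code or documentation) that wraps the page's three commands in a script which verifies, between steps, that the object just created actually reports encryption as enabled before the next step runs. It assumes, beyond what the page states, that `lsvg <vg>` and `lslv <lv>` print the state in a line beginning with `ENCRYPTION:` followed by `yes` or `no`, and it adds a `DRY_RUN=1` mode (an assumption of this example, not an LVM feature) that prints each command instead of executing it. The names `VG`, `LV`, `LV_LPS`, `PVS` and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not IBM's code: the page's three-step procedure wrapped in
# a script that checks, between steps, that encryption really is enabled at
# the volume group level before the logical volume is created, and at the
# logical volume level before the primary key is initialized.
#
# Assumptions (not stated on the page):
#   - `lsvg <vg>` and `lslv <lv>` print the state in a line that starts
#     with "ENCRYPTION:" followed by yes or no.
#   - Setting DRY_RUN=1 prints each command instead of running it.

VG=${VG:-testvg}            # volume group to create
LV=${LV:-testlv}            # logical volume to create
LV_LPS=${LV_LPS:-10}        # size of the LV in logical partitions
PVS=${PVS:-"hdisk1 hdisk2"} # physical volumes for the volume group

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Read lsvg/lslv-style output on stdin and print the value of the
# ENCRYPTION field in lower case ("yes" or "no"), or "unknown" if absent.
encryption_field() {
    awk 'BEGIN { v = "unknown" }
         toupper($1) == "ENCRYPTION:" { v = tolower($2) }
         END { print v }'
}

# Step 1: create the volume group with encryption enabled (-k y).
create_encrypted_vg() {
    run mkvg -f -k y -y "$VG" $PVS
}

# Step 2: create the logical volume with encryption enabled (-k y).
create_encrypted_lv() {
    run mklv -k y -y "$LV" "$VG" "$LV_LPS"
}

# Step 3: initialize the primary encryption key of the logical volume.
init_lv_key() {
    run hdcryptmgr authinit "$LV"
}

# Guards: query the live system and succeed only on "ENCRYPTION: yes".
vg_is_encrypted() {
    [ "$(lsvg "$VG" | encryption_field)" = "yes" ]
}

lv_is_encrypted() {
    [ "$(lslv "$LV" | encryption_field)" = "yes" ]
}

# Whole procedure in the order the page requires: volume group first,
# then logical volume, then the key; stop as soon as a guard fails.
encrypt_lv_procedure() {
    create_encrypted_vg || { echo "mkvg failed" >&2; return 1; }
    if [ "${DRY_RUN:-0}" != "1" ] && ! vg_is_encrypted; then
        echo "$VG does not report ENCRYPTION: yes; not creating $LV" >&2
        return 1
    fi
    create_encrypted_lv || { echo "mklv failed" >&2; return 1; }
    if [ "${DRY_RUN:-0}" != "1" ] && ! lv_is_encrypted; then
        echo "$LV does not report ENCRYPTION: yes; not initializing a key" >&2
        return 1
    fi
    init_lv_key
}

# Constructed sample of the assumed lsvg output, used only to exercise the
# parser on a machine without AIX LVM; real output has many more fields.
SAMPLE_LSVG='VOLUME GROUP:       testvg                   VG IDENTIFIER:  (constructed)
VG STATE:           active                   PP SIZE:        16 megabyte(s)
ENCRYPTION:         yes'

# Run the real procedure only when invoked as:  sh encrypt_lv.sh --run
case "${1:-}" in
    --run) encrypt_lv_procedure ;;
esac
```

Run it as root on the AIX system with `--run`; set `DRY_RUN=1 sh encrypt_lv.sh --run` first to see the exact `mkvg`, `mklv` and `hdcryptmgr` invocations without changing anything. The guards are the point of the script: if the volume group comes up without encryption enabled, the logical volume is never created, so there is no unencrypted LV left behind that looks like it should be protected.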