Encrypting logical volumes
Starting with IBM® AIX® 7.2 with Technology Level 5, the Logical Volume Manager (LVM) supports data encryption at the logical volume (LV) level. Using this feature, you can encrypt data at rest to protect against data exposure from lost or stolen hard disk drives or from inappropriately decommissioned computers. The term data at rest refers to inactive data that is stored physically in any digital form. Note that this protects only the stored data: once an encrypted LV is unlocked on a running system, its contents are readable by any process with the appropriate file permissions, so LV encryption does not replace access controls on the live system.
Each LV is encrypted with its own unique key. The logical volume data is encrypted before it is written to the physical volume and decrypted when it is read back from the physical volume. By default, data encryption is not enabled in logical volumes. You must enable the data encryption option at the volume group level before you can enable the data encryption option at the logical volume level.
The hdcryptmgr command manages the encryption keys and the encryption and decryption of logical volume data.
- To create a volume group with the data encryption option enabled, run the following command:
      mkvg -f -k y -y testvg hdisk1 hdisk2
  where testvg is the name of the new volume group, and hdisk1 and hdisk2 are the physical volumes that are used for the volume group. The -k y flag enables the encryption option on the volume group.
- To create a logical volume with the data encryption option enabled, run the following command:
      mklv -k y -y testlv testvg 10
  where testlv is the name of the new logical volume, testvg is the volume group in which the logical volume must be created, and 10 is the number of logical partitions to allocate to the logical volume.
- To initialize the primary encryption key of the logical volume, run the following command:
      hdcryptmgr authinit testlv
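The three steps above wrapped in a small POSIX sh helper, added here as an example and not taken from the IBM page or from AIX itself. It validates the volume group and logical volume names before they reach mkvg and mklv, checks that hdcryptmgr is present, and has an HDCRYPT_DRYRUN mode that prints each command instead of executing it so the sequence can be reviewed before it touches any disk. The function names, the HDCRYPT_DRYRUN variable and the 15-character name limit are this example's own conventions; the final "hdcryptmgr showlv" verification step comes from the hdcryptmgr command reference and is not shown on the page above.

```shell
#!/bin/sh
# Added example (not from the IBM page): drives the mkvg -k y, mklv -k y and
# hdcryptmgr authinit procedure with argument validation and a dry-run mode.
# HDCRYPT_DRYRUN, the function names and the name checks are assumptions of this
# example; "hdcryptmgr showlv" is from the hdcryptmgr command reference.

# Print the command line in dry-run mode, otherwise execute it.
run() {
    if [ "${HDCRYPT_DRYRUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pre-flight check: VG and LV names are passed straight to mkvg/mklv, so reject
# empty names, names longer than 15 characters (the AIX LVM limit) and names
# containing characters outside [A-Za-z0-9_.-].
validate_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_.-]*)
            printf 'invalid LVM name: "%s"\n' "$1" >&2
            return 1 ;;
    esac
    if [ "${#1}" -gt 15 ]; then
        printf 'LVM name longer than 15 characters: "%s"\n' "$1" >&2
        return 1
    fi
    return 0
}

# Step 1: volume group with the encryption option enabled (-k y).
# -f forces creation even if a physical volume appears to belong to another
# volume group already; drop it if you would rather have mkvg refuse.
create_encrypted_vg() {
    vg=$1; shift
    validate_name "$vg" || return 1
    if [ "$#" -lt 1 ]; then
        printf 'at least one physical volume is required\n' >&2
        return 1
    fi
    run mkvg -f -k y -y "$vg" "$@"
}

# Step 2: logical volume with the encryption option enabled; the last argument
# is the number of logical partitions to allocate and must be a positive integer.
create_encrypted_lv() {
    lv=$1; vg=$2; lps=$3
    validate_name "$lv" || return 1
    validate_name "$vg" || return 1
    case "$lps" in
        '' | *[!0-9]*)
            printf 'logical partition count must be a positive integer: "%s"\n' "$lps" >&2
            return 1 ;;
    esac
    if [ "$lps" -lt 1 ]; then
        printf 'logical partition count must be at least 1\n' >&2
        return 1
    fi
    run mklv -k y -y "$lv" "$vg" "$lps"
}

# Step 3: initialise the primary key of the LV. Outside dry-run mode
# hdcryptmgr prompts for the passphrase interactively, so run it from a terminal.
init_lv_key() {
    validate_name "$1" || return 1
    run hdcryptmgr authinit "$1"
}

# Step 4 (verification, from the hdcryptmgr reference rather than this page):
# display the encryption status of the LV after the key is initialised.
show_lv_status() {
    validate_name "$1" || return 1
    run hdcryptmgr showlv "$1"
}

# Whole procedure: provision_encrypted_lv VG LV NUM_LPS PV...
provision_encrypted_lv() {
    vg=$1; lv=$2; lps=$3; shift 3
    if [ "${HDCRYPT_DRYRUN:-0}" != "1" ] && ! command -v hdcryptmgr >/dev/null 2>&1; then
        printf 'hdcryptmgr not found: LV encryption needs AIX 7.2 TL5 or later\n' >&2
        return 1
    fi
    create_encrypted_vg "$vg" "$@" &&
    create_encrypted_lv "$lv" "$vg" "$lps" &&
    init_lv_key "$lv" &&
    show_lv_status "$lv"
}

# Usage, reviewing the commands first:
#   HDCRYPT_DRYRUN=1; export HDCRYPT_DRYRUN
#   provision_encrypted_lv testvg testlv 10 hdisk1 hdisk2
```

Run it once with HDCRYPT_DRYRUN=1 to see the exact mkvg, mklv and hdcryptmgr command lines it would issue, then unset the variable and run it from an interactive shell as root, because hdcryptmgr authinit asks for the passphrase that protects the primary key. Two points that the page above does not cover, both from the hdcryptmgr and chvg command references rather than from this page: an encrypted LV must be unlocked with hdcryptmgr authunlock before it can be used again after a reboot, and the encryption option can be turned on for an existing volume group with chvg -k y rather than recreating it with mkvg.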