hdcryptmgr Command

Purpose

Provides cryptographic management of logical and physical volumes.

Syntax

hdcryptmgr action [ -h ] [ flags ] devicename

Description

The hdcryptmgr command manages encrypted logical volumes. Starting from the IBM® AIX® 7.3 Technology Level 1, you can run the hdcryptmgr command to manage encrypted logical volumes and encrypted physical volumes. The encrypted logical volumes or physical volumes are managed by specifying the action parameter to perform one of the following operations:

Note: Some action parameters apply only to logical volumes or only to physical volumes; others apply to both.

Table 1. hdcryptmgr command operations

Display encryption settings
    showvg                      Displays the data encryption status of the volume group.
    showlv                      Displays the data encryption status of the logical volume.
    showmd                      Displays encryption metadata for a specific volume.
    showconv                    Displays the status of active and stopped conversions of logical volumes, from plain to encrypted and from encrypted to plain.
    showpv                      Displays the status of encrypted physical volumes.

Control authentication methods
    authinit                    Initializes a primary key for data encryption in the volume.
    authunlock or authunl       Authenticates to the encrypted volume to unlock the primary key of the volume.
    authadd                     Adds more authentication methods.
    authcheck or authchk        Checks the validity of an authentication method.
    authdelete or authdel       Removes an authentication method.
    authmod                     Modifies the password for the passphrase key-protection method.
    authsetrvgpwd or setrvgpwd  Sets the recovery password for the root volume group (rootvg) after the BOS installation.

Manage Platform Keystore (PKS) keys
    pksimport                   Imports the PKS keys.
    pksexport                   Exports the PKS keys.
    pksclean                    Removes a PKS key.
    pksshow                     Displays the status of the PKS keys.

Convert the encryption status of the logical volume
    plain2crypt                 Enables encryption in a logical volume and encrypts the logical volume data.
    crypt2plain                 Decrypts the logical volume data and disables encryption in the logical volume.

Physical volume encryption
    pvenable                    Enables the encryption of a physical volume.
    pvdisable                   Disables the encryption of a physical volume.
    pvsavemd                    Saves the physical volume metadata to a specified file.
    pvrecovmd                   Recovers the physical volume metadata.

Note: Non-Volatile Memory Express (NVMe) and Virtual Persistent Memory (vPMem) disks do not support encryption.

Displaying the encryption settings

You can run the following actions with the hdcryptmgr command to display the encryption settings:

showvg
Syntax:
hdcryptmgr showvg [ -h ] [ device ]
Displays the data encryption status of the specified volume group. If you do not specify a volume group, the hdcryptmgr command shows the encryption status of all volume groups.
# hdcryptmgr showvg
VG NAME / ID          ENCRYPTION ENABLED  
EVG1                      yes                 
INSTALLVG                 yes                 
rootvg                    no
showlv
Syntax:
hdcryptmgr showlv [ -h ] [ -v ] device
Displays the data encryption status of a logical volume. Specify the device name of a volume group or a logical volume. When you specify a volume group, the hdcryptmgr command displays the data encryption status of every logical volume in the volume group. When you specify a logical volume, the command displays the data encryption status of that logical volume only. If data encryption is not enabled for the volume group, a message that indicates that encryption is not enabled on the volume group is displayed.
# hdcryptmgr showlv vg00
NAME                 CRYPTO_STATUS    %ENCRYPTED       NOTE            
lv00                 unlocked         100             
lv01                 unlocked         100             
lv03                 not_enabled      0               
lv04                 locked           100             
lv02                 uninitialized    0               
lv06                 uninitialized    n/a              not_accessible  
lv07                 locked           100             
fslv00               locked           1                encrypting      
showmd
Syntax
hdcryptmgr showmd [ -h ] [ -v ] device
Displays encryption metadata for a specific logical volume, volume group, or physical volume. Specify the device name of a logical volume, volume group, or a physical volume. When you specify a volume group, only the header and trailer encryption metadata of the specified volume group are displayed. When you specify an encrypted physical volume, the metadata that is associated with the physical volume is displayed. If the specified physical volume is not encrypted and if it is part of a volume group that contains the encrypted logical volumes, the metadata of encrypted logical volumes is displayed. The metadata is displayed even if the corresponding volume group is not varied on. When you specify a logical volume, the entire encryption metadata of the specific logical volume is displayed.
# hdcryptmgr showmd ELV1
.....
.....    Wed Jun 17 13:25:46 2020
.....    Device type : LV
.....    Device name : ELV1
.....

=============== B: LV HEADER ================
Version                      : 0
MasterKey                    : Defined
MasterKey size               : 16 bytes
Encryption status            : Fully encrypted
Data crypto algorithm        : AES_XTS
=============== E: LV HEADER ================

============= B: LV AUTH METHODS ============
---- Index #0 -------------------------------
Method defined               : yes
Method name                  : initpwd
Authentication type          : Passphrase
Auto-auth method             : no
MasterKey crypto algorithm   : AES_GCM
---- Index #1 -------------------------------
Method defined               : no
---- Index #2 -------------------------------
Method defined               : no
---- Index #3 -------------------------------
Method defined               : no
---- Index #4 -------------------------------
Method defined               : no
---- Index #5 -------------------------------
Method defined               : no
============= E: LV AUTH METHODS ============
showconv
Syntax
hdcryptmgr showconv [ -h ]
Displays the status of the active and stopped conversion processes of logical volumes that are being converted.
# hdcryptmgr showconv
NAME          TID/STATUS       %ENCRYPTED       DIRECTION        START_TIME      
lv03          29557045         3                plain2crypt      Sun Feb 14 09:43:10 2021
fslv00        stopped/dirty    1                plain2crypt     
showpv
Syntax:
hdcryptmgr showpv [ -h ] [ -v ] [ device ]
-h
Prints the help message.
-v
Specifies the verbose mode. Prints more detailed output if the physical volume device name is specified.
device
Specifies the device name of the encrypted physical volume. The device attribute is optional.

Displays information about one or all encrypted physical volumes. If you specify the name of an encrypted physical volume, information about that physical volume is displayed. If you do not specify a device name, information about all encrypted physical volumes is displayed.

# hdcryptmgr showpv
NAME                    CRYPTO_STATUS       %ENCRYPTED     NOTE
hdisk24                 unlocked             100
hdisk25                 unlocked             100
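The following script is an added example; it is not part of the IBM documentation or of the hdcryptmgr command. It parses the showlv output layout shown above (NAME, CRYPTO_STATUS, %ENCRYPTED, NOTE) and flags every logical volume that is not ready for I/O, so it can be run after varyonvg or at boot as a quick audit before file systems are mounted. The sample input is the showlv output from this page, embedded as a constructed string; showpv output has the same columns, so the same function applies to it.

```sh
#!/bin/sh
# Added example: audit "hdcryptmgr showlv <vg>" (or showpv) output.
# Not IBM code; the column layout is taken from the sample output on this page.

# Constructed sample input, copied from the showlv example on this page.
SAMPLE_SHOWLV=$(cat <<'EOF'
NAME                 CRYPTO_STATUS    %ENCRYPTED       NOTE
lv00                 unlocked         100
lv01                 unlocked         100
lv03                 not_enabled      0
lv04                 locked           100
lv02                 uninitialized    0
lv06                 uninitialized    n/a              not_accessible
lv07                 locked           100
fslv00               locked           1                encrypting
EOF
)

# audit_showlv reads showlv/showpv output on stdin and prints one line
# "SEVERITY<TAB>NAME<TAB>what to do" per volume that needs attention.
# Exit status is 1 if any WARN line was produced, 0 otherwise, so the
# function can gate a later step (for example, mounting file systems).
audit_showlv() {
    awk '
        NR == 1 || NF < 3 { next }                 # header and blank lines
        $2 == "unlocked" && NF == 3 { next }       # healthy: nothing to report
        {
            name = $1; status = $2; pct = $3; note = (NF >= 4) ? $4 : ""
            sev = "WARN"
            if (status == "locked" && note == "encrypting") {
                msg = "conversion in progress, " pct "% encrypted: check hdcryptmgr showconv"
            } else if (status == "locked") {
                msg = "locked: run hdcryptmgr authunlock " name
            } else if (status == "uninitialized" && note == "not_accessible") {
                msg = "uninitialized and not accessible"
            } else if (status == "uninitialized") {
                msg = "no key-protection method yet: run hdcryptmgr authinit " name
            } else if (status == "not_enabled") {
                sev = "INFO"
                msg = "plain (unencrypted) volume inside an encryption-enabled VG"
            } else {
                msg = "unexpected state " status " " note
            }
            if (sev == "WARN") bad = 1
            printf "%s\t%s\t%s\n", sev, name, msg
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demo on the constructed sample. On a live system replace the printf with:
#   hdcryptmgr showlv vg00 | audit_showlv
printf '%s\n' "$SAMPLE_SHOWLV" | audit_showlv || echo "audit: some volumes need attention"
```

A not_enabled volume is reported as INFO rather than WARN because its data is readable; it is still worth listing, since a plain logical volume inside an encryption-enabled volume group is usually an oversight.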

Controlling authentication methods

The encryption function of logical and physical volumes supports the following key-protection methods: passphrase, key file, key server management solutions (IBM Security Key Lifecycle Manager (keyserv), IBM Key Protect for IBM Cloud®, and IBM Cloud® Hyper Protect Crypto Services (HPCS)), and PKS. For the passphrase and key file methods, you manually specify a password or the location of the key file. The key server and PKS methods can unlock and activate the encrypted volume automatically. For the key server method to qualify as an automatic method, store the client certificate password in PKS or use a client certificate that has no password. To control authentication methods, you can run the following actions with the hdcryptmgr command:
authinit
Syntax
hdcryptmgr authinit [ -h ] [ -e algo_detail ] [ -n name ] device
Initializes the primary key and the encryption metadata for an encrypted volume. For each encrypted volume, the primary key and the encryption metadata must be initialized only once. The first key-protection method, a passphrase, is added to the encryption metadata of the volume at the same time. The pvenable action parameter also runs the authinit action parameter to initialize authentication on a physical volume. You can specify the following flags or values for the authinit action parameter:
-e
Specifies the data encryption algorithm, mode, and key length. The following are the valid values of the -e flag:
prompt
Specifies that the encryption algorithm details are prompted when the command runs.
[algorithm]:[b|B][key_len][:w]
Specifies the encryption algorithm details. The supported algorithm is AES in XTS mode (AES-XTS) with a 128-bit or 256-bit key. The key_len variable is the key length; the b prefix (default) gives the length in bits and B gives it in bytes. The :w suffix overwrites the default values of the volume group with the specified values. When a volume group or physical volume is created with encryption enabled, the default algorithm is AES-XTS with a 128-bit key.
-n
Specifies a name for the key-protection method. The name can be 1 to 15 characters long and can contain only the characters A - Z, a - z, 0 - 9, underscore (_), minus sign (-), or period (.). All other characters are considered invalid.
device
Specifies the device name of the logical volume or the volume group or the physical volume for which the key-protection method must be initialized.
authadd
Syntax
hdcryptmgr authadd [ -h ] [ -t type [ -m method_detail ] ] [ -n name ] device
Adds another key-protection method to an encrypted volume on which a key-protection method is already initialized. The encrypted volume must be unlocked before you add a key-protection method, because the new method must protect the primary key of the volume. This action parameter can be specified with the following flags or values:
-t
Specifies the key-protection type. The valid values are pwd, keyfile, keyserv, hpcs, and pks.
-m
Specifies any additional information about the key-protection method that might include the following details:
  • Input path to the authentication key file
  • Key server ID in the KeySvr Object Data Manager (ODM) class
  • Key server name in the HpcsSvr ODM class
-n
Specifies a name for the key-protection method. Name can be in the range 1 to 15 characters and can contain only the characters such as A - Z, a - z, 0 - 9, underscore (_), minus sign (-), or period (.). All other characters are considered invalid.
device
Specifies the device name of the logical volume or physical volume for which the key-protection method must be added.

If you do not specify the required flags or values when you run the hdcryptmgr authadd command, you are prompted for them. For information about registering key server information, see the keysvrmgr command.

authunlock or authunl
Syntax:
hdcryptmgr authunlock [ -h ] [ -t type [ -m method_detail ] ] [ -A ] device
Authenticates to the encrypted volume and unlocks it. This action parameter can be specified with the following flags or values:
-A
Authenticates to the encrypted logical volume by using the automatic key-protection methods that do not require any user inputs. Use this flag at a volume group level only if the volume group uses automatic key-protection methods such as a key server management solution or the PKS.
-t
Specifies the type of the key-protection method. The valid values are pwd, keyfile, keyserv, hpcs, and pks.
-m
Specifies any additional information about the key-protection method that might include the following details:
  • Input path to the authentication key file
  • Key server ID in the KeySvr ODM class
  • Key server name in the HpcsSvr ODM class
device
Specifies the device name of the logical volume or physical volume to authenticate and unlock. With the -A flag, you can also specify a volume group name.

When you specify a device name, you can specify the key-protection method by using the -t and -m flags. If more than one key-protection methods meet the criteria, you are prompted to select a specific key-protection method.

Note: For encrypted logical volumes that use key server authentication methods during the boot operation to decrypt the logical volume, the server or the client certificate must be located in the /etc directory or in the file systems that are mounted early in the boot operation sequence.
authcheck or authchk
Syntax
hdcryptmgr authcheck [ -h ] [ -t <type> [ -m <method_detail> ] ] [ -i <index> ] [ -n <name> ] <device>
Checks the validity of an authentication method. You can specify this action parameter with the following flags or values:
-h
Displays the help information.
-t
Specifies the type of the key-protection method. The valid values are pwd, keyfile, keyserv, hpcs, and pks.
-m
Specifies any additional information about the key-protection method that might include the following details:
  • Input path to the authentication key file
  • Key server ID in the KeySvr ODM class
  • Key server name in the HpcsSvr ODM class
-i
Checks the authentication of only the specified index. An authentication type is automatically forced according to the selected index.
-n
Specifies the name of the key-protection method that must be checked. A name can be in the range 1 to 15 characters and can contain only the characters such as A - Z, a - z, 0 - 9, underscore (_), minus sign (-), or period (.). All other characters are considered invalid.
device
Specifies the device name of the logical volume or physical volume that must be checked.
authdelete or authdel
Syntax
hdcryptmgr authdelete [ -h ] [ -t type [ -m method_detail ] ] [ -i index] [ -n name ] [ -f ] device
Removes an existing key-protection method. You can specify this action parameter with the following flags or values:
-t
Specifies the key-protection type. The valid values are pwd, keyfile, keyserv, hpcs, and pks.
-m
Specifies any additional information about the key-protection method that might include the following details:
  • Input path to the authentication key file
  • Key server ID in the KeySvr ODM class
  • Key server name in the HpcsSvr ODM class
-i
Specifies the index of the key-protection method that must be deleted.
-n
Specifies the name of the key-protection method that must be deleted. Name can be in the range 1 to 15 characters and can contain only the characters such as A - Z, a - z, 0 - 9, underscore (_), minus sign (-), or period (.). All other characters are considered invalid.
-f
Specifies the force option. This flag bypasses the authentication method checks to remove the key-protection method.
device
Specifies the device name of the logical volume or physical volume for which the key-protection method must be deleted.

Only one key-protection method can be removed at a time. If you know the correct index or name of the key-protection method, you can specify the key-protection method by using the -i or -n flags. You can use the -t and -m flags to filter the list of existing key-protection methods. If multiple entries match the specified criteria, you are prompted to choose the key-protection method that must be removed.

Before the key-protection method is removed, its validity is checked unless the -f flag is used; you must authenticate to the volume with the selected key-protection method.

Note: Ensure that the volume has at least a passphrase key-protection method after you perform the authdelete operation.
authsetrvgpwd or setrvgpwd
Syntax
hdcryptmgr authsetrvgpwd [-h]
Sets a recovery password for the rootvg. When you install the operating system in an LPAR, if you enable the encryption of logical volumes, only the PKS authentication method is created for the encrypted logical volumes. After the installation is complete and the LPAR boots up in normal mode, you must run the hdcryptmgr authsetrvgpwd command to add a recovery password for the rootvg.
authmod
Syntax
hdcryptmgr authmod [ -h ] [ -t <type> ] [ -i <index> ] [ -n <name> ] <device>
Modifies the selected key-protection method. You can specify this action parameter with the following flags:
-h
Displays the help information.
-t
Specifies the type of the key-protection method. The valid value is pwd.
Note: By default, the key-protection method is set to pwd if you do not specify -t pwd when you run the hdcryptmgr authmod command. You can select the key-protection method by using the -i or -n flags if you know the index or name of the key-protection method.
-i
Targets the modification of only the specified index.
-n
Specifies the name that is given to the authentication method. A name can be 1 to 15 characters long and can contain only the characters A-Z, a-z, 0-9, underscore (_), minus sign (-), or period (.). All the other characters are considered invalid.
device
Specifies the device name of the logical volume or physical volume whose key-protection method must be modified.
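The following script is an added example and not part of the IBM documentation. It parses the LV AUTH METHODS section of hdcryptmgr showmd output (layout as shown earlier on this page) into a table of index, name, type and auto-auth flag, and uses that table to guard an authdelete so that the volume is never left without a passphrase method, which is the rule stated for authdelete above. The sample showmd text is constructed; in particular, the "Authentication type : PKS" line for index 1 is an assumed value, since this page only shows a Passphrase method.

```sh
#!/bin/sh
# Added example: list the key-protection methods recorded in "hdcryptmgr showmd"
# output and guard an authdelete so that at least one passphrase method remains.
# Not IBM code. The LV AUTH METHODS layout is taken from this page; the
# "Authentication type : PKS" line for index 1 is an assumed value.

# Constructed sample: a volume with a passphrase method and an automatic PKS method.
SAMPLE_SHOWMD=$(cat <<'EOF'
=============== B: LV HEADER ================
Version                      : 0
MasterKey                    : Defined
MasterKey size               : 16 bytes
Encryption status            : Fully encrypted
Data crypto algorithm        : AES_XTS
=============== E: LV HEADER ================

============= B: LV AUTH METHODS ============
---- Index #0 -------------------------------
Method defined               : yes
Method name                  : initpwd
Authentication type          : Passphrase
Auto-auth method             : no
MasterKey crypto algorithm   : AES_GCM
---- Index #1 -------------------------------
Method defined               : yes
Method name                  : autopks
Authentication type          : PKS
Auto-auth method             : yes
MasterKey crypto algorithm   : AES_GCM
---- Index #2 -------------------------------
Method defined               : no
============= E: LV AUTH METHODS ============
EOF
)

# list_auth_methods reads showmd output on stdin and prints, for every defined
# method, a tab-separated line: index, name, authentication type, auto-auth.
# The auto-auth column tells you whether "hdcryptmgr authunlock -A" can use it.
list_auth_methods() {
    awk '
        function flush() {
            if (idx != "" && defined == "yes") {
                printf "%s\t%s\t%s\t%s\n", idx, name, type, auto
            }
        }
        /^=+ B: .*AUTH METHODS/ { inside = 1; next }
        /^=+ E: .*AUTH METHODS/ { inside = 0; next }
        !inside { next }
        /^---- Index #/ {
            flush()
            idx = $3; sub(/^#/, "", idx)
            defined = "no"; name = "-"; type = "-"; auto = "-"
            next
        }
        /^Method defined/      { defined = $NF; next }
        /^Method name/         { name = $NF; next }
        /^Authentication type/ { type = $NF; next }
        /^Auto-auth method/    { auto = $NF; next }
        END { flush() }
    '
}

# authdelete_guard INDEX reads showmd output on stdin and prints OK or REFUSE.
# It refuses when INDEX is not a defined method or when removing it would leave
# the volume without any Passphrase method. Returns 0 on OK, 1 on REFUSE, so it
# can gate the real "hdcryptmgr authdelete -i INDEX <device>".
authdelete_guard() {
    list_auth_methods | awk -v target="$1" '
        BEGIN { FS = "\t" }
        $1 == target { found = 1; next }
        $3 == "Passphrase" { pw_left++ }
        END {
            if (!found) { print "REFUSE: index " target " is not a defined method"; exit 1 }
            if (!pw_left) { print "REFUSE: no passphrase method would remain on the volume"; exit 1 }
            print "OK: index " target " can be removed, " pw_left " passphrase method(s) remain"
        }
    '
}

# Demo on the constructed sample. On a live system replace the printf with:
#   hdcryptmgr showmd <lv> | authdelete_guard 1
printf '%s\n' "$SAMPLE_SHOWMD" | list_auth_methods
printf '%s\n' "$SAMPLE_SHOWMD" | authdelete_guard 1
printf '%s\n' "$SAMPLE_SHOWMD" | authdelete_guard 0 || :
```

Run the guard before authdelete rather than after: authdelete -f bypasses the validity check, and once the last passphrase method is gone the only remaining way into the volume may be a PKS key that exists on one server or a key server certificate that is not reachable at boot.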

Managing PKS keys

The PKS is a secure key-protection method that is available in the IBM PowerVM® firmware of the IBM Power® E950. You can add the PKS key-protection method to an encrypted logical volume. You can use the following action parameters to manage the PKS keys for authentication:

pksshow
Syntax
hdcryptmgr pksshow [-h]
Displays the PKS labels of the volumes that are associated with PKS keys, and the status of those keys. Labels that are stored in the PKS and labels that are stored in the volume metadata are both displayed.
# hdcryptmgr pksshow

Total PKS size: 65536 bytes 
Used  PKS size: 479 bytes
Estimated encryption key slots: 747

PKS_Label (LVid)                         Status		Device
00fb293100004c0000000174c0a994b7.1       VALID		 testlv
00fb293100004c0000000174c0a994b7.2       UNKNOWN	      
00fb293100004c0000000174c0a994b7.3       UNKNOWN	      

PKS_Label (PVuuid)                           status           Device          
pvuuid:706aa87a-e4d0-f2ec-3999-2631162226d2  VALID KEY        hdisk3

PKS_Label (objects)
ksvr:gpfs-pw-t2
pksclean
Syntax
hdcryptmgr pksclean [ -h ] <pks_label>
Removes an invalid key from the PKS. Specify the PKS label that is associated with the invalid key that you want to remove. This command must be used to remove the keys that are listed in the hdcryptmgr pksshow command output with the status as UNKNOWN.
pksexport
Syntax
hdcryptmgr pksexport [-h] -p ExportFile device
Exports the PKS keys into the specified file. If you specify a logical volume or physical volume device name, the PKS key that is associated with the specified logical volume or physical volume is exported. If you specify a VG device name, all PKS keys that are associated with the logical volumes in the volume group are exported.
Note: You can export the PKS keys of multiple devices into the same file. In AIX 7.3.0, the existing file content is overwritten by the newly exported content. Therefore, using different passwords does not cause any problems. In AIX 7.3.1, and later, the new content is appended to the end of the existing file content. Therefore, you must use the same password for all the devices otherwise the pksimport command fails.
pksimport
Syntax
hdcryptmgr pksimport [-h] -p ExportFile [device]
Imports the PKS keys from the specified file. If you specify a logical volume or physical volume device name, only the PKS key that is associated with that logical volume or physical volume is imported. If you specify a VG device name, all PKS keys that are associated with the logical volumes in the volume group are imported. If you do not specify a device name, all PKS keys in the file are imported.
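The following script is an added example and not part of the IBM documentation. It reads hdcryptmgr pksshow output (layout as shown above), lists the labels whose status is UNKNOWN, and either prints or runs the matching hdcryptmgr pksclean commands. The sample input is the pksshow output from this page, embedded as a constructed string; the dry-run form is the one to run first, so the list of labels can be reviewed before any key is removed from the firmware keystore.

```sh
#!/bin/sh
# Added example: find stale PKS keys in "hdcryptmgr pksshow" output and plan
# (or run) the matching "hdcryptmgr pksclean" calls. Not IBM code; the pksshow
# layout is taken from the sample output on this page.

# Constructed sample, copied from the pksshow example on this page.
SAMPLE_PKSSHOW=$(cat <<'EOF'
Total PKS size: 65536 bytes
Used  PKS size: 479 bytes
Estimated encryption key slots: 747

PKS_Label (LVid)                         Status      Device
00fb293100004c0000000174c0a994b7.1       VALID       testlv
00fb293100004c0000000174c0a994b7.2       UNKNOWN
00fb293100004c0000000174c0a994b7.3       UNKNOWN

PKS_Label (PVuuid)                           status           Device
pvuuid:706aa87a-e4d0-f2ec-3999-2631162226d2  VALID KEY        hdisk3

PKS_Label (objects)
ksvr:gpfs-pw-t2
EOF
)

# pks_unknown_labels reads pksshow output on stdin and prints the labels whose
# status column is UNKNOWN, one per line. Only those keys are candidates for
# pksclean; VALID keys belong to a volume that still references them.
pks_unknown_labels() {
    awk '$2 == "UNKNOWN" { print $1 }'
}

# pks_clean_unknown [-n] reads pksshow output on stdin and runs
# "hdcryptmgr pksclean <label>" for each UNKNOWN label. With -n it only
# prints the commands, which is the form to run first and review.
pks_clean_unknown() {
    dry_run=0
    if [ "$1" = "-n" ]; then dry_run=1; fi
    labels=$(pks_unknown_labels)
    if [ -z "$labels" ]; then
        echo "no UNKNOWN PKS keys to clean"
        return 0
    fi
    for label in $labels; do
        if [ "$dry_run" -eq 1 ]; then
            echo "would run: hdcryptmgr pksclean $label"
        else
            hdcryptmgr pksclean "$label" || return 1
        fi
    done
}

# Demo (dry run) on the constructed sample. On a live system use:
#   hdcryptmgr pksshow | pks_clean_unknown -n
printf '%s\n' "$SAMPLE_PKSSHOW" | pks_clean_unknown -n
```

Run hdcryptmgr pksexport before the non-dry-run form if the keys might still be needed elsewhere: pksclean removes the key from the keystore, and a label shows UNKNOWN only because no volume on this system currently references it.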

Converting the encryption status of the logical volume

You can convert a regular logical volume to an encrypted logical volume, and an encrypted logical volume to a regular logical volume. You can perform this conversion operation only on the logical volume that is active and online.
Warning: Back up your data before you run the following conversion commands.
Note: Converting the encryption status is not supported for the active boot logical volume or for logical volumes of type dump, paging, or aio_cache.
The rootvg must have at least one free partition to convert the encryption status of its logical volumes in either direction. When you convert a logical volume in the rootvg, the hdcryptmgr command creates a recovery logical volume to store the recovery data that is generated during the conversion. For logical volumes in user volume groups, the hdcryptmgr command stores the recovery data in a recovery file instead. Do not interrupt the conversion process (for example, by sending it the SIGKILL signal): an interrupted conversion can leave the logical volume in a dirty state. If a logical volume that is required for the boot process is in a dirty state, the logical partition might not start, and it must be repaired or recovered in maintenance mode. You can use the following action parameters to change the encryption status:
plain2crypt
Syntax
hdcryptmgr plain2crypt [-h] [-e algo_detail] [-n name] [-f] device
Enables encryption in a logical volume, configures the encryption settings, and encrypts the logical volume data. This action parameter can be specified with the following flags and values:
-e
Specifies the data encryption algorithm, mode, and key length. The following are the valid values of the -e flag:
prompt
Specifies that the encryption algorithm details are prompted when the command runs.
[algorithm]:[b|B][key_len][:w]
Specifies the encryption algorithm details. The supported algorithm is AES in XTS mode (AES-XTS) with a 128-bit or 256-bit key. The key_len variable is the key length; the b prefix (default) gives the length in bits and B gives it in bytes. The :w suffix overwrites the default values of the volume group with the specified values. When a volume group or physical volume is created with encryption enabled, the default algorithm is AES-XTS with a 128-bit key.
-n
Specifies a name for the key-protection method. A name can be 1 to 15 characters long and can contain only the characters A - Z, a - z, 0 - 9, underscore (_), minus sign (-), or period (.). All the other characters are considered invalid.
-f
Specifies the force option. If you do not use this flag, the hdcryptmgr command prompts you to confirm that data is backed up. The force option suppresses this prompt.
device
Specifies the device name of the logical volume for which the encryption status must be converted.
crypt2plain
Syntax
hdcryptmgr crypt2plain [ -h ] [ -f ] device
Decrypts the encrypted data of the specified logical volume and disables the encryption status of the specified logical volume. This action parameter can be specified with the following flags and values:
-f
Specifies the force option. If you do not use this flag, the hdcryptmgr command prompts you to confirm that data is backed up. The force option suppresses this prompt.
device
Specifies the device name of the logical volume for which the encryption status must be converted.
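The following script is an added example and not part of the IBM documentation. It turns the restrictions stated in this section into a pre-flight check that runs before hdcryptmgr plain2crypt: it rejects the logical volume types that cannot be converted, requires a free partition in rootvg for the recovery logical volume, and refuses when hdcryptmgr showconv already lists the volume (running, or stopped in a dirty state). It assumes that lslv prints TYPE: and VOLUME GROUP: fields and that lsvg prints a FREE PPs: field as in the constructed samples below, and that a dump logical volume reports TYPE: sysdump; the sample outputs are constructed, with the showconv sample taken from this page.

```sh
#!/bin/sh
# Added example: pre-flight checks before "hdcryptmgr plain2crypt <lv>".
# Not IBM code. It encodes the restrictions stated on this page (unsupported LV
# types, a free partition in rootvg, no conversion already in progress or left
# dirty). Assumptions: lslv prints "TYPE:" and "VOLUME GROUP:" fields and lsvg
# prints "FREE PPs:" as shown in the constructed samples below, and a dump LV
# reports TYPE: sysdump. All sample outputs below are constructed.

SAMPLE_LSLV_HD3='LOGICAL VOLUME:     hd3                    VOLUME GROUP:   rootvg
VG STATE:           active/complete        LV STATE:       opened/syncd
TYPE:               jfs2                   WRITE VERIFY:   off'
SAMPLE_LSVG_ROOTVG='MAX LVs:            256                      FREE PPs:       0 (0 megabytes)'
SAMPLE_SHOWCONV='NAME          TID/STATUS       %ENCRYPTED       DIRECTION        START_TIME
lv03          29557045         3                plain2crypt      Sun Feb 14 09:43:10 2021
fslv00        stopped/dirty    1                plain2crypt'

# Field extractors; each reads one command's output on stdin.
lv_type_from_lslv()  { awk '/^TYPE:/ { print $2; exit }'; }
vg_from_lslv()       { awk '/VOLUME GROUP:/ { print $NF; exit }'; }
free_pps_from_lsvg() {
    awk 'match($0, /FREE PPs: *[0-9]+/) {
             s = substr($0, RSTART, RLENGTH); sub(/FREE PPs: */, "", s); print s; exit
         }'
}
# conversion_listed LV: exit 0 if LV appears in showconv output (running or stopped).
conversion_listed()  { awk -v lv="$1" 'NR > 1 && $1 == lv { found = 1 } END { exit !found }'; }
# showconv_dirty: print the LVs whose conversion stopped in a dirty state.
showconv_dirty()     { awk 'NR > 1 && $2 == "stopped/dirty" { print $1 }'; }

# plain2crypt_preflight LV LSLV_OUTPUT LSVG_OUTPUT SHOWCONV_OUTPUT
# Prints one REFUSE line per failed check; returns 0 only when all checks pass.
plain2crypt_preflight() {
    lv=$1; lslv_out=$2; lsvg_out=$3; showconv_out=$4; problems=0
    lv_type=$(printf '%s\n' "$lslv_out" | lv_type_from_lslv)
    vg=$(printf '%s\n' "$lslv_out" | vg_from_lslv)
    case $lv_type in
        boot|dump|sysdump|paging|aio_cache)
            echo "REFUSE: $lv has type $lv_type, which cannot be converted"
            problems=$((problems + 1)) ;;
        "")
            echo "REFUSE: could not read the type of $lv from the lslv output"
            problems=$((problems + 1)) ;;
    esac
    if [ "$vg" = "rootvg" ]; then
        free=$(printf '%s\n' "$lsvg_out" | free_pps_from_lsvg)
        if [ "${free:-0}" -lt 1 ]; then
            echo "REFUSE: rootvg has no free partition for the recovery logical volume"
            problems=$((problems + 1))
        fi
    fi
    if printf '%s\n' "$showconv_out" | conversion_listed "$lv"; then
        echo "REFUSE: $lv is already listed by hdcryptmgr showconv (running or stopped/dirty)"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then
        echo "OK: $lv (type $lv_type, VG $vg) passed; back up its data, then run: hdcryptmgr plain2crypt $lv"
        return 0
    fi
    return 1
}

# Demo on the constructed samples. On a live system pass real output:
#   plain2crypt_preflight hd3 "$(lslv hd3)" "$(lsvg rootvg)" "$(hdcryptmgr showconv)"
plain2crypt_preflight hd3 "$SAMPLE_LSLV_HD3" "$SAMPLE_LSVG_ROOTVG" "$SAMPLE_SHOWCONV" || :
printf '%s\n' "$SAMPLE_SHOWCONV" | showconv_dirty
```

The checks are deliberately read-only: the function takes command output as arguments instead of calling plain2crypt itself, so it can be run on a production LPAR (or against saved output) without side effects, and the final OK line still leaves the backup and the actual conversion to the operator.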

Managing the physical volume encryption

A physical volume encryption protects user data by encrypting data that is written to the physical volume. The base operating system performs physical volume data encryption and decryption during I/O operations. For more information about the physical volume encryption, see Encrypted physical volumes.

Note: If you enable or disable encryption of a shared physical volume by using the pvenable or pvdisable action parameter on one logical partition (LPAR), run the rmdev and mkdev commands for the shared physical volume on the other LPARs, or restart the other LPARs, so that they recognize the changed encryption state of the shared physical volume.

You can run the following action parameters of the hdcryptmgr command on encrypted physical volumes:

pvenable
Syntax:
hdcryptmgr pvenable [ -h ] [ -e algo_detail ] [ -n name ] [ -f ] device
Enables encryption on a physical volume, configures the primary key, and initializes the first authentication method.
-h
Displays help information.
-e
Specifies the data encryption algorithm, mode, and key length. The following are the valid values of the -e flag:
prompt
Specifies that the encryption algorithm details are prompted when the command runs.
[algorithm]:[b|B][key_len][:w]
Specifies the encryption algorithm details. The supported algorithm for physical volumes is AES in XTS mode (AES-XTS) with a 128-bit or 256-bit key. The key_len variable is the key length; the b prefix (default) gives the length in bits and B gives it in bytes. The :w suffix overwrites the default values of the volume group with the specified values. When you create a volume group or physical volume with data encryption enabled, the default algorithm is AES-XTS with a 128-bit key.
-n
Specifies a name for the key-protection method. The name can be 1 to 15 characters long and can contain only the characters A - Z, a - z, 0 - 9, underscore (_), minus sign (-), or period (.). All other characters are invalid.
-f
Specifies the force option. If you do not use the -f flag, the hdcryptmgr command prompts you to confirm that the existing data on the physical volume can be discarded before encryption is enabled.
device
Specifies the name of the physical volume on which encryption is enabled.
pvdisable
Syntax:
hdcryptmgr pvdisable [ -h ] [ -f ] device
Disables the physical volume encryption.
-h
Displays the help information.
-f
Specifies the force option. If you do not use the -f flag, the hdcryptmgr command prompts you to confirm that the existing data on the physical volume can be discarded before encryption is disabled.
device
Specifies the name of the physical volume on which encryption is disabled.
pvsavemd
Syntax:
hdcryptmgr pvsavemd [-h] -p file device
Saves the physical volume encryption metadata to a file. When encryption is enabled on a physical volume by using the pvenable action parameter, the AIX operating system reserves space on the physical volume to store encryption metadata. The encryption metadata is used when the physical volume is unlocked for I/O operations. The pvsavemd action parameter saves a copy of the encryption metadata. The pvrecovmd action parameter validates the encryption metadata and boot record and also restores encryption metadata from a previously saved file.
Note: The pvsavemd and pvrecovmd action parameters save and recover only the encryption metadata on the physical volume. The pvsavemd action parameter does not save external data such as the encryption details stored in PKS keys or in an external key server. The encryption details must be backed up separately.
-h
Displays the help information.
-p
Specifies the file path to save the encryption metadata.
device
Specifies the name of the physical volume from which the encryption metadata is copied to a specified file.
pvrecovmd
Syntax:
hdcryptmgr pvrecovmd [-h] [-c] [-f] [-v] [-p File] device
The pvrecovmd action parameter verifies the encryption metadata on an encrypted physical volume and attempts to restore any corrupted encryption metadata.

The encrypted physical volume has two copies of the encryption metadata. The pvrecovmd action parameter validates and compares the copies of the encryption metadata in the physical volume. If one of the encryption metadata copy is incorrect, the pvrecovmd action parameter overwrites the incorrect encryption metadata with the correct encryption metadata. The pvrecovmd action parameter verifies the boot record and includes the correct tag in the boot record to indicate that the physical disk is encrypted. If you specify a file with previously saved encryption metadata, the pvrecovmd action parameter uses the content of the specified file to restore the encryption metadata on the physical volume.

-h
Displays the help information.
-f
Specifies the force option. If the encryption metadata has issues that can be corrected, the pvrecovmd action parameter prompts you to confirm before the hdcryptmgr command corrects the corrupted encryption metadata. If the -f flag is specified, the pvrecovmd action parameter writes to the physical volume without the prompt.
-v
Specifies a verbose mode. Prints a more detailed output if the physical volume device name is specified.
-p
Specifies the file path of the file that contains metadata that is saved by the pvsavemd command.
-c
Checks the encryption metadata on the physical volume, but does not update the physical volume.
device
Specifies the name of the physical volume for which encryption metadata is verified.
Use the pvrecovmd action parameter only on an encryption-enabled physical volume. If you run it on an unencrypted physical volume, the hdcryptmgr command might overwrite the user data on that physical volume.
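The following script is an added example and not part of the IBM documentation. It wraps pvsavemd and the check-only form of pvrecovmd into a backup routine that stores the metadata copy with restrictive permissions, refuses to overwrite an earlier copy, and fails loudly when the saved file is empty. Only the two action parameters documented above are used; the directory layout, the file naming and the stand-in hdcryptmgr function (used only when the real command is absent, so the example can be exercised off an AIX host) are this example's own assumptions.

```sh
#!/bin/sh
# Added example: back up and verify encrypted physical volume metadata with
# "hdcryptmgr pvsavemd" and "hdcryptmgr pvrecovmd -c". Not IBM code. Only the
# two action parameters documented on this page are used; directory layout,
# file naming and the stand-in below are this example's own choices.

# backup_pv_metadata PV DIR
# Saves the encryption metadata of PV into DIR under a timestamped name,
# creates the file with mode 0600 (the metadata is recovery material), never
# overwrites an existing copy, and fails if the saved file is empty.
# Prints the path of the saved file on success.
backup_pv_metadata() {
    pv=$1; dir=$2
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod 700 "$dir"
    out="$dir/$pv.$(date -u +%Y%m%dT%H%M%SZ).pvmd"
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    # umask 077 in a subshell: the file pvsavemd creates gets mode 0600
    # without changing the caller's umask.
    if ! ( umask 077 && hdcryptmgr pvsavemd -p "$out" "$pv" ); then
        echo "hdcryptmgr pvsavemd failed for $pv" >&2
        rm -f "$out"
        return 1
    fi
    if [ ! -s "$out" ]; then
        echo "saved metadata file $out is empty" >&2
        rm -f "$out"
        return 1
    fi
    printf '%s\n' "$out"
}

# verify_pv_metadata PV
# Check-only run of pvrecovmd: compares the two on-disk metadata copies and the
# boot record tag without writing to the disk. Returns pvrecovmd's status.
verify_pv_metadata() {
    hdcryptmgr pvrecovmd -c "$1"
}

# Constructed stand-in, defined only when the real command is not installed
# (for example, when reading this on a non-AIX host): pvsavemd writes a
# placeholder file and pvrecovmd -c reports success.
HDCRYPTMGR_STUBBED=0
if ! command -v hdcryptmgr >/dev/null 2>&1; then
    HDCRYPTMGR_STUBBED=1
    hdcryptmgr() {
        case $1 in
            pvsavemd)  printf 'constructed placeholder metadata for %s\n' "$4" > "$3" ;;
            pvrecovmd) : ;;
            *) echo "stand-in: unsupported action $1" >&2; return 1 ;;
        esac
    }
fi

# Live usage:  f=$(backup_pv_metadata hdisk3 /var/adm/pvmd) && verify_pv_metadata hdisk3
# The demo below runs only against the stand-in, never against a real disk.
if [ "$HDCRYPTMGR_STUBBED" -eq 1 ]; then
    demo_dir="${TMPDIR:-/tmp}/pvmd-demo.$$"
    f=$(backup_pv_metadata hdisk3 "$demo_dir") && verify_pv_metadata hdisk3 && echo "saved and verified: $f"
    rm -rf "$demo_dir"
fi
```

The saved file covers only the on-disk encryption metadata, as the pvsavemd note above states: PKS keys (hdcryptmgr pksexport) and key server material must be backed up separately, and the metadata copy should be stored with the same care as those, since together they are what unlocks the disk.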

Commands and function restrictions for encrypted logical volume

For more information about the logical volume commands or functions that are not supported when the logical volume is encrypted, see the Limitations section in Encrypting logical volumes.

Examples

Scenario: Creating an encrypted logical volume with the passphrase key-protection method
  1. Create a volume group in which encryption is enabled.
    # mkvg -k y hdisk1 hdisk2
    vg00
  2. Create an encrypted logical volume with a size of 32 MB.
    # mklv -k y vg00 32M
    mklv: Please run :
    # hdcryptmgr authinit lvname [..] to define LV encryption options.
    lv00
  3. Initialize the encryption configuration on the logical volume by using a primary key and the passphrase key-protection method.
    # hdcryptmgr authinit -n default lv00
    Enter Passphrase:
    Confirm Passphrase:
    Password authentication method added successfully
Scenario: Creating a file system in an encrypted logical volume
  1. Create a volume group in which encryption is enabled, and then create a logical volume with a size of 32 MB, and then initialize the encryption configuration for the logical volume.
    # mkvg -k y hdisk1 hdisk2
    vg00
    # mklv -t jfs2 -k y vg00 32M
    mklv: Please run :
    # hdcryptmgr authinit lvname [..] to define LV encryption options.
    fslv00
    # hdcryptmgr authinit -n default fslv00
    Enter Passphrase:
    Confirm Passphrase:
    Password authentication method added successfully
  2. Create a file system in the encrypted logical volume similar to creating it in a regular logical volume.
    # crfs -v jfs2 -d fslv00 -m /mnt/myfs -A no
    File system created successfully.
    32560 kilobytes total disk space.
    New File System size is 65536
Scenario: Authenticating to a logical volume in which encryption is enabled
When the volume group is varied off or the system is restarted, the authentication to the encrypted logical volume expires. Authenticate to the encrypted logical volume to access its data. Use the configured key-protection method for the encrypted logical volume. To authenticate an encryption-enabled logical volume, complete the following steps:
  1. Vary on the VG.
    # varyonvg vg00
    varyonvg: 1 encrypted LV defined in VG vg00.
    To check if a LV is encrypted and if it is unlocked, use:
            hdcryptmgr showlv vgname    or
            hdcryptmgr showlv lvname
    In order to unlock a LV, use:
            hdcryptmgr authunlock lvname
  2. Authenticate by using the passphrase key-protection method.
    # hdcryptmgr authunlock -t pwd fslv00
    Enter Passphrase:
    Password authentication succeeded
Scenario: Repairing corrupted PKS keys in encrypted logical volumes that are required to boot the operating system

If an encrypted logical volume is required to boot the operating system, the logical volume must have a valid PKS key; otherwise, the boot process fails. In that case, you must boot the LPAR in maintenance mode. The following instructions apply when you boot the operating system in maintenance mode from a NIM server. In this example, the hdisk0 disk contains the rootvg, and the PKS key of the hd3 logical volume is corrupted.
  1. Select 3 in the following screen:
           Maintenance 
    
    Type the number of your choice and press Enter.
    
        1 Access a Root Volume Group 
        2 Copy a System Dump to Removable Media
    >>> 3 Access Advanced Maintenance Functions
        4 Erase Disks
        5 Configure Network Disks (iSCSI)
        6 Select Storage Adapters
  2. Select 0 in the following screen:
    Information for Advanced Maintenance Functions
    
    -------------------------------------------------------------------------------
     To return to the Maintenance Menu after completing maintenance
     activities, type exit on the command line and press Enter.
    
    -------------------------------------------------------------------------------
    
     Type the number of your choice and press Enter.
    
    >>> 0 Enter the Limited Function Maintenance Shell
    
  3. Run the following command to repair the encrypted logical volume:
    # LIBPATH=/SPOT/usr/lib:$LIBPATH
    # importvg hdisk0
    # hdcryptmgr32 authunlock hd3
    # hdcryptmgr32 authdel -t pks hd3
    # hdcryptmgr32 authadd -t pks -n initpks hd3
  4. Repeat the commands in step 3 for every encrypted logical volume that needs repair.
Scenario: Recovering an aborted conversion operation of a logical volume that is required to boot the operating system

If a conversion of a regular logical volume to an encrypted logical volume, or of an encrypted logical volume to a regular logical volume, is stopped, you can resume the conversion by rerunning the same hdcryptmgr conversion command that you issued earlier. The command reads the conversion recovery information and continues the conversion from the point where the previous run stopped. This works regardless of whether the logical volume is used in the boot process. However, if the LPAR restarts while a conversion is in progress, the logical volume is left in a dirty state (for example, the data block that was being converted is only partially encrypted). If that logical volume is required to boot the operating system, the restart fails. In such a scenario, you must boot the LPAR in maintenance mode and resume the conversion operation from there.

The following instructions assume that you boot the operating system in maintenance mode from a NIM server. In this example, the hdisk0 disk contains the rootvg, and the hd3 logical volume is in a dirty state because a plain2crypt conversion was aborted. Rerun the same conversion command that was interrupted.
  1. Select 3 Access Advanced Maintenance Functions in the Maintenance menu.
  2. Select 0 Enter the Limited Function Maintenance Shell in the Advanced Maintenance Functions.
  3. Run the following commands:
    # LIBPATH=/SPOT/usr/lib:$LIBPATH
    # importvg hdisk0
    # hdcryptmgr32 plain2crypt hd3
Scenario: Creating an encrypted physical volume
When you create an encrypted physical volume, a passphrase key-protection method is added to the encrypted physical volume by default. You can enable encryption for a physical volume (hdisk3) by using the following command:
# hdcryptmgr pvenable -f hdisk3
Enter Passphrase: 
Confirm Passphrase: 
Passphrase authentication method with name "initpwd" added successfully.

The -f flag indicates that the hdcryptmgr pvenable command can overwrite the data in the physical volume without prompting for a confirmation; any existing data on hdisk3 is lost, so back it up first if you still need it. After the hdcryptmgr pvenable command runs successfully, the physical volume is enabled for encryption and is unlocked for I/O operations. Any data that is written to the encrypted physical volume is encrypted and any data that is read from the encrypted physical volume is decrypted.

Scenario: Checking and correcting encrypted volume metadata
The hdcryptmgr pvrecovmd -c command validates the encryption metadata on an encrypted physical volume. If the physical volume has two copies of the encryption metadata, the pvrecovmd action parameter validates and compares both copies of the encryption metadata.
To validate the encryption metadata on a physical volume (hdisk24), enter the following command:
# hdcryptmgr pvrecovmd -cv hdisk24
If both copies of encryption metadata on the physical volume (hdisk24) are valid, the following message is displayed:
Metadata area 1 is valid.
Metadata area 2 is valid.
IPL record is valid for an encrypted disk.
All encryption fields for disk hdisk24 are valid.
Check of metadata on PV hdisk24 is complete.
pvrecovmd action complete.
If any copy of the encryption metadata on the physical volume (hdisk24) is corrupted, the following message is displayed:
Metadata area 1 is valid.
Disk metadata copy #2 is corrupt.
IPL record is valid for an encrypted disk.
Check of metadata on PV hdisk24 is complete.
pvrecovmd action complete.
To overwrite the corrupted encryption metadata with the correct encryption metadata on the physical volume (hdisk24), enter the following command:
# hdcryptmgr pvrecovmd -v hdisk24
The hdcryptmgr pvrecovmd command displays the following message and prompts you to confirm whether the corrupted encryption metadata can be overwritten:
Metadata area 1 is valid.
Disk metadata copy #2 is corrupt.
IPL record is valid for an encrypted disk.
Preparing to write the following fields to the disk:
    Backup metadata
Warning, about to write to disk hdisk24
Do you wish to continue?  y(es) or n(o)?
If you want to overwrite the corrupted encryption metadata, enter y. The hdcryptmgr pvrecovmd command overwrites the corrupted encryption metadata with the correct encryption metadata and displays the following message:
Encrypted disk recovery attempt complete.
pvrecovmd action complete.
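The read-only check (-c) never writes to the disk, so it is safe to run unattended, while the repair prompts for confirmation and must stay interactive. The following script is an added example, not part of the IBM page or of the hdcryptmgr command: it classifies the output of hdcryptmgr pvrecovmd -cv so that a scheduled job can flag physical volumes whose backup metadata copy has become corrupt, and leaves the actual repair to an administrator. The two sample outputs are constructed from the messages shown above; the function names (classify_pvrecovmd, check_pv) and the ok/corrupt/unknown status words are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the IBM documentation or the hdcryptmgr tool.
# Classifies the output of "hdcryptmgr pvrecovmd -cv <hdisk>" so that a
# scheduled, non-interactive job can report PVs that need the interactive
# repair ("hdcryptmgr pvrecovmd -v <hdisk>") without ever writing to disk.

# Constructed sample output, copied from the two cases the page documents.
SAMPLE_OK='Metadata area 1 is valid.
Metadata area 2 is valid.
IPL record is valid for an encrypted disk.
All encryption fields for disk hdisk24 are valid.
Check of metadata on PV hdisk24 is complete.
pvrecovmd action complete.'

SAMPLE_BAD='Metadata area 1 is valid.
Disk metadata copy #2 is corrupt.
IPL record is valid for an encrypted disk.
Check of metadata on PV hdisk24 is complete.
pvrecovmd action complete.'

# classify_pvrecovmd: reads check output on stdin and prints one status word.
# Return codes: 0 = all copies valid (ok), 1 = a copy is corrupt (corrupt),
# 2 = the check did not complete or the output is unrecognised (unknown).
# "unknown" is deliberately not treated as healthy: a truncated or failed
# check must not be mistaken for a clean result.
classify_pvrecovmd() {
    out=$(cat)
    # The check must have run to completion for any verdict to count.
    case "$out" in
        *"Check of metadata on PV "*" is complete."*) ;;
        *) echo unknown; return 2 ;;
    esac
    # Any corrupt metadata copy wins over the remaining "is valid" lines.
    case "$out" in
        *" is corrupt."*) echo corrupt; return 1 ;;
    esac
    # Only the summary line confirms that every encryption field is valid.
    case "$out" in
        *"All encryption fields for disk "*" are valid."*) echo ok; return 0 ;;
    esac
    echo unknown; return 2
}

# check_pv: runs the read-only check on a real PV (hypothetical helper; only
# usable on an AIX system where hdcryptmgr is installed). Never runs the
# repair, so it is safe in cron. Usage: check_pv hdisk24
check_pv() {
    hdcryptmgr pvrecovmd -cv "$1" 2>&1 | classify_pvrecovmd
}
```

On a real system, run `check_pv hdisk24` (or loop over the PVs from `lspv`) and alert on any result other than ok; the repair itself stays a manual step because hdcryptmgr pvrecovmd asks for confirmation before it writes.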

Files

/usr/sbin/hdcryptmgr
Contains the hdcryptmgr command.