Encrypted physical volumes

Physical volume (PV) encryption protects user data by encrypting data that is written to the physical volume. The base operating system performs physical volume data encryption and decryption during I/O operations. The data is encrypted before it is sent to an external storage area network (SAN) device, which protects the data while it resides on the SAN. Physical volume encryption also protects against data exposure from lost or stolen hard disk drives or from inappropriately decommissioned computers or storage devices. Applications that perform I/O operations can use the protected data without any modifications. The encrypted physical volumes can be used in the same way as unencrypted physical volumes. However, the rootvg volume group cannot contain any encrypted physical volumes.

You must install the following filesets to encrypt the physical volume data. These filesets are included in the base operating system.

  • bos.hdcrypt
  • bos.kmip_client
  • security.acf
  • openssl.base

Configuring PV encryption

Starting from IBM® AIX® 7.3 with Technology Level 1, you can manage physical volume encryption operations by using the hdcryptmgr command.

The size of the encrypted physical volume is smaller than the size of the physical volume before encryption because the encryption feature reserves some space on the physical volume for the encryption process. When encryption is enabled for a physical volume, any data that is stored on that physical volume is deleted and new data that is written to that physical volume is encrypted. For read operations, data from the encrypted physical volume is first decrypted. To encrypt existing data, you can allocate a new physical volume, enable encryption on the new physical volume, and then copy the existing data to the new physical volume.

Encrypted physical volumes support the same methods of key storage and retrieval as encrypted logical volumes (LVs). The key can be a typed passphrase, or it can be obtained from the platform keystore (PKS) or from a network key manager. When the key is stored in a PKS or in a network key manager, the physical volume is unlocked automatically during the boot process. The authunlock action parameter of the hdcryptmgr command can be used to manually unlock an encrypted physical volume. Any attempt to perform an I/O operation on a locked encrypted physical volume fails with a permission denied error until that physical volume is unlocked.

Limitations of encrypted PV

The encrypted physical volumes have the following restrictions:
  • The rootvg volume group must not contain any encrypted physical volume. If rootvg contains one or more encrypted physical volumes, the AIX boot process fails. The mkvg and extendvg commands prevent using encrypted physical volumes with rootvg.
  • The existing physical volumes cannot be converted from unencrypted physical volumes to encrypted physical volumes, or vice versa. Enabling encryption on a physical volume deletes all the existing data on that disk.
  • Physical volume encryption requires additional disk attributes that are provided by the AIX operating system. If a disk is defined by using object data manager (ODM) definitions from another storage vendor, new ODM definitions from that vendor must be acquired to support physical volume encryption.
  • Encrypted physical volumes can be shared with other AIX logical partitions that are running AIX 7.3 Technology Level 1, or later. Sharing an encrypted physical volume with an older level of AIX corrupts data because the older level of AIX does not recognize that the physical volume is encrypted.
  • Physical volumes that are encrypted with PKS authentication can be used as a traditional dump device if they do not belong to the rootvg volume group.
  • Encrypted physical volumes cannot be used as the destination disk when you use the alt_disk_copy and alt_disk_mksysb commands because the rootvg volume group does not support the encrypted physical volumes.
  • Only SCSI physical volumes can be encrypted. You cannot encrypt NVMe or vPMEM disks.
  • The same AIX operating system image cannot use geographical logical volume manager (GLVM) or AIX storage data caching (cache_mgt command) with other SCSI disks while using encrypted physical volumes. GLVM or storage data caching can be used with NVMe disks or with vPMEM disks.
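Because enabling encryption deletes all data on the disk and rootvg can never contain an encrypted physical volume, a pre-flight check before running the enable step is worthwhile. The following script is an added example, not code from the IBM documentation or the hdcryptmgr command; it assumes the standard column layout of `lspv` output (name, PVID, volume group, state) and takes that output and the installed-fileset list as text, so the constructed sample lines below let it run offline.

```shell
#!/bin/sh
# Added example (not from the IBM page): pre-flight check before enabling
# encryption on a physical volume. It applies two rules the page states:
#   - the PV must not belong to rootvg (rootvg cannot hold encrypted PVs)
#   - the four required filesets must be installed
# Inputs are passed as text in `lspv` / fileset-list format so the check
# can be run against captured output. The sample lines are constructed.

# Constructed `lspv`-style output: name, PVID, volume group, state
SAMPLE_LSPV='hdisk0          00f6db0a1c2d3e4f                    rootvg          active
hdisk1          00f6db0a5a6b7c8d                    datavg          active
hdisk2          none                                None'

# Constructed list of installed fileset names (one per line)
SAMPLE_FILESETS='bos.hdcrypt
bos.kmip_client
security.acf
openssl.base'

# Filesets the page lists as required for PV encryption
REQUIRED_FILESETS='bos.hdcrypt bos.kmip_client security.acf openssl.base'

# vg_of_pv DISK LSPV_TEXT -> prints the volume group of DISK (empty if absent)
vg_of_pv() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d { print $3 }'
}

# missing_filesets INSTALLED_TEXT -> prints required filesets not installed
missing_filesets() {
    for f in $REQUIRED_FILESETS; do
        printf '%s\n' "$1" | grep -qx "$f" || printf '%s\n' "$f"
    done
}

# pv_encrypt_precheck DISK LSPV_TEXT INSTALLED_TEXT
# Returns 0 if encryption may be enabled on DISK, 1 otherwise; reasons on stderr.
pv_encrypt_precheck() {
    disk=$1; lspv_text=$2; installed=$3; rc=0
    vg=$(vg_of_pv "$disk" "$lspv_text")
    if [ -z "$vg" ]; then
        echo "$disk: not found in lspv output" >&2; rc=1
    elif [ "$vg" = "rootvg" ]; then
        echo "$disk: belongs to rootvg; rootvg cannot contain encrypted PVs" >&2; rc=1
    fi
    missing=$(missing_filesets "$installed")
    if [ -n "$missing" ]; then
        echo "missing filesets:" $missing >&2; rc=1
    fi
    return $rc
}
```

On a live system the two text arguments would come from `lspv` and from the fileset names reported by lslpp; the check deliberately stops short of running any hdcryptmgr action.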

Disk backup considerations for encrypted PV

The various methods of backing up data on the physical disk have different characteristics when encrypted physical volumes are used.

If the data backup operation is running in the operating system instance, the operating system reads data and decrypts that data before sending it to the backup software. The backup media contains the decrypted user data. The metadata related to encryption is not stored in the backup media. If this backup data is restored to another physical volume, data is encrypted only if encryption is enabled for that physical volume. If encryption is not enabled for the destination physical volume, the restored data is not encrypted and can be used directly even by older levels of AIX.

If data is backed up by using a storage-device feature such as a snapshot or FlashCopy®, the data that is backed up remains encrypted. The backup data in the storage device includes both the encryption metadata and the encrypted user data. The storage-based backup is a block-for-block copy of the encrypted data, and the storage device cannot determine that the data was encrypted by the operating system.