Encrypted logical volumes

Logical volume (LV) encryption protects data exposure because of lost or stolen hard disk drives or because of inappropriately decommissioned computers. The base operating system performs LV data encryption and decryption during I/O operations. Applications that perform the I/O operations by using the file system interfaces or LV device interfaces can use the protected data without any modifications.

You must have the following filesets installed to encrypt the LV data. These filesets are included in the base operating system.

  • bos.hdcrypt
  • bos.kmip_client
  • bos.rte.lvm
  • security.acf
  • openssl.base

Configuring LV encryption

Starting from IBM® AIX® 7.2 with Technology Level 5, you can manage all the LV encryption operations by using the hdcryptmgr command.

LV encryption enhancements

Starting from AIX 7.3, the following enhancements are added to the LV encryption function:
  • You can encrypt LVs in the root volume group (rootvg) that are used in the boot process. You must select the LV encryption option during the installation of the base operating system. For more information, see BOS installation options.
  • After the base operating system installation, you can use the hdcryptmgr conversion commands to change the encryption setting of an LV. However, the conversion of an LV in the rootvg differs from the conversion of an LV in a user volume group. When you run the hdcryptmgr conversion command to change the encryption status of an LV in the rootvg, the hdcryptmgr command creates an LV to store the conversion recovery data; therefore, the rootvg must have at least one free partition for the conversion to succeed. When the conversion completes successfully, the LV that contains the conversion recovery data is deleted. When you run the hdcryptmgr conversion command to change the encryption status of an LV in a user volume group, the hdcryptmgr command stores the conversion recovery data in a file in the /var/hdcrypt directory instead.
  • When the rootvg is varied on, the network is not available. Hence, the Platform Keystore (PKS) authentication method must be available for LVs that are used in the boot process. If the PKS authentication method is not available for an encrypted LV in the rootvg, the LV remains locked and is not accessible until it is explicitly unlocked later. Also, you cannot delete a valid PKS authentication method from an LV in the rootvg that is used in the boot process. If you convert an unencrypted LV that is used in the boot process to an encrypted LV, the PKS authentication method is automatically added to the LV. If the PKS authentication method is not available or is corrupted for an encrypted LV that is used in the boot process, you must boot the operating system in maintenance mode and repair the PKS authentication method before you can resume the normal boot operation.
  • The following commands are enhanced to support LV encryption: cplv, splitvg, splitlvcopy, chlvcopy, snapshot, savevg, and restvg.
  • You can encrypt an LV in concurrent mode. If you change the encryption status of an LV in a node that is in concurrent mode, you cannot access the other nodes until the encryption conversion is complete.
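The rootvg conversion rule above (the recovery LV needs at least one free partition) is easy to check before running the hdcryptmgr conversion command. The following script is an added example and not part of the IBM documentation: it parses the FREE PPs field of lsvg output and refuses to proceed when the volume group is full. The lsvg field layout is the real AIX format, but the two sample outputs are constructed for offline use, and the hdcryptmgr invocation itself is only mentioned in the usage comment.

```shell
#!/bin/sh
# Added example, not from the IBM documentation.
# Pre-flight check before converting an LV in rootvg: the conversion
# recovery data is stored in a new LV, so rootvg needs >= 1 free PP.

# Constructed sample of "lsvg rootvg" output with 12 free partitions.
SAMPLE_LSVG='VOLUME GROUP:       rootvg                   VG IDENTIFIER:  00f8-example-vgid
VG STATE:           active                   PP SIZE:        64 megabyte(s)
VG PERMISSION:      read/write               TOTAL PPs:      1023 (65472 megabytes)
MAX LVs:            256                      FREE PPs:       12 (768 megabytes)
LVs:                17                       USED PPs:       1011 (64704 megabytes)'

# Constructed sample of a fully allocated rootvg (no free partitions).
SAMPLE_LSVG_FULL='VOLUME GROUP:       rootvg                   VG IDENTIFIER:  00f8-example-vgid
VG STATE:           active                   PP SIZE:        64 megabyte(s)
VG PERMISSION:      read/write               TOTAL PPs:      1023 (65472 megabytes)
MAX LVs:            256                      FREE PPs:       0 (0 megabytes)
LVs:                17                       USED PPs:       1023 (65472 megabytes)'

# free_pps LSVG_OUTPUT: print the FREE PPs count found in lsvg output.
# lsvg prints two "KEY: value" pairs per line, so split on ":" and take
# the first whitespace-separated token of the last field.
free_pps() {
    printf '%s\n' "$1" | awk -F: '/FREE PPs/ { split($NF, a, " "); print a[1]; exit }'
}

# conversion_preflight LSVG_OUTPUT: return 0 when the VG can hold the
# recovery LV, 1 when it has no free partition, 2 when parsing failed.
conversion_preflight() {
    n=$(free_pps "$1")
    case "$n" in
        ''|*[!0-9]*) echo "could not parse FREE PPs from lsvg output" >&2; return 2 ;;
    esac
    if [ "$n" -lt 1 ]; then
        echo "rootvg has no free partition; the conversion recovery LV cannot be created" >&2
        return 1
    fi
    echo "rootvg has $n free PP(s); conversion can proceed"
    return 0
}

# On a live AIX system (not executed here) the check would gate the conversion:
#   conversion_preflight "$(lsvg rootvg)" && hdcryptmgr <conversion command> <lv>
conversion_preflight "$SAMPLE_LSVG"
```

The check deliberately fails closed: an unparseable lsvg output returns a distinct status (2) rather than being treated as "enough space", so an operator script that wraps the conversion never proceeds on unknown input.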

Limitations of encrypted LV

If an LV is encrypted, the following LV commands or functions are not supported:

  • AIX Live Update: The Live Update operation is not supported if LV encryption is enabled.
  • I/O serialization: I/O serialization is not guaranteed while the LV encryption conversion is in progress.

File system consideration for encrypted LV

Consider the following items when you create or modify file systems associated with an encrypted LV:

  • When you create or mount a file system on to an encrypted LV, ensure that the encrypted LV is unlocked and activated.
  • If an encrypted LV that hosts a file system exported through the Network File System (NFS) by an entry in the /etc/exports file is not unlocked during system boot, the mount operation for that file system fails and the export table is not updated with the entry from the /etc/exports file. After the encrypted LV is unlocked and the file system is mounted, run the exportfs -a command to export the file systems that are listed in the /etc/exports file.
  • In Enhanced Journaled File System (JFS2), a single log device can be shared across multiple file systems. If the log device is shared across multiple file systems and the LV that those file systems use is encrypted, the LV must be unlocked before any of the file systems can be mounted.