Encrypted logical volumes

Logical volume (LV) encryption protects against data exposure caused by lost or stolen hard disk drives or by inappropriately decommissioned computers. The base operating system performs LV data encryption and decryption during I/O operations. Applications that perform I/O operations by using the file system interfaces or logical volume device interfaces can use the protected data without any modifications.

You must have the following filesets installed to encrypt the LV data. These filesets are included in the base operating system.

  • bos.hdcrypt
  • bos.kmip_client
  • bos.rte.lvm
  • security.acf
  • openssl.base

Configuring LV encryption

Starting from IBM® AIX® 7.2 with Technology Level 5, you can manage all the LV encryption operations by using the hdcryptmgr command.

Limitations of encrypted LV

If an LV is encrypted, the following LV commands or functions are not supported:

cplv command
When the cplv command creates a logical volume, the LV is not encrypted. As a workaround, you can create a logical volume in which encryption is enabled by using the mkvg -k y command and initialize it. You can then use the cplv command to copy the contents of the source LV into the LV in which encryption is enabled.
splitvg command and joinvg command
When you use the splitvg command, the mirrored volume group (VG) is split into a primary VG and a snapshot VG. The platform keystore (PKS) and key file authentication methods cannot be used on the snapshot VG, but they can be used on the primary VG.

You cannot remove an authentication method of a logical volume in a primary volume group. Also, you cannot add or delete an authentication method of a logical volume in a snapshot VG.

splitlvcopy command
The splitlvcopy command is not supported on an encrypted logical volume.
chlvcopy command
The chlvcopy command is not supported on an encrypted logical volume.
snapshot command
When you create a snapshot of a file system that uses an encrypted LV, and if the destination LV does not exist, an LV is created in which encryption is not enabled. The source LV must be unlocked to copy the data to the destination LV.
savevg command and restvg command
When you use the savevg command or the restvg command, the VG-level encryption option is preserved. However, the LV-level encryption option is not preserved when you run the savevg command. Therefore, the restvg command re-creates logical volumes without enabling the encryption option. You can use the hdcryptmgr plain2crypt command to convert the restored LVs into encrypted LVs.
Concurrent mode
The LV encryption function is not supported when a volume group is varied on in concurrent mode.
Boot partition
LV encryption is not supported for a VG that contains the boot partition.
AIX Live Update
The Live Update operation is not supported if LV encryption is enabled.
I/O serialization
The I/O serialization is not guaranteed while the LV encryption conversion is in progress.
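
The savevg and restvg limitation above means that a restored VG can silently hold plaintext LVs. The following script is an added example, not part of the original documentation. It assumes that the administrator kept a list of the LV names that were encrypted before the backup; the lsvg -l output that is embedded in it is constructed sample data.

```shell
#!/bin/sh
# Added example: after restvg, plan the conversion of restored LVs back to
# encrypted LVs. restvg re-creates LVs without the LV-level encryption
# option, so every LV that was encrypted before savevg needs plain2crypt.
#
# Usage on AIX:  lsvg -l <vgname> | plan_reencrypt <lv> [<lv> ...]
# The LV names are the ones the administrator recorded as encrypted before
# the backup (assumption: such a list exists). Commands are printed for
# review and are not executed by this script.

plan_reencrypt() {
    # "$*" joins the expected LV names with spaces; awk splits them again.
    awk -v expected="$*" '
        BEGIN    { n = split(expected, order, " "); rc = 0 }
        FNR <= 2 { next }             # skip the "vgname:" line and header
        NF       { present[$1] = 1 }  # column 1 of lsvg -l is the LV name
        END {
            for (i = 1; i <= n; i++) {
                lv = order[i]
                if (lv !~ /^[A-Za-z0-9._-]+$/) {
                    # Never emit a command built from an unexpected name.
                    print "# INVALID " lv; rc = 1
                } else if (lv in present) {
                    print "hdcryptmgr plain2crypt " lv
                } else {
                    # Expected LV was not restored: investigate first.
                    print "# MISSING " lv; rc = 1
                }
            }
            exit rc
        }'
}

# Constructed sample of "lsvg -l datavg" output after a restvg.
sample_lsvg() {
cat <<'EOF'
datavg:
LV NAME             TYPE       LPs     PPs     PVs  LV STATE      MOUNT POINT
datalv              jfs2       10      10      1    closed/syncd  /data
loglv00             jfs2log    1       1       1    closed/syncd  N/A
applv               jfs2       20      20      1    closed/syncd  /app
EOF
}

# Demo on the constructed sample; oldlv is deliberately absent.
sample_lsvg | plan_reencrypt datalv applv oldlv || true
```

A nonzero exit status means that at least one expected LV is missing from the restored VG or has an unexpected name.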

File system consideration for encrypted LV

Consider the following items when you create or modify file systems associated with an encrypted LV:

  • When you create or mount a file system on an encrypted LV, ensure that the encrypted LV is unlocked and activated.
  • If an encrypted LV hosts a file system that is exported through the Network File System (NFS) /etc/exports file and the LV is not unlocked during system boot, the mount operation of the file system fails and the table of physical file systems in the /etc/exports file is not updated. After the encrypted LV is unlocked and the file system is mounted, you can run the exportfs -a command to update the /etc/exports file.
  • In Enhanced Journaled File System (JFS2), you can use a single log device across multiple file systems. If the log device is shared across multiple file systems and if the LV that is used by file systems is encrypted, the LV must be unlocked before file systems can be mounted.