How to create an Encrypted Volume File System

From Wiki-UX.info

Abstract

This article provides a detailed example of the basic installation and configuration procedure for the HP-UX 11i Encrypted Volume and File System, or EVFS for short.

Install EVFS product

EVFS v1.1.1 is supported on HP-UX 11i v2 Update 2 and 11i v3. Software can be obtained at:

For systems running 11i v2 Update 2, the following information may apply:

On systems with PHCO_32488 installed, you must install the patch PHCO_37228. HP strongly recommends that you install the patch PHKL_37146.

Patches on your system from a previous installation of EVFS remain valid.

After you have completed the install of all prerequisites, install the HP-UX 11i Encrypted Volume and File System Software.

# swinstall -s /var/tmp/EVFS_A.01.01.01_HP-UX_B.11.23_IA_PA.depot \*

=======  12/03/08 14:18:53 PST  BEGIN install AGENT SESSION (pid=4468)
         (jobid=<hostname>-0696)

       * Agent session started for user "root@<hostname>".
         (pid=4468)

       * Beginning Analysis Phase.
       * Source:
         <hostname>:/var/tmp/EVFS_A.01.01.01_HP-UX_B.11.23_IA_PA.depot

       * Target:           <hostname>:/
       * Target logfile:   <hostname>:/var/adm/sw/swagent.log
       * Reading source for product information.
       * Reading source for file information.
       * Executing preDSA command.
NOTE:    The used disk space on filesystem "/" is estimated to increase
         by 152 Kbytes.
         This will leave 1337704 Kbytes of available user disk space
         after the installation.
NOTE:    The used disk space on filesystem "/stand" is estimated to
         increase by 12393 Kbytes.
         This will leave 206055 Kbytes of available user disk space
         after the installation.
NOTE:    The used disk space on filesystem "/usr" is estimated to
         increase by 6992 Kbytes.
         This will leave 5214912 Kbytes of available user disk space
         after the installation.
NOTE:    The used disk space on filesystem "/var" is estimated to
         increase by 50 Kbytes.
         This will leave 8500737 Kbytes of available user disk space
         after the installation.

       * Summary of Analysis Phase:
       * 5 of 5 filesets had no Errors or Warnings.
       * The Analysis Phase succeeded.


       * Beginning the Install Execution Phase.
       * Filesets:         5
       * Files:            52
       * Kbytes:           6916
       * Installing bundle "EVFS,r=A.01.01.01" .
NOTE:    Saving the current system file at "/stand/system" to
         "/stand/system.prev"
       * The current configuration (including any changes being held for
         next boot) has been exported to /tmp/get_sysfile.4521.
NOTE:    The template file has been extracted from "/stand/vmunix"
         It has been placed in "/stand/system" where it will be used
         to build a new kernel.
       * Installing fileset "EVFS-KRN.EVFS-KRN-RUN,r=A.01.01.01" (1 of
         5).
       * The automatic 'backup' configuration has been updated.
       * /stand/system has been imported.  The changes have been applied
         to the currently running system.
       * Installing fileset "EVFS-EVS.EVFS-EVS-64SLIB,r=A.01.01.01" (2
         of 5).
       * Installing fileset "EVFS-EVS.EVFS-EVS-MAN,r=A.01.01.01" (3 of
         5).
       * Installing fileset "EVFS-EVS.EVFS-EVS-RUN,r=A.01.01.01" (4 of
         5).
NOTE:    A new version of "/etc/evfs/evfs.conf" has been installed on
         the system.
NOTE:    A new version of "/etc/evfs/evfs_cryptx.conf" has been
         installed on the system.
NOTE:    A new version of "/etc/evfs/evfstab" has been installed on the
         system.
NOTE:    A new version of "/etc/rc.config.d/evfs" has been installed on
         the system.
       * Installing fileset "EVFS-SG.EVFS-SG-RUN,r=A.01.01.01" (5 of
         5).
       * Running install clean command /usr/lbin/sw/install_clean.
NOTE:    tlinstall is searching filesystem - please be patient
NOTE:    Successfully completed

       * Beginning the Configure Execution Phase.

       * Summary of Execution Phase:
       * 5 of 5 filesets had no Errors or Warnings.
       * The Execution Phase succeeded.


=======  12/03/08 14:20:07 PST  END install AGENT SESSION (pid=4468)
         (jobid=<hostname>-0696)

Configuring an EVFS pseudouser

Check whether EVFS is installed and that the evfs user and group exist on the system. In addition, you will configure an alternative EVFS pseudouser if required.

In a rare instance, if you need to reinstall the evfs application, you cannot use the existing user name and group evfs. You will need to create the new user and group, and configure the user attribute in the /etc/evfs/evfs.conf file. In this article, tasks 3 to 5 will give you the opportunity to do this.

Task 1: Verify EVFS installation

1. Verify the installation of evfs using the swlist command.

# swlist -l product EVFS
# Initializing...
# Contacting target "rx26-209"...
#
# Target: rx26-209:/
#
# EVFS A.01.00.01 HP-UX Encrypted Volume and File System (EVFS)
EVFS.EVFS-EVS A.01.00.01 HP-UX Encrypted Volume System
EVFS.EVFS-SG A.01.00.01 HP-UX EVFS Toolkit for MC/ServiceGuard
EVFS.EVFS-KRN A.01.00.01 HP-UX EVFS Kernel Pseudo-Device Driver

Task 2: Check evfs user and group on the system

When you install EVFS, it attempts to create a user evfs and a group evfs. The evfs application uses the evfs user name and evfs internal group.

1. Verify if the user evfs exists on the system.

# pwget -n evfs
evfs:*:107:101:EVFS pseudo-user -- Do not delete or use -- Needed by HP-UX EVFS:/home/evfs:/sbin/false
# grget -g 101
evfs::101:

Task 3: Create the group

1. Create a user group reserved for the EVFS pseudouser.

# groupadd my_evfs_group

Task 4: Create the EVFS pseudouser account

1. Create a user to be used exclusively for the evfs subsystem.

# useradd -g my_evfs_group -c "EVFS pseudo-user" -d /home/my_evfs_user -s /usr/bin/false my_evfs_user

Task 5: Set the evfs_user attribute

1. Verify the default evfs_user attribute in the /etc/evfs/evfs.conf file.

# grep evfs_user /etc/evfs/evfs.conf
evfs_user = evfs_usr

2. Set the evfs_user attribute to my_evfs_user using the vi editor or any suitable editor.

Locate the evfs_user parameter in the /etc/evfs/evfs.conf file and change its value to my_evfs_user. Save the file.

# vi /etc/evfs/evfs.conf
...
evfs_user = my_evfs_user

Configuring alternative key database directories

This section shows you how to check the default key locations for the public and private keys and for the passphrases of the owner and the users. It also describes the structure of the configuration parameters for the public key, private key and passphrase, and how to configure them.

Task 1: Examine the default public and private key directories

1. Examine the default directory and the action for the public key in the /etc/evfs/evfs.conf file using the grep command.

# grep pub_key /etc/evfs/evfs.conf 
  pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue]

2. Examine the default directory and the action for the private key in the /etc/evfs/evfs.conf file using the grep command.

# grep priv_key /etc/evfs/evfs.conf 
  priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue]

3. Examine the default directory and the action for the passphrase in the /etc/evfs/evfs.conf file using the grep command.

# grep pass_key /etc/evfs/evfs.conf 
  pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue]

4. Check and understand the format of the three parameters.

pub_key = library[pkeydir:key_directory,onfail:action]...
priv_key = library[pkeydir:key_directory,onfail:action]...
pass_key = library[pkeydir:key_directory,onfail:action]...

The following lists the definitions of these parameters.

pub_key: Indicates that the attribute statement specifies EVFS behavior for the user's public keys.
priv_key: Indicates that the attribute statement specifies EVFS behavior for the user's private keys.
pass_key: Indicates that the attribute statement specifies EVFS behavior for the passphrases that secure the users' private keys.
library: Specifies the fully qualified pathname of the encryption and storage library. The valid values are:
  • /usr/lib/evfs/hpux64/libevfs_pkey.so (HP Integrity servers)
  • /usr/lib/evfs/pa20_64/libevfs_pkey.sl (HP 9000 servers)
[: Literal left square bracket.
key_directory: Specifies the fully qualified pathname of the base directory in which to store key data, such as /etc/evfs/pkey.
action: Specifies the EVFS action if attempts to write to or read from the key_directory fail. There are two actions, as described below.
  • continue: Causes EVFS to continue to the next library[specifications...] term.
  • stop: Causes EVFS to stop processing and return an error.
]: Literal right square bracket.

Task 2: Create fallback directories for nonprivileged users

1. Create the directory /opt/evfskeys.

# mkdir /opt/evfskeys

2. Save the evfs.conf file as evfs.conf.org.

# cp /etc/evfs/evfs.conf /etc/evfs/evfs.conf.org

3. Edit the /etc/evfs/evfs.conf file using vi and change the parameters for the three keys as shown below. Library specifications should be separated by a space. After making the changes, save the configuration file.

pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/opt/evfskeys,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/opt/evfskeys,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/opt/evfskeys,onfail:stop]

Notice that we configured two pkeydir entries so that nonprivileged users can store their public and private keys in the /opt/evfskeys directory.

4. Verify the changes.

# egrep "pub_key|priv_key|pass_key" /etc/evfs/evfs.conf

pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/opt/evfskeys,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/opt/evfskeys,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/opt/evfskeys,onfail:stop]
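A hand-edited key attribute is easy to break (a lost bracket, a wrapped line, an onfail:stop placed before the fallback directory). The following lint for the format described in Task 1 is an added example, not part of the original article or of HP's tooling; the function names and the sample file are constructed, and it only parses text with sh and awk.

```shell
#!/bin/sh
# Added example, not HP tooling: lint one key attribute of an evfs.conf-style
# file against the format  attr = library[pkeydir:DIR,onfail:ACTION] ...
# Usage: check_key_attr FILE ATTR   (ATTR: pub_key, priv_key or pass_key)
# Prints one line per problem and returns 0 only when the attribute is clean.
check_key_attr() {
    awk -v attr="$2" '
    function problem(msg) { print attr ": " msg; bad = 1 }
    $0 ~ ("^[ \t]*" attr "[ \t]*=") {
        found = 1
        val = $0
        sub(/^[^=]*=[ \t]*/, "", val)      # drop "attr ="
        sub(/[ \t]*#.*$/, "", val)         # drop a trailing comment
        sub(/[ \t]+$/, "", val)            # drop trailing blanks
        n = split(val, term, /[ \t]+/)     # terms are separated by spaces
        if (n == 0) problem("no library term given")
        for (i = 1; i <= n; i++) {
            t = term[i]
            lb = index(t, "["); rb = index(t, "]")
            if (lb < 2 || rb != length(t)) {
                problem("term " i " lacks library[...] brackets: " t)
                continue
            }
            lib = substr(t, 1, lb - 1)
            m = split(substr(t, lb + 1, rb - lb - 1), kv, ",")
            if (m != 2 || index(kv[1], "pkeydir:") != 1 || index(kv[2], "onfail:") != 1) {
                problem("term " i " needs pkeydir:DIR,onfail:ACTION: " t)
                continue
            }
            dir = substr(kv[1], 9); act = substr(kv[2], 8)
            if (substr(lib, 1, 1) != "/") problem("term " i " library is not a full path: " lib)
            if (substr(dir, 1, 1) != "/") problem("term " i " pkeydir is not a full path: " dir)
            if (act != "continue" && act != "stop")
                problem("term " i " has unknown onfail action: " act)
            # By the definitions above, stop ends processing on failure,
            # so a term placed after it can never act as a fallback.
            if (act == "stop" && i < n)
                problem("term " i " uses onfail:stop, so term " (i + 1) " is never tried")
        }
    }
    END { if (!found) problem("attribute not set"); exit (bad ? 1 : 0) }
    ' "$1"
}

# Lint all three attributes of FILE; the return value is the number that failed.
check_all() {
    failures=0
    for a in pub_key priv_key pass_key; do
        check_key_attr "$1" "$a" || failures=$((failures + 1))
    done
    return "$failures"
}

# Constructed sample: pub_key uses the two-directory fallback layout,
# priv_key is absent, and pass_key has lost the "[" of its second term.
demo_conf() {
    cat <<'EOF'
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/opt/evfskeys,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.sopkeydir:/opt/evfskeys,onfail:stop]
EOF
}

tmp="${TMPDIR:-/tmp}/evfs_lint_demo.$$"
demo_conf > "$tmp"
check_all "$tmp" && bad_attrs=0 || bad_attrs=$?
echo "attributes with problems: $bad_attrs"
rm -f "$tmp"
```

To lint a real file, call check_all /etc/evfs/evfs.conf after editing and before restarting the EVFS subsystem.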

Checking EVFS global parameters

To check the global parameters, follow these tasks:

Task 1: Examine the Encryption algorithm

1. Examine the default value of the data_cipher parameter in the /etc/evfs/evfs.conf file.

# grep data_cipher /etc/evfs/evfs.conf
data_cipher = aes-128-cbc #aes-192-cbc or aes-256-cbc

Task 2: Examine the EMD location

1. Examine the default EMD backup location set using the emd_backup parameter in the /etc/evfs/evfs.conf file.

# grep emd_backup /etc/evfs/evfs.conf
emd_backup = /etc/evfs/emd/

For a complete list of global parameters, see evfs.conf(4).

Starting the EVFS subsystem

This section will help you to start the evfs subsystem properly.

Task 1: Start the EVFS subsystem

1. Check the number of processors in the system.

# ioscan -fnkC processor
Class I H/W Path Driver S/W State H/W Type Description
===================================================================
processor 0 120 processor CLAIMED PROCESSOR Processor
processor 1 121 processor CLAIMED PROCESSOR Processor

2. Start evfs with the number of processors minus 1 as the argument, as appropriate for a multiprocessor environment.

The number of threads for the evfs process is the number of processors in the system minus 1.

# evfsadm start -n 1
EVFS subsystem started.

On single-processor systems, 1 is the only valid thread value. In contrast, on multiprocessor systems, the maximum number of threads is the number of processors in the system minus 1.

Task 2: Verify if the EVFS subsystem is running

1. Check if evfsevold is running on the system.

# ps -ef | grep evfsevold
root 11438 11419 0 17:40:05 pts/0 0:00 grep evfs
root 25741 0 0 Aug 9 ? 0:02 evfsevold 
#

Creating user key pairs

Task 1: Create keys for EVFS volume owners

1. For creating the key pair for volume owners you can use root as the volume owner.

After you enter the following command, enter the passphrase twice. Then, when prompted to enter a unique passphrase, you can enter the passphrase “evfsevfs”.

# evfspkey keygen -k rootkey1
Enter passphrase:(enter a passphrase) evfsevfs and press <Enter>
Re-enter passphrase:(re-enter the passphrase to confirm it)evfsevfs
Public/Private key pair "root.rootkey1" has been successfully generated

2. Display the key pair.

# evfspkey lookup -k rootkey1
Key ID: root.rootkey1
Key Cipher: rsa-1536
Public Key Fingerprint: 0f75b8b03f348791bb204e656ac281063ce70a96
Private Key Keywrap: evfs-pbe1
Private Key Fingerprint: 3945e2406f6d95f4ef551d64a595a26d78bc0cc5
Passphrase Keywrap: n/a
Passphrase Fingerprint: n/a

Task 2: Create recovery keys

1. Creating a recovery key is optional, but it is safer to create one.

Storing the user's private key is essential because, by default, the key is stored in the present working directory. Copy the key to offline media for safety. When prompted, use the passphrase "evfsevfs".

# evfspkey keygen -c rsa-2048 -r
Enter passphrase:(enter a passphrase) evfsevfs and press <Enter>
Re-enter passphrase:(re-enter the passphrase to confirm
# The -r option signifies a recovery key and the -c option signifies the cipher type.
Public/Private key pair "evfs_usr.evfs_usr" has been successfully generated

Task 3: Create keys for authorized users

You need to create key pairs for evfs volumes so that other users can access, mount, and modify these volumes. Such keys are useful for autostarting the evfs volumes at boot time.

1. Create the key for the user bin.

# evfspkey keygen -s -u bin -k binkey
# The -s option creates a passphrase automatically and stores it in the passphrase directory.
# Because the key is created for user bin, we can use the automatic passphrase generation
# and storage feature of this command.
Public/Private key pair "bin.binkey" has been successfully generated
Encrypted Volume and File System

Configuring an EVFS volume

You need to identify an unused available disk. You will use this disk to create an LVM logical volume and an evfs volume, and then add the evfs keys into the emd area.

Task 1: Create an LVM or VxVM volume for EVFS

Identify an available unused disk on the system, because converting a volume or disk that holds data to evfs will render the data unusable (there are other ways to convert regular vxfs file systems to evfs). Also, evfs cannot encrypt /root, /boot, /stand, swap or dump.

1. Identify available disks in the system using the ioscan command.

# ioscan -fnkC disk
Class I H/W Path Driver S/W State H/W Type Description
============================================================================
disk 0 0/0/2/0.0.0.0 sdisk CLAIMED DEVICE TEAC DV-28E-C
/dev/dsk/c0t0d0 /dev/rdsk/c0t0d0
disk 1 0/1/1/0.0.0 sdisk CLAIMED DEVICE HP 73.4GST373453LC
/dev/dsk/c2t0d0 /dev/rdsk/c2t0d0
disk 2 0/1/1/0.1.0 sdisk CLAIMED DEVICE HP 73.4GST373453LC
/dev/dsk/c2t1d0 /dev/rdsk/c2t1d0
/dev/dsk/c2t1d0s1 /dev/rdsk/c2t1d0s1
/dev/dsk/c2t1d0s2 /dev/rdsk/c2t1d0s2
/dev/dsk/c2t1d0s3 /dev/rdsk/c2t1d0s3
disk 3 0/1/1/1.2.0 sdisk CLAIMED DEVICE HP 73.4GST373454LC
/dev/dsk/c3t2d0 /dev/rdsk/c3t2d0

2. If LVM is used, determine which disk belongs to vg00 using the vgdisplay command.

# vgdisplay -v vg00 | grep "PV Name"

PV Name /dev/dsk/c2t1d0s2

3. Identify the swap disk using the swapinfo command.

# swapinfo
Kb Kb Kb PCT START/ Kb
TYPE AVAIL USED FREE USED LIMIT RESERVE PRI NAME
dev 8388608 0 8388608 0% 0 - 1 /dev/vg00/lvol2
reserve - 520980 -520980
memory 4181816 927308 3254508 22%

It seems that swap is on the same disk as the root disk, and there is no other disk used as swap or dump.

4. From the above output, using an elimination process, identify a potential empty available disk, and then verify that using the pvdisplay command.

# pvdisplay -l /dev/dsk/c3t2d0
/dev/dsk/c3t2d0:LVM_Disk=no

This disk is available, so use it for the volume creation.

5. Create a volume group vg01 using an appropriate series of commands.

# mkdir /dev/vg01
# mknod /dev/vg01/group c 64 0x010000
# pvcreate /dev/rdsk/c3t2d0
# vgcreate /dev/vg01 /dev/dsk/c3t2d0

In the mknod command above, the c following the device special file name specifies that the group file is a character device file. The 64 is the major number for the group device file; it will always be 64. The 0xnn0000 value is the minor number for the group file in hexadecimal. Each particular nn must be a unique number across all volume groups.

6. Create a 64MB logical volume on the disk.

# lvcreate -L 64 -n lvol1 vg01
Logical volume "/dev/vg01/lvol1" has been successfully created with
character device "/dev/vg01/rlvol1".
Volume Group configuration for /dev/vg01 has been saved in
/etc/lvmconf/vg01.conf

Task 2: Create EVFS volume device files

EVFS uses its own device files to access the logical volumes. Therefore, you need to map each evfs device file to the respective logical volume.

1. Map the evfs device files to the logical volume lvol1 on the volume group vg01.

# evfsadm map /dev/vg01/lvol1
Logical volume "/dev/vg01/lvol1" has been successfully mapped
to encrypted volume "/dev/evfs/vg01/lvol1".

2. Verify the device files created by evfs in the device directory.

# ls /dev/evfs/*
/dev/evfs/admin
/dev/evfs/vg01:
lvol1 rlvol1

Task 3: Create the EMD

1. Create the EMD area on the EVFS volume and specify the owner key pair. When prompted, enter the owner/root passphrase "evfsevfs".

# evfsvol create -k rootkey1 /dev/evfs/vg01/lvol1
Enter owner passphrase:(Enter the passphrase for rootkey1.)
Encrypted volume "/dev/evfs/vg01/lvol1" has been successfully created.

Task 4: Add recovery keys and authorized user keys

1. Add the recovery key to the emd area on the evfs volume using the evfsvol command.

# evfsvol add -r /dev/evfs/vg01/lvol1
# -r option to evfsvol command indicates a recovery key.
Enter owner passphrase:(Enter owner passphrase.)
Encrypted volume "/dev/evfs/vg01/lvol1" has been successfully created

2. Add the authorized user key to the evfs volume. When prompted, give the passphrase for the owner ("evfsevfs").

# evfsvol add -u bin -k binkey /dev/evfs/vg01/lvol1
Enter owner passphrase:
(Enter the passphrase for the owner's key.)
Key ID "init.initkey" has been successfully added to encrypted volume
"/dev/evfs/vg01/lvol1"

Task 5: Enable the EVFS volume

1. Enable the evfs volume using the root user, which is also the owner. To do this, you need to provide the key id and the passphrase "evfsevfs".

# evfsvol enable -k rootkey1 /dev/evfs/vg01/lvol1
Enter passphrase:
(Enter the passphrase for the key rootkey1.)
Encrypted volume "/dev/evfs/vg01/lvol1" has been successfully enabled.

Creating and mounting a file system on an EVFS volume

Create a file system on the evfs volume and mount it on the mount point created specifically for the volume.

Task 1: Create a new file system with newfs

1. You can create a file system using the standard newfs command, and use the supported file system type. For the purpose of this article, a vxfs is used.

# newfs -F vxfs /dev/evfs/vg01/rlvol1

Task 2: Create the mount point

1. Create the mount point.

# mkdir /opt/encrypted_data

Task 3: Mount the file system on the EVFS volume

1. Mount the file system using the standard mount command.

# mount -F vxfs /dev/evfs/vg01/lvol1 /opt/encrypted_data

2. Add the following entry to the /etc/fstab to automount the evfs volume at boot time. Assuming that evfs is configured to auto start, add this entry using the vi command and save the file.

/dev/evfs/vg01/lvol1 /opt/encrypted_data vxfs defaults 0 2

Verifying the configuration and the data encryption

Verify the configuration and the data encryption of the evfs volume by creating a file on an encrypted volume and trying to access it from a raw device.

Task 1: Verify the configuration

1. After you access data or mount a file system on an EVFS volume that is correctly configured, the output for the evfsadm stat -a command shows nonzero values for the number of blocks read (bpr), written (bpw), decrypted (bpd), and encrypted (bpe).

# evfsadm stat -a
Total EVFS Volumes: 1
EVFS Subsystem Status: up
Active Encryption Threads: 1
---- EVFS Volume Name ----|--- State ---|---------------- Queues -------------|
orr owr odr oer
/dev/evfs/vg01/lvol1 enabled 0 0 0 0
---- EVFS Volume Name ----|--- State ---|-------------- Counters -------------|
bpr bpw bpd bpe
/dev/evfs/vg01/lvol1 enabled 214 721 150 1833
---- EVFS Volume Name ----|--- State ---|---------------- Rates --------------|
kbpsr kbpsw dkbps ekbps
/dev/evfs/vg01/lvol1 enabled 30 16 0 166

2. The evfsvol display evfs_volume_path command displays information about the EVFS volume, including the name of the underlying LVM, VxVM, or physical volume device file, and the names of the keys configured for the EVFS volume.

# evfsvol display /dev/evfs/vg01/lvol1
EVFS Volume Name: /dev/evfs/vg01/lvol1
Mapped Volume Name: /dev/vg01/lvol1
EVFS Volume State: enabled
EMD Size (Kbytes): 520
Max User Envelopes: 1024
Data Encryption Cipher: aes-128-cbc
Digest: sha1
Owner Key ID: root.rootkey1
Recovery Agent Key IDs: evfs_usr.evfs_usr
Total Recovery Agent Keys: 1
User Key IDs: bin.binkey
Total User Keys: 1

Task 2: Verify the data encryption

1. Create a file and write a text string into it on the evfs volume mounted on /opt/encrypted_data.

# echo "EVFS TEST LAB" > /opt/encrypted_data/my_evfs_test

2. Use the strings utility to search the EVFS volume device file.

The text is stored in the underlying LVM, VxVM, or physical volume as encrypted data, but the strings utility reads from the EVFS volume. The EVFS subsystem provides decrypted data to the strings utility, which finds and displays the text string you wrote.

# strings /dev/evfs/vg01/lvol1 | grep "EVFS TEST LAB"
EVFS TEST LAB

3. Verify that applications that bypass EVFS receive encrypted data.

To do this, you must disable EVFS on the volume. Use the following procedure to disable EVFS on the volume.

A. For data consistency, stop all applications accessing the EVFS volume. You can use the fuser -cu command to determine the processes accessing files, and the fuser -cku command to terminate these processes. If the data is used by system processes, you might need to terminate the processes by changing the system runlevel to a single-user level with the shutdown utility.
# fuser -cku /opt/encrypted_data
B. Use the umount command to unmount the file system.
# umount /opt/encrypted_data
C. Use the following command to disable encryption and decryption access to the volume, and enter the passphrase “evfsevfs” when prompted.
# evfsvol disable -k rootkey1 /dev/evfs/vg01/lvol1
Enter passphrase: (enter the passphrase)

4. Use the following command to open the EVFS volume for raw access, and when prompted by the question "yes / no", type yes and press Enter.

# evfsvol raw /dev/evfs/vg01/lvol1
Are you sure you want to enable raw access to "/dev/evfs/vg01/lvol1"?
Raw access returns encrypted data to the user.
Answer [yes/no]: yes <Enter>
Successfully enabled raw access to EVFS volume "/dev/evfs/vg01/lvol1"

5. Use the strings utility and try to find the text. The strings utility will not find the text because it receives data from the EVFS volume in encrypted form.

# strings /dev/vg01/lvol1 | grep "EVFS TEST LAB"

6. Return the EVFS volume to a working state. Close the raw access using the following command.

# evfsvol close /dev/evfs/vg01/lvol1
Successfully closed raw access to EVFS volume "/dev/evfs/vg01/lvol1"

7. Enable the volume using the following command, and then enter the passphrase for rootkey1 "evfsevfs" when prompted.

# evfsvol enable -k rootkey1 /dev/evfs/vg01/lvol1
Enter passphrase: (Enter the passphrase for the key rootkey1.)
Encrypted volume "/dev/evfs/vg01/lvol1" has been successfully enabled.

8. Mount the file system.

# mount -F vxfs /dev/evfs/vg01/lvol1 /opt/encrypted_data

The EVFS volume is ready for use.
