The rootvg is the primary volume group in IBM AIX that contains the operating system, boot-related files, and other critical data required for system operation. The alt_disk_copy command is a powerful utility in AIX that clones the root volume group (rootvg) and its logical volumes (LVs) to a secondary disk. This creates a bootable mirror of the rootvg, named altinst_rootvg, often used for migration, backup, or system recovery.
By default, alt_disk_copy encrypts only logical volumes that were previously encrypted. However, the process can be adapted to encrypt unencrypted LVs by modifying the image.data file, a configuration file that defines the properties of logical volumes and filesystems within rootvg. This file allows fine-grained control over how the cloned environment is set up.
Encryption is implemented using the AIX encryption facility, which relies on the Platform Key Store (PKS), a hardware feature available starting with IBM POWER9 processors. PKS is hardware-backed nonvolatile random access memory (NVRAM) that offers secure storage for sensitive material.
This tutorial explains how to modify the image.data file to enable encryption for additional rootvg LVs, enhancing data security without requiring a full system reinstall or downtime.
Background
As data security becomes increasingly critical, encryption provides a safeguard against unauthorized access to sensitive information. LVs within rootvg can contain system-critical or user-specific data, making encryption essential for compliance with security standards and risk mitigation.
The alt_disk_copy command offers a seamless way to integrate encryption into an existing system by creating a secure, cloned environment. This approach avoids the challenges of rebuilding the system or disrupting operations, making it an ideal solution for retrofitting encryption onto existing LVs.
Steps for enabling encryption
Perform the following steps to enable encryption.
Prerequisites: Ensure that the following prerequisites are met before proceeding with this method:
Enable PKS: Enable PKS on the logical partition (LPAR) through the Hardware Management Console (HMC). Verify that enough PKS key slots are available for the LVs you intend to encrypt by running the hdcryptmgr pksshow command. Example:
bash-5.2# hdcryptmgr pksshow
Total PKS size: 4096 bytes
Used PKS size: 2978 bytes
Estimated encryption key slots: 12
Ensure supported AIX version: This method is supported starting from AIX version 7.3D. Ensure your system meets this requirement.
Generate image.data file: The image.data file contains metadata about rootvg logical volumes and filesystems. If this file does not exist, create it using the mkszfile command.
Steps
Back up the image.data file: Copy /image.data to a separate directory (for example, /home) and make your changes to that copy, leaving the original file untouched.
Modify image.data file: Open the copy and, for each LV you want to encrypt (excluding hd5 and hd8), set the following fields to yes:
ENCRYPTLV= yes
EAM_PKS= yes
Run alt_disk_copy command: Pass the modified image.data file to alt_disk_copy with the -i option so that the clone is created with the encryption settings you specified:
alt_disk_copy -d hdisk1 -i /home/image.data
Example
bash-5.2# alt_disk_copy -d hdisk1 -i /home/image.data
Checking disk sizes.
Creating cloned rootvg volume group and associated logical volumes.
Creating logical volume alt_hd5
Creating logical volume alt_hd6
Creating logical volume alt_hd8
Creating logical volume alt_hd4
Creating logical volume alt_hd2
Creating logical volume alt_hd9var
Creating logical volume alt_hd3
Creating logical volume alt_hd1
Creating logical volume alt_hd10opt
Creating logical volume alt_hd11admin
Creating logical volume alt_lg_dumplv
Creating logical volume alt_livedump
Creating logical volume alt_user_lv
Enter Passphrase:
Trying to use unsecure passphrase. Constraints preceded by * are not met.
Passphrase must contain at least :
* 12 characters
1 lower case letters
* 1 upper case letters
* 1 digits
* 1 special characters from list "~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/ */"
Please confirm usage of an unsecure passphrase (y|n): y
Confirm Passphrase:
hdcryptmgr authinit successfully initialized 11 LVs.
Creating /alt_inst/ file system.
Creating /alt_inst/admin file system.
Creating /alt_inst/home file system.
Creating /alt_inst/opt file system.
Creating /alt_inst/tmp file system.
Creating /alt_inst/usr file system.
Creating /alt_inst/var file system.
Creating /alt_inst/var/adm/ras/livedump file system.
Generating a list of files
for backup and restore into the alternate file system...
Backing-up the rootvg files and restoring them to the
alternate file system...
Modifying ODM on cloned disk.
Building boot image on cloned disk.
forced unmount of /alt_inst/var/adm/ras/livedump
forced unmount of /alt_inst/var/adm/ras/livedump
forced unmount of /alt_inst/var
forced unmount of /alt_inst/var
forced unmount of /alt_inst/usr
forced unmount of /alt_inst/usr
forced unmount of /alt_inst/tmp
forced unmount of /alt_inst/tmp
forced unmount of /alt_inst/opt
forced unmount of /alt_inst/opt
forced unmount of /alt_inst/home
forced unmount of /alt_inst/home
forced unmount of /alt_inst/admin
forced unmount of /alt_inst/admin
forced unmount of /alt_inst
forced unmount of /alt_inst
Changing logical volume names in volume group descriptor area.
Fixing LV control blocks...
Fixing file system superblocks...
Bootlist is set to the boot disk: hdisk1 blv=hd5
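The three steps above (back up image.data, set ENCRYPTLV= yes and EAM_PKS= yes for every LV except hd5 and hd8, then run alt_disk_copy) can be scripted so that the edit is repeatable and nothing is missed. The following is an added example written for this tutorial, not IBM's own tooling. It assumes that image.data is a sequence of "name:" stanzas made of "KEY= value" lines and that alt_disk_copy reads ENCRYPTLV and EAM_PKS from an lv_data stanza regardless of their position in it (the script appends them when a stanza lacks them). The image.data fragment embedded in the script is constructed and abbreviated; a real file carries many more fields per stanza.

```shell
#!/bin/sh
# Added example for this tutorial (not IBM's code): rewrite a copy of image.data
# so that alt_disk_copy encrypts every rootvg LV except hd5 (boot) and hd8
# (JFS2 log), then run alt_disk_copy with that copy.
# Assumptions: image.data is a series of "name:" stanzas of "KEY= value" lines,
# and alt_disk_copy accepts ENCRYPTLV/EAM_PKS anywhere inside an lv_data stanza
# (they are appended when a stanza does not carry them).

# mark_lvs_for_encryption "lv ..."  -- image.data on stdin, rewritten copy on stdout.
# The argument lists the LVs to leave unencrypted.
mark_lvs_for_encryption() {
    awk -v skip="$1" '
    # Print the buffered stanza; force ENCRYPTLV/EAM_PKS to yes in lv_data
    # stanzas whose LV is not in the skip list.
    function emit(   i, last, encrypt, line, seen_enc, seen_pks) {
        if (n == 0) return
        encrypt = (stanza == "lv_data:" && !(lvname in skipmap))
        if (indent == "") indent = "\t"
        last = n                       # keep added fields ahead of the blank separator
        while (last > 0 && buf[last] ~ /^[ \t]*$/) last--
        for (i = 1; i <= last; i++) {
            line = buf[i]
            if (line ~ /^[ \t]*ENCRYPTLV=/) { seen_enc = 1; if (encrypt) sub(/=.*$/, "= yes", line) }
            if (line ~ /^[ \t]*EAM_PKS=/)   { seen_pks = 1; if (encrypt) sub(/=.*$/, "= yes", line) }
            print line
        }
        if (encrypt && !seen_enc) print indent "ENCRYPTLV= yes"
        if (encrypt && !seen_pks) print indent "EAM_PKS= yes"
        for (i = last + 1; i <= n; i++) print buf[i]
        n = 0; stanza = ""; lvname = ""; indent = ""
    }
    BEGIN { k = split(skip, s, " "); for (i = 1; i <= k; i++) skipmap[s[i]] = 1 }
    /^[A-Za-z_]+:[ \t]*$/ { emit(); stanza = $1 }    # a new stanza starts
    /^[ \t]*LOGICAL_VOLUME=/ { lvname = $2; match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH) }
    { buf[++n] = $0 }
    END { emit() }
    '
}

# lv_setting LV KEY -- print KEY's value from LV's lv_data stanza (image.data on stdin).
# Handy for checking the edited copy before handing it to alt_disk_copy.
lv_setting() {
    awk -v lv="$1" -v key="$2" '
    /^[A-Za-z_]+:[ \t]*$/ { cur = "" }
    /^[ \t]*LOGICAL_VOLUME=/ { cur = $2 }
    cur == lv && $1 == (key "=") { print $2; exit }
    '
}

# Constructed, abbreviated image.data (real files carry many more fields per
# stanza). The last stanza deliberately lacks the two encryption fields.
sample_image_data() {
    cat <<'EOF'
image_data:
    IMAGE_TYPE= bff
    OSLEVEL= 7.3.0.0

lv_data:
    VOLUME_GROUP= rootvg
    LOGICAL_VOLUME= hd5
    TYPE= boot
    ENCRYPTLV= no
    EAM_PKS= no

lv_data:
    VOLUME_GROUP= rootvg
    LOGICAL_VOLUME= hd8
    TYPE= jfs2log
    ENCRYPTLV= no
    EAM_PKS= no

lv_data:
    VOLUME_GROUP= rootvg
    LOGICAL_VOLUME= hd4
    TYPE= jfs2
    MOUNT_POINT= /
    ENCRYPTLV= no
    EAM_PKS= no

lv_data:
    VOLUME_GROUP= rootvg
    LOGICAL_VOLUME= user_lv
    TYPE= jfs2
    MOUNT_POINT= /userdata
EOF
}

# Offline demonstration on the constructed file, excluding hd5 and hd8.
demo() { sample_image_data | mark_lvs_for_encryption "hd5 hd8"; }

# On an AIX host (tutorial steps 1 to 3; defined here, not run, so the script
# also executes on a non-AIX machine). alt_disk_copy prompts for the passphrase.
prepare_and_clone() {
    [ -f /image.data ] || mkszfile                                       # prerequisite
    mark_lvs_for_encryption "hd5 hd8" < /image.data > /home/image.data   # steps 1 and 2
    alt_disk_copy -d hdisk1 -i /home/image.data                          # step 3
    lspv                                                                 # verification
}

demo
```

Run the script as-is to see the rewritten sample on stdout; on the target LPAR, call prepare_and_clone instead. The awk rewrite keeps each stanza's own indentation and leaves the image_data stanza and the hd5/hd8 stanzas untouched, so the only differences from the original copy are the two encryption fields on the LVs you chose.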
Verification
Check disk status: Confirm the cloned rootvg and its LVs:
bash-5.2# lspv
hdisk0          00cb5e98a4385d47                    rootvg          active
hdisk1          00c58d28490eba58                    altinst_rootvg
hdisk2          00cb5e98ac65bcb6                    None
Validate PKS configuration: Verify the encryption keys and their associated logical volumes:
This tutorial demonstrated how to use the alt_disk_copy command to secure additional LVs within rootvg by enabling encryption through a modified image.data file, protecting the data without system downtime or a complex reinstallation.