Encrypted Volume and File System v1.1 Administrator's Guide

1 EVFS Introduction
This chapter provides introductory information about the Encrypted Volume and File System
(EVFS) product. This chapter addresses the following topics:
“Features and Benefits” (page 17)
“EVFS Architecture” (page 19)
“Supported Software” (page 26)
“Product Limitations and Precautions” (page 27)
“Known Problems” (page 29)
“Feedback and Enhancement Requests” (page 30)
Features and Benefits
EVFS protects data by encrypting data volumes, protecting data at rest (data on disks). You can also use EVFS to create encrypted backup media. EVFS prevents anyone who gains unauthorized physical access to storage media from reading or using the data.

EVFS creates EVFS volumes, which are pseudo-devices (or virtual devices) layered on Logical Volume Manager (LVM), Veritas Volume Manager (VxVM), or physical volume devices. You can use the newfs command to create a file system on an EVFS volume just as you would create a file system on an LVM, VxVM, or physical volume. The EVFS subsystem encrypts data written to an EVFS volume and decrypts data read from an EVFS volume as needed.
EVFS provides the following features:

• Data protection that is file-system independent.
  EVFS supports all disk file system types that can be mounted on an LVM, VxVM, or physical volume, including High Performance File System (HFS) and Veritas File System (VxFS, also referred to as Journaled File System, or JFS).

• Application transparency.
  EVFS volumes are implemented as pseudo-devices below the HP-UX file system. No changes to applications are necessary. EVFS is compatible with network file sharing utilities, such as Network File System (NFS) and Common Internet File System (CIFS), and with network file access utilities, such as File Transfer Protocol (FTP) and remote copy (rcp).

• High-performance bulk data encryption using symmetric keys.
  EVFS encrypts volume data using a symmetric encryption key, referred to as the volume encryption key. EVFS supports the following symmetric key algorithms for encrypting volume data:
    - 128-bit key Advanced Encryption Standard Cipher Block Chaining (AES CBC) mode
    - 192-bit key AES CBC mode
    - 256-bit key AES CBC mode

• Public/private keys for symmetric key storage.
  EVFS uses public/private encryption keys to store volume encryption keys. EVFS supports the following public/private key encryption algorithms:
    - 1024-bit key Rivest-Shamir-Adleman (RSA)
    - 1536-bit key RSA
    - 2048-bit key RSA

• Passphrase storage and retrieval for automatic start (autostart).
  EVFS encrypts private keys with passphrases. In normal operation, EVFS prompts the user for the passphrase to decrypt and retrieve the private key. To enable EVFS operation during system startup without human intervention, EVFS provides a mechanism to store a user's
Features and Benefits 17
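The three layers described in this section (AES-CBC volume encryption key for the data, an RSA public/private key pair that stores the volume key, and a passphrase that protects the private key) form a key hierarchy that can be modelled with the OpenSSL command-line tool. The script below is an added illustration, not part of the EVFS guide and not EVFS's own tooling or on-disk format; the file names, the passphrase, the sample data and the single demo IV are constructed for the example, and RSA-OAEP is used as the wrapping padding purely as a demonstration choice.

```shell
#!/bin/sh
# Added illustration (not part of the EVFS guide): models the EVFS key
# hierarchy with the OpenSSL CLI.
#   volume data      <- AES-256-CBC under a random volume encryption key
#   volume key       <- wrapped with the user's RSA-2048 public key
#   RSA private key  <- PEM file encrypted with the user's passphrase
# File names, passphrase, sample data and IV are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSPHRASE='demo-passphrase'    # constructed; EVFS prompts for the real one
IV_HEX=$(openssl rand -hex 16)  # one 128-bit CBC IV, reused only for the
                                # single demo block (a disk encryptor
                                # derives a distinct IV per block)

# Passphrase layer: user key pair; the private key is stored encrypted.
make_user_keys() {
    openssl genrsa -aes256 -passout "pass:$PASSPHRASE" \
        -out "$WORK/user.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/user.key" -passin "pass:$PASSPHRASE" \
        -pubout -out "$WORK/user.pub" 2>/dev/null
}

# Public-key layer: random 256-bit volume key, kept on disk only in wrapped
# form; the plaintext copy is removed once it has been wrapped.
make_and_wrap_volume_key() {
    openssl rand -hex 32 > "$WORK/vek.hex"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/user.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/vek.hex" -out "$WORK/vek.wrapped"
    rm "$WORK/vek.hex"
}

# Unwrapping needs the private key, which needs the passphrase ($1).
# Prints the volume key in hex; exits non-zero with a wrong passphrase.
unwrap_volume_key() {
    openssl pkeyutl -decrypt -inkey "$WORK/user.key" -passin "pass:$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/vek.wrapped" 2>/dev/null
}

# Symmetric layer: bulk data encryption with the volume key, standing in for
# the pseudo-device encrypting blocks on their way to the underlying volume.
encrypt_block() {   # $1 = hex volume key, $2 = plaintext file, $3 = output
    openssl enc -aes-256-cbc -K "$1" -iv "$IV_HEX" -in "$2" -out "$3"
}
decrypt_block() {   # $1 = hex volume key, $2 = ciphertext file; prints data
    openssl enc -d -aes-256-cbc -K "$1" -iv "$IV_HEX" -in "$2"
}

# Full round trip through all three layers; prints the recovered plaintext.
demo_roundtrip() {
    make_user_keys
    make_and_wrap_volume_key
    printf 'payroll record 42\n' > "$WORK/plain.txt"   # constructed sample
    vek=$(unwrap_volume_key "$PASSPHRASE")
    encrypt_block "$vek" "$WORK/plain.txt" "$WORK/block.enc"
    decrypt_block "$vek" "$WORK/block.enc"
}

# Without the passphrase the private key, and so the volume key, is
# unavailable: returns 0 only if the unwrap attempt failed.
wrong_passphrase_is_rejected() {
    if unwrap_volume_key 'not-the-passphrase' >/dev/null; then
        return 1
    fi
    return 0
}
```

Run `demo_roundtrip` to see the plaintext come back through the whole chain, and `wrong_passphrase_is_rejected` to see that the wrapped volume key is useless without the passphrase. This is the property the autostart feature trades against: storing the passphrase so the system can boot unattended means the private key, and with it every volume key wrapped under it, can be recovered by whoever can read that stored passphrase, so the store itself must be protected at least as well as the volumes.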