Encrypted Volume and File System v1.1 Administrator's Guide

Volume Encryption Keys
EVFS uses symmetric keys to encrypt data, referred to as volume encryption keys. In symmetric
key cryptography, the same key (bit string) is used to encrypt and decrypt the data. EVFS stores
the volume encryption keys in the EMD area of a volume, as part of key records. Each key record
contains the volume encryption key, encrypted with a user's public key. Because the volume
encryption key is encrypted with a public key, this data is also referred to as a “digital envelope.”
The digital envelope must be “opened,” or decrypted with the user's private key to retrieve the
volume encryption key. Figure 1-2 illustrates how EVFS uses and stores volume encryption keys.
Figure 1-2 Encryption Metadata (EMD) and Volume Encryption Keys
[Figure: An EVFS volume consists of the Encryption Metadata (EMD), which holds the key records, and the encrypted data. User 1’s public key encrypts the volume encryption key, and User 1’s private key decrypts it. The volume encryption key encrypts and decrypts the data. The passphrase (“my_passphrase”) encrypts the private key. For a stored passphrase, system-specific data encrypts “my_passphrase”.]
User Keys
EVFS uses public/private encryption key pairs with passphrases to securely store volume
encryption keys. Each public/private key pair is owned by a user, and the key pairs are also
referred to as user keys.
Public/private key cryptography systems use pairs of related but different keys. The public and
private key pairs are mathematically related so that data encrypted with the public key requires
the private key to decrypt it. In public/private key systems, the public key does not have to be
kept secret.
Passphrases
For added protection, EVFS encrypts each private key with a passphrase before storing it. You
can specify the passphrase or have EVFS generate a passphrase for you.
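The key hierarchy described above (one volume encryption key sealed in a key record per user, each private key protected by a passphrase), as an added example that is not part of the original guide and does not use EVFS commands. It uses the OpenSSL command line; the algorithms (RSA-2048 with OAEP, AES-256-CBC), file names, user names and passphrases are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added illustration using OpenSSL; EVFS's own commands and formats differ.
# Algorithms, file names, user names and passphrases are assumed sample values.

# User key pair; the private key is stored encrypted under a passphrase.
make_user_keys() {  # args: dir user passphrase
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$3" -out "$1/$2.priv.pem" 2>/dev/null &&
    openssl pkey -in "$1/$2.priv.pem" -passin "pass:$3" -pubout \
        -out "$1/$2.pub.pem"
}

# Key record: the volume encryption key sealed with one user's public key.
add_key_record() {  # args: dir user vek_hex
    printf '%s' "$3" | openssl pkeyutl -encrypt -pubin \
        -inkey "$1/$2.pub.pem" -pkeyopt rsa_padding_mode:oaep \
        -out "$1/$2.keyrec"
}

# Open the envelope: the passphrase unlocks the private key, which recovers
# the volume encryption key. Prints the key; non-zero status on failure.
open_key_record() {  # args: dir user passphrase
    openssl pkeyutl -decrypt -inkey "$1/$2.priv.pem" -passin "pass:$3" \
        -pkeyopt rsa_padding_mode:oaep -in "$1/$2.keyrec" 2>/dev/null
}

# The same symmetric key encrypts (-e) and decrypts (-d) the volume data.
volume_crypt() {  # args: -e|-d vek_hex iv_hex infile outfile
    openssl enc -aes-256-cbc "$1" -K "$2" -iv "$3" -in "$4" -out "$5"
}

demo() {
    d=$(mktemp -d) || return 1
    vek=$(openssl rand -hex 32); iv=$(openssl rand -hex 16)
    printf 'constructed sample volume data\n' > "$d/plain"
    volume_crypt -e "$vek" "$iv" "$d/plain" "$d/volume.enc"
    for u in user1 user2; do
        make_user_keys "$d" "$u" "pass-$u" && add_key_record "$d" "$u" "$vek"
    done
    unset vek   # the key now exists only inside the two key records
    k=$(open_key_record "$d" user2 "pass-user2") &&
        volume_crypt -d "$k" "$iv" "$d/volume.enc" "$d/out" && cat "$d/out"
    open_key_record "$d" user2 "wrong" >/dev/null ||
        echo "wrong passphrase: key record stays sealed"
    rm -rf "$d"
}
demo
```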
Stored Passphrases
As an option, you can store a passphrase in a file. EVFS encrypts the passphrase with
system-specific information before storing it. Stored passphrases enable EVFS to retrieve a user's
private key without prompting for the passphrase. If you want to enable EVFS volumes at system
startup without manual intervention, you must use stored passphrases.
CAUTION: A stored passphrase enables you to use the EVFS autostart feature, but it is a security
risk.
Using HP-UX Trusted Computing Services with EVFS
On systems with HP-UX Trusted Computing Services (TCS), you can use TCS to secure EVFS
private keys. For more information, see the HP-UX TCS product documentation.