Encrypted Volume and File System v1.1 Administrator's Guide

Step 5: Creating User Key Pairs
Each user key pair has a key name. The default key name is the name of the user for whom the key pair is created.
This section addresses the following topics:
“Guidelines for Creating User Keys” (page 44)
“Creating Keys for EVFS Volume Owners” (page 44)
“Creating Recovery Keys” (page 45)
“Creating Keys for Authorized Users” (page 46)
Guidelines for Creating User Keys
Use the following guidelines to determine the number and types of user keys to create. The user key types and privileges are described in “User Key Privileges” (page 24).

At a minimum, you must create one user key pair (public/private key pair) for the EVFS volume owner.

You can use one key pair for multiple EVFS volumes, but using a unique key pair for each EVFS volume is more secure.

HP recommends that you create at least one recovery key pair. You can use a recovery key to assign a new owner to a volume if the owner key pair is lost or compromised. HP recommends that you store the private recovery key offline.

To use the autostart feature, you must create a passphrase file. Passphrase files are a security risk. If you use a passphrase file, you can reduce the security risk by creating a user key pair for an authorized user and creating the passphrase file for the authorized user key pair instead of the owner key pair.

To create encrypted backup media on a tape device, a user must have an authorized user key pair for the volume. (The user must execute the evfsvol disable command as part of the backup procedure, which requires an EVFS authorized user key or owner key pair.) Creating and configuring an authorized user key pair will enable a non-owner to create encrypted backup media.

You can create multiple key pairs for each user. For example, if a user is the owner of multiple EVFS volumes, you can create a unique key pair for each volume that the user owns.
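As an added example that is not part of the HP guide, the following POSIX shell wrapper applies these guidelines to a single volume using the evfspkey keygen syntax documented in the next section. The key names, the sample user names and the EVFSPKEY dry-run variable are assumptions, as is the use of the same keygen command for the recovery key pair (its own section is on the following page).

```shell
#!/bin/sh
# Added example, not part of the HP guide. Composes the evfspkey keygen
# invocations for one EVFS volume following the guidelines above.
# Assumptions: the recovery key pair uses the same keygen syntax (its own
# section is on the following page), and EVFSPKEY may be pointed at a stand-in
# such as "echo" to dry-run the commands on a host without EVFS installed.
EVFSPKEY="${EVFSPKEY:-evfspkey}"

# evfs_keygen CIPHER USER KEYNAME [MODE]
# MODE is "-p" (prompt for a passphrase and store it), "-s" (generate and store
# one) or empty (no stored passphrase, so no autostart for this key).
# Refuses to run anything when the arguments fall outside the documented syntax.
evfs_keygen() {
  cipher=$1 user=$2 keyname=$3 mode=${4:-}
  case "$cipher" in
    rsa-1024|rsa-1536) ;;
    *) echo "evfs_keygen: unsupported cipher '$cipher'" >&2; return 1 ;;
  esac
  case "$mode" in
    ""|-p|-s) ;;
    *) echo "evfs_keygen: passphrase mode must be -p or -s" >&2; return 1 ;;
  esac
  # $mode is deliberately unquoted so that an empty mode adds no argument.
  "$EVFSPKEY" keygen $mode -c "$cipher" -u "$user" -k "$keyname"
}

# setup_volume_keys VOLUME OWNER AUTHUSER
# Creates, per volume: a unique owner key pair, a recovery key pair (keep its
# private half offline), and an authorized user key pair that carries the
# stored passphrase for autostart, so the owner key never gets a passphrase
# file. Key names embed the volume name to keep one key pair per volume.
setup_volume_keys() {
  vol=$1 owner=$2 authuser=$3
  evfs_keygen rsa-1536 "$owner"    "${owner}_${vol}"       || return 1
  evfs_keygen rsa-1536 "$owner"    "recovery_${vol}"       || return 1
  evfs_keygen rsa-1536 "$authuser" "${authuser}_${vol}" -s || return 1
}

# Stand-alone dry run with constructed names:
#   EVFSPKEY=echo sh this_script.sh vol01 root backupop
if [ $# -eq 3 ]; then setup_volume_keys "$@"; fi
```

With EVFSPKEY=echo the script only prints the three command lines, which lets you review the key layout before running it on the EVFS host.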
Creating Keys for EVFS Volume Owners
Use the following evfspkey keygen command to create key pairs for EVFS volume owners:
evfspkey keygen [-p|-s] [-c cipher] [-u user] [-k keyname]
where:
-p Causes evfspkey to prompt for a passphrase. The evfspkey utility prompts you for a passphrase and stores the passphrase in an encrypted file. The passphrase must contain at least eight characters.
CAUTION: A stored passphrase enables you to use the EVFS autostart feature
but it is a security risk.
-s Causes evfspkey to generate a passphrase automatically. The evfspkey utility generates a passphrase for you and stores the passphrase in an encrypted file.
-c cipher
Specifies the type of public/private (cipher) keys to create.
Valid values:
rsa-1024 (RSA 1024-bit keys)
rsa-1536 (RSA 1536-bit keys)
44 Preparing EVFS for Configuration