Encrypted Volume and File System v1.1 Administrator's Guide
1. If you are moving the volume to another system, add an authorized user key pair for the
administrator on the destination system. You will use this key pair on the destination system.
a. Create a new key pair for the administrator on the destination system using the following criteria:
• The user account for the key owner must exist on the destination system.
• The key name must be unique for the owner on the destination system.
• You must know the passphrase for the private key, so do not specify the -s option for the evfspkey command. When you use the -s option, EVFS generates and stores the passphrase for you, and you cannot retrieve the passphrase. Stored passphrase files are encrypted with system-specific information, so a stored passphrase created on one system is unusable on any other system.
Use the following evfspkey keygen command syntax:
    evfspkey keygen [-c cipher] [-u user] [-k keyname]
where:
-c cipher     Specifies the type of public/private keys to create.
              Valid values:
                  rsa-1024 (RSA 1024-bit keys)
                  rsa-1536 (RSA 1536-bit keys)
                  rsa-2048 (RSA 2048-bit keys)
              Default: rsa-1536
-u user       Specifies the user name of the key owner. This must be a valid user name on the destination system. If you do not specify -u user, evfspkey uses your user name as the key owner. You must have superuser or the appropriate privileges to create a key pair for another user.
-k keyname    Specifies the key name. Specify a key name that does not already exist for the key owner on the destination system. If you do not specify -k keyname, evfspkey uses the user name as the key name.
              Valid value: An ASCII string, 1 to 255 characters long.
The evfspkey utility prompts you for a passphrase to protect the private key.
IMPORTANT: Make a note of this passphrase, because you must specify it when you
administer the EVFS volume on the target system.
b. Use the following command to add the key to the EVFS volume:
    evfsvol add -u user [-k keyname] evfs_volume_path
where:
-k keyname          Specifies the name of the key to add. If you do not specify -k keyname, evfsvol uses your user name as the key name.
evfs_volume_path    Specifies the absolute pathname for the EVFS volume device file, such as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
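The following script is an added example, not part of the EVFS guide or the EVFS product: it checks the step 1 criteria above (key name is 1 to 255 ASCII characters, cipher is one of the three documented values, the owner account exists, the volume path is absolute) and then issues the evfspkey keygen and evfsvol add commands without -s, so the passphrase stays with the administrator. The function and variable names, the use of the id command for the account check, and the EVFS_DRY_RUN variable (which prints the commands instead of running them) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the EVFS guide): pre-flight checks for step 1, then the
# documented evfspkey keygen / evfsvol add commands. Set EVFS_DRY_RUN=1 to print
# the commands instead of running them (the variable is an assumption of this script).

# Key name rule from the guide: an ASCII string, 1 to 255 characters long.
valid_keyname() {
    len=$(printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' ')
    [ "$len" -ge 1 ] && [ "$len" -le 255 ] || return 1
    # Any byte outside the printable ASCII range (0x20-0x7E) fails the check.
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# Cipher must be one of the three documented values.
valid_cipher() {
    case "$1" in rsa-1024|rsa-1536|rsa-2048) return 0 ;; *) return 1 ;; esac
}

# The key owner must be an existing account on the destination system (id is assumed).
user_exists() { id "$1" >/dev/null 2>&1; }

# The volume argument must be an absolute device path such as /dev/evfs/vg01/lvol5.
valid_volume_path() { case "$1" in /*) return 0 ;; *) return 1 ;; esac; }

# Build the keygen command line: no -s, so you are prompted for the passphrase.
keygen_cmd() { printf 'evfspkey keygen -c %s -u %s -k %s\n' "${3:-rsa-1536}" "$1" "$2"; }

# Print the command in dry-run mode, otherwise execute it with its arguments intact
# (no eval, so a key name containing shell metacharacters cannot alter the command).
run_or_print() {
    if [ "${EVFS_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Run every check, then issue the two commands. Returns 1 on the first failed check.
prepare_volume_move() {
    user=$1 keyname=$2 volume=$3 cipher=${4:-rsa-1536}
    valid_cipher "$cipher"      || { echo "invalid cipher: $cipher" >&2; return 1; }
    valid_keyname "$keyname"    || { echo "invalid key name" >&2; return 1; }
    user_exists "$user"         || { echo "no such user: $user" >&2; return 1; }
    valid_volume_path "$volume" || { echo "volume path must be absolute" >&2; return 1; }
    run_or_print evfspkey keygen -c "$cipher" -u "$user" -k "$keyname" || return 1
    run_or_print evfsvol add -u "$user" -k "$keyname" "$volume"
}
```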
2. Copy the owner's public and private key files to removable media. You must restore these files on the destination system.
By default, EVFS stores the user key database in subdirectories below /etc/evfs/pkey, with a subdirectory for each user. The administrator can configure alternate database directories using the pub_key, priv_key, and pass_key attributes in the
92 Administering EVFS