Encrypted Volume and File System v2.0 Administrator Guide HP-UX 11i v3
groupmod command is issued to modify the group name while the group already has a key, the
old group key becomes inaccessible and there will be no group key for the new group name.
NOTE: Do not change the group name once the group has a key.
If you are not in a secure session to issue these wrapper commands, you must do one of the
following:
• Change the PATH shell variable to add /opt/evfs/bin ahead of /usr/sbin, so that the wrapper commands override those in /usr/sbin.
• Refer to the full path /opt/evfs/bin/<wrapper_cmd>.
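One way to confirm that the PATH change took effect, as an added example that is not part of the HP guide: the script walks a PATH string and reports which directory supplies each wrapper command named on this page. The helper names first_dir_for and check_wrappers and the --check argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the HP guide): confirm the EVFS wrappers shadow /usr/sbin.
EVFS_BIN=/opt/evfs/bin                        # wrapper directory named in the guide
WRAPPERS="usermod groupmod userdel groupdel"  # wrapper commands named on this page

# first_dir_for CMD PATHSTRING (hypothetical helper)
# Print the first directory in PATHSTRING that holds an executable CMD;
# return 1 when none does. An empty PATH element means the current directory.
first_dir_for() {
    cmd=$1
    old_ifs=$IFS
    IFS=:
    set -f                                    # no globbing while splitting
    for dir in $2; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$dir"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# check_wrappers PATHSTRING [WRAPPER_DIR] (hypothetical helper)
# Print one line per wrapper; return 0 only if all resolve to WRAPPER_DIR.
check_wrappers() {
    search=$1
    want=${2:-$EVFS_BIN}
    rc=0
    for w in $WRAPPERS; do
        got=$(first_dir_for "$w" "$search") || got="(not found)"
        if [ "$got" = "$want" ]; then
            echo "OK    $w -> $got/$w"
        else
            echo "WARN  $w resolves to $got, expected $want"
            rc=1
        fi
    done
    return $rc
}

# Run against the live PATH only when asked: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_wrappers "$PATH"
fi
```

A WARN line means that typing the bare command name would run the HP-UX command rather than the EVFS wrapper.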
Example 1
User jsmith has a key pair. The system administrator attempts to change the login name of
jsmith using the usermod wrapper command with the -l option:
# id
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail)
# evfspkey lookup -u jsmith
Key ID: jsmith.jsmith
Key Cipher: rsa-1536
Key Fingerprint: d6:00:1f:2a:df:05:18:3e:9d:da:28:6c:4e:d8:1c:dc:50:d5:5b:63
Private Key : evfs-pbe1
Group access: users
Reset passphrase required: yes
Allow passphrase reset by key manger: no
Stored passphrase: no
# /opt/evfs/bin/usermod -l newuser jsmith
EVFS usermod error: cannot use "-l" option. Since "jsmith" has a key pair,
you cannot change the login name.
Example 2
User jsmith has access to encrypted files that belong to jsmith's primary group users. The
system administrator uses the usermod wrapper command to change jsmith's primary group:
# /opt/evfs/bin/usermod -g newgrp jsmith
The "users" group access key has been successfully removed from the user "jsmith" key record.
Example 3
The system administrator attempts to change the users group name while the group already has
a key:
# id
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail)
# evfspkey lookup -g users
Key ID: users.users
Key Cipher: rsa-1536
Key Fingerprint: 4c:50:8b:d7:87:c6:4d:71:b6:c6:70:d0:59:04:af:16:3b:b0:3d:f0
# /opt/evfs/bin/groupmod -n newgrp users
EVFS groupmod error: group key exists, cannot modify group name.
The userdel and groupdel commands
The userdel wrapper command deletes the user from the system by executing the HP-UX userdel
command and deletes all keys associated with this user. Once the keys are deleted, the encrypted
files protected by those keys become inaccessible.
If the HP-UX userdel command is used to delete the user account, the user's user keys remain in
the system, but the keys and encrypted files associated with the user become inaccessible. Therefore,
before deleting a user account that already has keys and encrypted files, you need to make sure
that there are no more encrypted files to access with these keys. To delete the user key after the
user account has already been deleted from the system, the system administrator or key manager can run
the evfspkey delete -u <username> command.
The groupdel wrapper command deletes a group from the system by executing the HP-UX
groupdel command and deletes the group key and the group access key from its members' key
The EVFS wrapper commands 123