Encrypted Volume and File System v2.0 Administrator Guide HP-UX 11i v3

EVFS encryption keys
EVFS uses two types of encryption keys:
- Symmetric keys to encrypt data, referred to as volume encryption keys for EVS and as file encryption keys for EFS.
- Public/private key pairs to protect volume or file encryption keys, also referred to as user keys.
EVFS also uses passphrases to protect private keys.
Volume and file encryption keys
EVFS uses symmetric keys to encrypt data, referred to as volume or file encryption keys. In symmetric
key cryptography, the same key (bit string) is used to encrypt and decrypt the data. In EVS mode,
EVFS stores the volume encryption keys in the EMD area of a volume, as part of key records. In
EFS mode, EVFS stores the file encryption keys in the EMD area of a file. Each key record contains
the volume or file encryption key, encrypted with a user's public key. Because the encryption key
is encrypted with a public key, this data is also referred to as a “digital envelope.” The digital
envelope must be “opened,” or decrypted with the user's private key to retrieve the encryption
key. Figure 4 illustrates how EVFS uses and stores volume encryption keys.
Figure 4 Encryption metadata (EMD) and volume encryption keys
User keys
EVFS uses public/private encryption key pairs with passphrases to securely store file and volume
encryption keys. Each public/private key pair is owned by a user, and the key pairs are also
referred to as user keys.
Public/private key cryptography systems use pairs of related but different keys. The public and
private key pairs are mathematically related so that data encrypted with the public key requires
the private key to decrypt it. In public/private key systems, the public key does not have to be kept
secret.
Passphrases
For added protection, EVFS encrypts each private key with a passphrase before storing it. You
can specify the passphrase or have EVFS generate a passphrase for you.
Stored passphrases
You can store a passphrase in a file. EVFS encrypts the passphrase with system-specific information
before storing it. For EVS mode, stored passphrases enable EVS to retrieve a user's private key
without prompting for the passphrase. If you want to enable EVS volumes at system startup without
manual intervention, you must use stored passphrases. For EFS mode, the stored passphrase allows
the system administrator to start applications on behalf of other users. If applications require the