Encrypted Volume and File System v2.0 Administrator Guide HP-UX 11i v3
/usr/lib/evfs/hpux64/libevfs_pkey.so (HP Integrity servers)
/usr/lib/evfs/pa20_64/libevfs_pkey.sl (HP 9000 servers)
[
    Literal left square bracket.

key_directory
    Specifies the fully qualified pathname of the base directory in which to store
    key data, such as /etc/evfs/pkey. See “Key storage directory
    requirements” (page 29) for more information. EVFS automatically creates
    a users subdirectory under the key_directory to store the key files.
    Therefore, you do not need to include users in the path.
    If you want to use the autostart feature, the autostart option you specify in
    the /etc/evfs/evfstab file is determined by the location of the
    key_directory. See “Step 5: (Optional) Configuring the autostart feature”
    (page 31) for more information.

action
    Specifies the EVFS action if attempts to write to or read from the
    key_directory fail.
    continue    Causes EVFS to continue to the next library[specifications...] term.
    stop        Causes EVFS to stop processing and return an error.

]
    Literal right square bracket.

Key storage directory requirements
• Directories used to store user keys and passphrases cannot be on EVFS volumes. EVFS cannot
access key files stored on an EVFS volume to enable the EVFS volume.
• If there are file systems on EVFS volumes in the /etc/fstab file that you want the system to
mount at system startup, the key database must reside on the local root file system (the system
must be able to access the keys early in the system startup procedure).
• If the private key directory is an NFS-mounted directory, the directory must be mounted with
read and write access so EVFS can re-encrypt the private key file as needed (the NFS server
must not export the directory with the ro flag).
• HP recommends that the base directory be writable only by superusers or users with
appropriate privileges. For example, the /etc/evfs/pkey directory is installed with the
following permissions, owner, and group:

    drwxr-xr-x 4 bin bin 96 Mar 16 17:26 pkey

Default pub_key, priv_key and pass_key attribute statements
The /etc/evfs/evfs.conf file installed with the EVFS product on HP Integrity servers contains
the following pub_key, priv_key, and pass_key attribute statements:
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
These statements configure EVFS to use the libevfs_pkey library to process all user key data
(public keys, private keys, and passphrase files), and to save all user key data in subdirectories
under the /etc/evfs/pkey/users directory (EVFS creates the users subdirectory). If EVFS
cannot access key data in the directory /etc/evfs/pkey, EVFS returns an error.
The /etc/evfs/evfs.conf file installed with the EVFS product on HP 9000 servers contains
equivalent statements, with the HP 9000 libevfs_pkey library,
/usr/lib/evfs/pa20_64/libevfs_pkey.sl.
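The shell function below is an added example, not part of the HP guide or the EVFS product. It checks one key attribute statement against the rules above: a fully qualified pkeydir, no trailing users component, an onfail action of continue or stop, and a base directory that is not group- or world-writable. It assumes a single library[...] term in the form of the default statements; check_key_stmt is a hypothetical name.

```shell
#!/bin/sh
# Added example, not from the HP guide. check_key_stmt is a hypothetical
# helper. Assumes one library[...] term per statement, written in the
# pkeydir:/onfail: form of the default statements shown above.
check_key_stmt() {
    stmt=$(printf '%s' "$1" | tr -d ' \t')   # drop blanks around "="
    rc=0
    case $stmt in
        pub_key=*|priv_key=*|pass_key=*) ;;
        *) echo "FAIL: not a pub_key, priv_key or pass_key statement"; return 2 ;;
    esac
    term=${stmt#*=}
    case $term in
        *\[pkeydir:*,onfail:*\]) ;;
        *) echo "FAIL: expected library[pkeydir:dir,onfail:action]"; return 2 ;;
    esac
    spec=${term#*\[}; spec=${spec%\]}        # pkeydir:DIR,onfail:ACTION
    dir=${spec#pkeydir:}; dir=${dir%%,onfail:*}
    action=${spec##*,onfail:}
    case $dir in
        /*) ;;
        *) echo "FAIL: pkeydir '$dir' is not a fully qualified pathname"; rc=1 ;;
    esac
    case ${dir%/} in                         # EVFS creates users/ itself
        */users) echo "WARN: drop the trailing users component from '$dir'" ;;
    esac
    case $action in
        continue|stop) ;;
        *) echo "FAIL: onfail must be continue or stop, got '$action'"; rc=1 ;;
    esac
    if [ -d "$dir" ]; then
        mode=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxr-xr-x
        case $mode in                        # char 6 = group w, char 9 = other w
            d????w????|d???????w?)
                echo "FAIL: $dir is group- or world-writable ($mode)"; rc=1 ;;
        esac
    else
        echo "NOTE: $dir is not a directory on this host; mode not checked"
    fi
    return $rc
}

# Default pub_key statement from this page (HP Integrity servers).
check_key_stmt 'pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]'
```

The function returns 0 when the statement passes, 1 when a rule fails, and 2 when the statement cannot be parsed. It does not check whether the directory sits on an EVFS volume or on the root file system.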