Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
Changing the file permissions
Use the HP-UX chmod command to change the mode bits (user and group access permissions) on
an encrypted file. You must have valid DAC permission to change the mode bits. You do not
need to be in a secure session to perform this operation.
Changing the file owner/group
You must be in a secure session to change the owner/group on an encrypted file. Only the owner
of the file can change the owner/group permissions of an encrypted file. The EFS-enabled chown
command can be used on encrypted files to change owner/group permissions.
File encryption attributes
An Encrypted File System (EFS) can contain both encrypted and cleartext (not encrypted) files. By
default, encryption is not enabled on an EFS.
You can use the evfsfile command to manage the encrypted files and directory, as follows:
• Enable a directory or file system for encryption
• Disable a directory or file system for encryption
• List file or directory encryption attributes
• Perform file conversion operations
A directory in an EFS can be enabled or disabled for encryption. When a directory is enabled for
encryption, all of the new files created under that directory are encrypted. EVFS supports only
encryption of regular files.
For more information, see evfsfile(1).
Enabling a directory or a file system for encryption
When an EFS is first created and mounted on a directory, any new files created are not encrypted
by default. You can enable the file encryption at two different levels:
• The directory level
• The file system (FS) level (or mount point)
Use the evfsfile command to enable the file encryption. You can also use the evfsfile
command to change the encryption parameters on an EFS directory, but directories themselves
can never be encrypted.
When a directory is enabled and configured for encryption, all new files and directories created
in that directory use the encryption parameters defined for that directory. Encryption parameters
for all existing files, directories, and sub-directories are not changed.
When a FS (mount point) is enabled and configured for encryption, all new files and directories
created in this FS use the encryption parameters from the mount point, unless they are overridden
by the encryption parameters in the current directory. Encryption parameters for all existing files,
directories, and sub-directories are not changed.
You can enable the directory for encryption as follows:
# evfsfile set [-c cipher] directory
The default cipher to create encrypted files on PA is aes-128-cfb and on IA it is aes-128-cbc,
as specified in the evfs.conf file. When the cipher value is not specified, the default value is
used.
The valid cipher values are aes-128-cfb, aes-192-cfb, and aes-256-cfb. On IA,
aes-128-cbc, aes-192-cbc, and aes-256-cbc are also valid.
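As an added example (not part of this guide), the following POSIX shell wrapper applies the cipher rules above as a pre-flight check before an administrator runs evfsfile set: it selects the platform default cipher when none is given, rejects the cbc ciphers on PA, and prints the exact command so it can be reviewed before being run as root. Detecting the platform from uname -m ("ia64" for IA, "9000/..." for PA) is an assumption.

```shell
#!/bin/sh
# Added example: validate the evfsfile cipher choice per platform before
# enabling encryption on a directory. Not part of the EVFS product itself.

# Map uname -m to the guide's platform names (assumed values).
evfs_platform() {
    case "$(uname -m)" in
        ia64)   echo IA ;;
        9000/*) echo PA ;;
        *)      echo UNKNOWN ;;
    esac
}

# Default cipher from evfs.conf as documented: cfb on PA, cbc on IA.
evfs_default_cipher() {
    case "$1" in
        IA) echo aes-128-cbc ;;
        PA) echo aes-128-cfb ;;
        *)  return 1 ;;
    esac
}

# Exit 0 if the cipher is valid on the given platform, 1 otherwise.
# The cfb modes are valid everywhere; the cbc modes only on IA.
evfs_cipher_valid() {
    platform=$1; cipher=$2
    case "$cipher" in
        aes-128-cfb|aes-192-cfb|aes-256-cfb) return 0 ;;
        aes-128-cbc|aes-192-cbc|aes-256-cbc) [ "$platform" = IA ] ;;
        *) return 1 ;;
    esac
}

# Print the evfsfile command that would enable encryption on a directory.
# Usage: evfs_set_command PLATFORM DIR [CIPHER]
evfs_set_command() {
    platform=$1; dir=$2; cipher=$3
    if [ -z "$cipher" ]; then
        cipher=$(evfs_default_cipher "$platform") || {
            echo "unknown platform: $platform" >&2; return 1; }
    fi
    evfs_cipher_valid "$platform" "$cipher" || {
        echo "cipher $cipher is not valid on $platform" >&2; return 1; }
    echo "evfsfile set -c $cipher $dir"
}

# Typical use on an HP-UX host (review the output, then run it as root):
#   evfs_set_command "$(evfs_platform)" /data/secret aes-256-cfb
```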