Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

Enabling encryption at the FS level
Encryption can be enabled at the FS level by setting encryption parameters at the EFS mount point.
All new files and directories use the encryption parameters set at the mount point.
Existing files remain in cleartext and are not affected by this operation.
In this example, an EFS is created and mounted on the /efsmnt directory. Encryption is not yet
enabled, and the FS contains the file file1 and the directory dir1:
# ls /efsmnt
-rwxr-x--- efs_user efs_group file1
drwxr-x--- efs_user efs_group dir1
# evfsfile list /efsmnt/file1
evfsfile: list error: "/efsmnt/file1" is not an encrypted file.
# evfsfile list /efsmnt/dir1
evfsfile: list error: "/efsmnt/dir1" is not enabled for encryption.
NOTE: The ls command is not EVFS aware. Therefore, it does not show whether the file or
directory is enabled for encryption. You must use the evfsfile list sub-command to list the
encryption parameters on an EFS directory or file.
The /efsmnt directory is enabled for encryption and the cipher is set to aes-256-cfb, as follows:
# evfsfile set -c aes-256-cfb /efsmnt
EFS configuration parameters has been successfully set
# mkdir /efsmnt/dir2
# touch /efsmnt/dir1/file2
# evfsfile list /efsmnt/file1
evfsfile: list error: "/efsmnt/file1" is not an encrypted file.
# evfsfile list /efsmnt/dir1
evfsfile: list error: "/efsmnt/dir1" is not enabled for encryption.
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-256-cfb
# evfsfile list /efsmnt/dir1/file2
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-256-cfb
Owner Key ID: efsuser.efsuser
Group Key ID: efsgroup.efsgroup
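Because ls is not EVFS aware and files that existed before encryption was enabled stay in cleartext, finding what is still unencrypted under a mount point means running evfsfile list on each object. The shell functions below are an added example, not part of the original guide: the function names are hypothetical, the message strings matched are the ones shown in the sessions above, and it is assumed that list errors may be written to stderr.

```sh
#!/bin/sh
# Added example: audit an EFS tree for objects that are still cleartext.
# Function names are hypothetical; message strings are those shown in the guide.

# Read `evfsfile list` output on stdin and print one status word
# (plus the cipher for encrypted objects).
classify_evfs_list() {
    awk '
        /is not an encrypted file\./          { state = "cleartext-file" }
        /is not enabled for encryption\./     { state = "cleartext-dir" }
        /^EFS (file|directory) information:/  { state = "encrypted" }
        /^Data Encryption Cipher:/            { cipher = $NF }
        END {
            if (state == "") state = "unknown"
            if (state == "encrypted" && cipher != "") print state, cipher
            else print state
        }'
}

# Walk one file system (-xdev) and print "<status><TAB><path>" per object.
# Assumption: list errors may be written to stderr, so both streams are read.
audit_efs_tree() {
    find "$1" -xdev \( -type f -o -type d \) -print |
    while IFS= read -r path; do
        status=$(evfsfile list "$path" 2>&1 | classify_evfs_list)
        printf '%s\t%s\n' "$status" "$path"
    done
}

# Number of regular files under the tree that evfsfile reports as cleartext.
count_cleartext_files() {
    audit_efs_tree "$1" |
    awk -F '\t' '$1 == "cleartext-file" { n++ } END { print n + 0 }'
}
```

On a host with EVFS installed, `audit_efs_tree /efsmnt` prints one status line per file and directory, and `count_cleartext_files /efsmnt` gives the number of files still stored in cleartext.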

Enabling encryption at the directory level
When a directory is enabled for encryption, all new files and directories created in this directory
use the properties from this directory. Existing directories and files are not changed.
In this example, the EFS is created and mounted on the /efsmnt directory. Before encryption is
enabled, the /efsmnt/dir1 and /efsmnt/dir2 directories exist:
# evfsfile list /efsmnt/dir1
evfsfile: list error: "/efsmnt/dir1" is not enabled for encryption.
# evfsfile list /efsmnt/dir2
evfsfile: list error: "/efsmnt/dir2" is not enabled for encryption.
# evfsfile set /efsmnt/dir2
EFS configuration parameters has been successfully set
# touch /efsmnt/dir1/file1
# touch /efsmnt/dir2/file2
# mkdir /efsmnt/dir2/dir3
# evfsfile list /efsmnt/dir1
evfsfile: list error: "/efsmnt/dir1" is not enabled for encryption.