Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

# evfsfile list /efsmnt/dir1/file1
evfsfile: list error: "/efsmnt/dir1/file1" is not an encrypted file.
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-128-cbc
# evfsfile list /efsmnt/dir2/dir3
EFS directory information:
Data Encryption Cipher: aes-128-cbc
Enabling encryption at the FS and directory level
If encryption is enabled at the FS (mount point) level and on an underlying directory level with a
different cipher, the files created under the directory use the cipher specified at the directory level
rather than at the FS level.
Consider the previous example, where encryption is enabled at the FS level. The /efsmnt/dir2
directory uses the cipher information from /efsmnt. If you change the cipher on the
/efsmnt/dir2 directory and create a new file in that directory, encryption is enabled at both
the FS level and the directory level, as follows:
# evfsfile list /efsmnt
EFS directory information:
Data Encryption Cipher: aes-256-cfb
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-256-cfb
# evfsfile set -c aes-192-cfb /efsmnt/dir2
# touch /efsmnt/dir2/file4
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-192-cfb
# evfsfile list /efsmnt/dir2/file4
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-192-cfb
Owner Key ID: efsuser.efsuser
Group Key ID: efsgroup.efsgroup
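Added example (not part of the HP guide): a shell function that classifies each path in captured evfsfile list output as matching an expected cipher, using a different cipher, or not encrypted, which is how a directory-level override such as the one on /efsmnt/dir2 shows up in an audit. The names audit_evfs_listing and sample_transcript, the expected-cipher argument, and the constructed transcript are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the HP guide. audit_evfs_listing and
# sample_transcript are hypothetical helper names.

# Reads captured `evfsfile list` output on stdin and prints
# "<status> <path> <cipher>" for each listed path.
# $1 = cipher the site policy expects (an assumption of this example).
audit_evfs_listing() {
    awk -v want="$1" '
        function emit() {
            if (path == "") return
            if (cipher != "")  status = (cipher == want) ? "OK" : "MISMATCH"
            else if (plain)    status = "UNENCRYPTED"
            else               status = "UNKNOWN"   # no recognised output
            print status, path, (cipher == "" ? "-" : cipher)
            path = ""; cipher = ""; plain = 0
        }
        # A prompt line "# evfsfile list <path>" starts a new record.
        # Assumes paths contain no whitespace.
        $1 == "#" && $2 == "evfsfile" && $3 == "list" { emit(); path = $4; next }
        /is not an encrypted file/ { plain = 1; next }
        # Matches the cipher on its own line or after the header text.
        /Data Encryption Cipher:/  { cipher = $NF; next }
        END { emit() }
    '
}

# Constructed transcript, built from the output forms shown in this guide.
sample_transcript() {
    cat <<'EOF'
# evfsfile list /efsmnt/dir1/file1
evfsfile: list error: "/efsmnt/dir1/file1" is not an encrypted file.
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-192-cfb
# evfsfile list /efsmnt/dir2/file4
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-192-cfb
Owner Key ID: efsuser.efsuser
Group Key ID: efsgroup.efsgroup
# evfsfile list /efsmnt
EFS directory information:
Data Encryption Cipher: aes-256-cfb
EOF
}

sample_transcript | audit_evfs_listing aes-256-cfb
```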
Disabling a directory or FS for encryption
As with enabling encryption, use the evfsfile command to disable encryption on an FS or
directory that is enabled for encryption. The syntax for disabling encryption is as follows:
# evfsfile set -d efs_dir
efs_dir    Specifies an EFS directory that is enabled for encryption. It can be a mount point, to
           disable encryption at the FS level, or an underlying directory, to explicitly disable
           encryption.
Disabling encryption at the FS level
In this example, the EFS is mounted on the /efsmnt directory and enabled for encryption.
Directories /efsmnt/dir1 and /efsmnt/dir2 are created after enabling the /efsmnt directory
for encryption. Note that the directories /efsmnt/dir1 and /efsmnt/dir2 still contain
encryption parameters after the FS is disabled for encryption. Existing files (encrypted or
unencrypted) do not change when encryption is enabled or disabled.
# evfsfile list /efsmnt
EFS directory information:
Data Encryption Cipher: aes-192-cfb
# evfsfile list /efsmnt/dir1
EFS directory information:
Data Encryption Cipher: aes-192-cfb
# evfsfile list /efsmnt/dir2
EFS directory information:
Data Encryption Cipher: aes-192-cfb
Disable the encryption at the FS level as follows: