Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

EVFS supports only the user's primary group key. After a key pair is created for a group configured
in the system, the group access is implicitly added to the key records of the users who have this
group as their primary group (for example, the group ID is configured in the user account entry in
the /etc/passwd file or in a remote data repository such as NIS or LDAP).
If a user has access to the primary group key (that is, the group access key has been added to the
user's key record), the file encryption key is encrypted with both the user's public key and the primary
group public key. As a result, other users who also have access to the same primary group key
can decrypt the file encryption key with the group's private key, and thus decrypt the file.
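The sharing model described above, as an added example that is not part of this guide and not EVFS's own implementation: a random file encryption key (FEK) protects the file body, and a copy of the FEK is wrapped to each public key that may read it (the owner's user key and the owner's primary group key). Anyone whose key record carries the group access key, and so can use the group's private key, unwraps the FEK; anyone holding neither key cannot. The RSA-OAEP/AES-GCM choice, the `user:`/`group:` labels and the principals alice, dev and carol are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// wrappedFEK is the file encryption key encrypted to one principal's public key.
// holder is a constructed label such as "user:alice" or "group:dev" (assumption).
type wrappedFEK struct {
	holder string
	blob   []byte
}

// fileRecord models an encrypted file plus its metadata: the body encrypted under
// the FEK, and one wrapped copy of the FEK per principal allowed to read it.
type fileRecord struct {
	wrapped    []wrappedFEK
	nonce      []byte
	ciphertext []byte
}

func newKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// encryptFile draws a fresh FEK, encrypts the body with AES-256-GCM and wraps the FEK
// with RSA-OAEP to every recipient: the owner's user key and the owner's primary group key.
func encryptFile(plaintext []byte, recipients map[string]*rsa.PublicKey) (*fileRecord, error) {
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rec := &fileRecord{nonce: nonce, ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for label, pub := range recipients {
		blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, []byte(label))
		if err != nil {
			return nil, err
		}
		rec.wrapped = append(rec.wrapped, wrappedFEK{holder: label, blob: blob})
	}
	return rec, nil
}

// decryptFile unwraps the FEK with whichever private key the caller holds (own user key,
// or the group private key loaded at login) and decrypts the body. With neither key the
// FEK stays sealed and the file is unreadable.
func decryptFile(rec *fileRecord, held map[string]*rsa.PrivateKey) ([]byte, error) {
	for _, w := range rec.wrapped {
		priv, ok := held[w.holder]
		if !ok {
			continue
		}
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w.blob, []byte(w.holder))
		if err != nil {
			continue
		}
		block, err := aes.NewCipher(fek)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, rec.nonce, rec.ciphertext, nil)
	}
	return nil, errors.New("no usable key: not the owner and no access to the group key")
}

func main() {
	alice, dev, carol := newKeyPair(), newKeyPair(), newKeyPair()
	rec, err := encryptFile([]byte("constructed file body"), map[string]*rsa.PublicKey{
		"user:alice": &alice.PublicKey, "group:dev": &dev.PublicKey})
	if err != nil {
		panic(err)
	}
	// bob's key record carries the dev group access key, so he can use dev's private key.
	body, err := decryptFile(rec, map[string]*rsa.PrivateKey{"group:dev": dev})
	fmt.Println("bob (group member):", string(body), err)
	// carol has only her own user key and is not a dev member.
	_, err = decryptFile(rec, map[string]*rsa.PrivateKey{"user:carol": carol})
	fmt.Println("carol (not a member):", err)
}
```

The point to take from the model is that revoking a member's access (removing the group access key from their key record) stops them loading the group private key at login, but it does not re-wrap files already encrypted; a member who has already copied the group private key elsewhere keeps whatever they copied, which is why deleting a group key, as described later in this chapter, is the complete form of revocation.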
Creating a group
When a group is created, the key manager has to create a group key for this group so that its
members can share encrypted files. The group access key, which grants members access to the
group key, is automatically added to the key records of the group members that have this group as
their primary group and already have a user key. See “Creating a group key” (page 139).
Adding a group member
If a user does not have a user key when their primary group key is created, or if the user is newly
added after their primary group key is created, the key manager has to explicitly grant the user
access to the group key by running the evfspkey add command. See “Key manager operations”
(page 142).
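Which users get the group access key implicitly, and which ones the key manager must add by hand, follows from the two rules above: the group must be the user's primary group (the GID field of the passwd entry; supplementary membership listed in /etc/group does not count, since only the primary group key is supported), and the user must already have a user key. The following is an added example, not part of this guide or of EVFS, that applies those rules to constructed passwd and group data; the sample accounts and the set of users assumed to have a user key are made up for the illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample account data (not from any real system). The primary group is the
// fourth field of a passwd entry; dev (GID 200) also lists carol as a supplementary
// member, which EVFS ignores because it supports only the primary group key.
const samplePasswd = `alice:x:1001:200:Alice:/home/alice:/bin/sh
bob:x:1002:200:Bob:/home/bob:/bin/sh
carol:x:1003:300:Carol:/home/carol:/bin/sh
dave:x:1004:200:Dave:/home/dave:/bin/sh
`

const sampleGroup = `dev:x:200:carol
ops:x:300:
`

// Account is the part of a passwd entry that matters here: login name and primary GID.
type Account struct {
	Name string
	GID  int
}

// parsePasswd reads passwd-format text into Accounts.
func parsePasswd(text string) ([]Account, error) {
	var accounts []Account
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(line, ":")
		if len(f) < 4 {
			return nil, fmt.Errorf("malformed passwd entry: %q", line)
		}
		gid, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("bad GID in %q: %v", line, err)
		}
		accounts = append(accounts, Account{Name: f[0], GID: gid})
	}
	return accounts, nil
}

// parseGroup maps group names to GIDs from group-format text; the member list is ignored.
func parseGroup(text string) (map[string]int, error) {
	gids := make(map[string]int)
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(line, ":")
		if len(f) < 3 {
			return nil, fmt.Errorf("malformed group entry: %q", line)
		}
		gid, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, fmt.Errorf("bad GID in %q: %v", line, err)
		}
		gids[f[0]] = gid
	}
	return gids, nil
}

// implicitGrants splits the users whose primary group is `group` into those whose key
// records receive the group access key automatically when the group key is created
// (they already have a user key) and those the key manager must still add with
// `evfspkey add` (no user key yet). hasUserKey is a constructed set for the example.
func implicitGrants(accounts []Account, gids map[string]int, group string,
	hasUserKey map[string]bool) (granted, pending []string, err error) {
	gid, ok := gids[group]
	if !ok {
		return nil, nil, fmt.Errorf("group %q is not configured on the system", group)
	}
	for _, a := range accounts {
		if a.GID != gid {
			continue // not the primary group: supplementary membership does not count
		}
		if hasUserKey[a.Name] {
			granted = append(granted, a.Name)
		} else {
			pending = append(pending, a.Name)
		}
	}
	return granted, pending, nil
}

func main() {
	accounts, err := parsePasswd(samplePasswd)
	if err != nil {
		panic(err)
	}
	gids, err := parseGroup(sampleGroup)
	if err != nil {
		panic(err)
	}
	hasUserKey := map[string]bool{"alice": true, "bob": true, "carol": true}
	granted, pending, err := implicitGrants(accounts, gids, "dev", hasUserKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("group access key added implicitly:", granted)
	fmt.Println("still need an explicit evfspkey add:", pending)
}
```

Running it lists alice and bob as granted and dave as pending; carol does not appear at all, because her primary group is ops, even though /etc/group names her as a dev member.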
Deleting a group
When a group is deleted, its group key must be deleted so that group members no longer share
encrypted files. If the system administrator uses the EFS version of groupdel (in /opt/evfs/bin)
to delete the group, the group key is automatically deleted. Otherwise, after deleting a group, the
key manager has to run evfspkey delete to delete the group key. The group access key is
implicitly removed from all of the group members’ key records. See “Deleting a group key”
(page 141).
Removing a group member
If a user is no longer a group member, the key manager can explicitly remove the group access
key from the user's key record by running the evfspkey delete -u <username> -g
<groupname> command. See “Key manager operations” (page 142).
Changing group
When a user logs into EFS, if the group key exists, the key of the primary group configured in the
user's account is loaded. The newgrp command does not cause any changes.
File conversion operations
This section describes the conversion of an existing cleartext file to encrypted file, the conversion
of an encrypted file to a cleartext file, and how to change the file encryption key of an encrypted
file.
EVFS v2.1 supports only offline data conversion, meaning that the file to be converted should not
be accessed during the process, until the conversion is complete. In the case that the conversion
is interrupted (or suspended), the process cannot be completed. In that case, the conversion process
must be restarted from the beginning by invoking the command once more.
This operation requires that the file system have enough free space: each original file needs an
additional 4K bytes, the size of the file's Encryption Meta Data.
Converting a cleartext file to an encrypted file
The syntax for converting a cleartext file to an encrypted file is as follows: