Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX Encrypted Volume and File System Software

111

112

113

114

115

116

117

118

119

120

# evfsfile list /efsmnt/file1

EFS file information:

EMD Size (Kbytes): 4

Data Encryption Cipher: aes-128-cbc

Owner Key ID: root.root

Group Key ID: sys.sys

Recovery Key ID: evfs.efs

5. Change the encryption key with a different cipher:

# evfsfile rekey -c aes-256-cfb /efsmnt/file1

Successfully changed the file encryption key

6. List the encryption attributes on the /efsmnt/file1 file:

# evfsfile list /efsmnt/file1

EFS file information:

EMD Size (Kbytes): 4

Data Encryption Cipher: aes-256-cfb

Owner Key ID: root.root

Group Key ID: sys.sys

Recovery Key ID: evfs.efs

Cipher precedence

For the evfsfile encrypt and the evfsfile rekey commands, if the cipher option (-c) is

not specified, the order in which to find the cipher is as follows:

1. If encryption is enabled for the directory, the command uses the cipher specified for the

directory.

2. If encryption is enabled for the mount point directory, the command uses the cipher that is set

at the mount point.

3. Otherwise, the command uses the default file_cipher parameter in the

/etc/evfs/evfs.conf file.

Using the evfsxfr command

CAUTION: The evfsxfr command must be used with caution. It exposes the encrypted file in

its raw form and any changes, intentional or unintentional, can corrupt the file and make it

unreadable.

For example, if the following command was issued in an encrypted directory:

# evfsxfr ls -l > OUT

The OUT result file is a corrupted file with an output of ls –l imbedded in the EMD. This command

must always be used in read-only or while restoring the backup data.

The evfsxfr command is mainly used for the following functions:

• Transfer encrypted files, such as backup and restore

• Display the actual size of a file

• Bypass encrypted file restrictions (see “The EVFS wrapper commands” (page 120))

If the encrypted file is already open for normal access, evfsxfr cannot be used to access the

open encrypted file. Conversely, if the encrypted file is already open with evfsxfr access, normal

access to the file is denied.

Examples

The following command backs up the DIR directory in encrypted form:

# evfsxfr tar cvf DIR.tar DIR

The evfsxfr command can be used to display the actual size of the file:

Using the evfsxfr command 117