Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

The EVFS wrapper commands
EVFS provides wrapper commands to facilitate user/group encrypted data access and prevent
unintended decryption of encrypted files. These wrapper commands behave like
the corresponding HP-UX commands, except for the restrictions described in this section.
EVFS wrapper commands are located in /opt/evfs/bin. When you enter a secure session with
evfsauth (see “Using a secure session” (page 108)), this path is automatically added to the
beginning of the PATH shell variable. As a result, you can issue these commands without using
the full path.
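The wrapper only takes effect if it is the first match on PATH, so the following added example (not part of the HP guide) checks which directory a command would actually be run from. The function names and the EVFS_BIN override variable are assumptions made for this sketch; /opt/evfs/bin and cp come from the text above.

```shell
#!/bin/sh
# Added example: confirm a command resolves to the EVFS wrapper directory.
EVFS_BIN="${EVFS_BIN:-/opt/evfs/bin}"   # wrapper directory named in the guide

# first_hit CMD PATHSTRING: print the first directory in PATHSTRING holding an
# executable file named CMD (the one the shell would run); return 1 if none.
first_hit() {
    cmd=$1
    old_ifs=$IFS
    IFS=:
    set -f                                  # no globbing while splitting
    for dir in $2; do
        [ -z "$dir" ] && dir=.              # empty PATH entry means cwd
        case $dir in ?*/) dir=${dir%/} ;; esac
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$dir"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# check_wrappers PATHSTRING CMD...: one status line per command; returns
# non-zero if any command would run from outside $EVFS_BIN.
check_wrappers() {
    search=$1; shift
    bad=0
    for name in "$@"; do
        if hit=$(first_hit "$name" "$search"); then
            if [ "$hit" = "$EVFS_BIN" ]; then
                echo "ok       $name -> $hit/$name"
            else
                echo "SHADOWED $name -> $hit/$name (not the EVFS wrapper)"
                bad=1
            fi
        else
            echo "MISSING  $name is not on this PATH"
            bad=1
        fi
    done
    return $bad
}

# Check the current shell, for example right after "evfsauth login".
check_wrappers "$PATH" cp || echo "cp is not the EVFS wrapper here" >&2
```

The check covers PATH lookup only; shell aliases, functions, and commands invoked by absolute path are resolved differently and need their own review.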
The cp command
The cp wrapper command prevents unintended decryption of encrypted files. It copies a file within
a directory, within a file system, or across different file systems with some restrictions. The cp
wrapper command does not support the -r and -R options. Therefore, the source cannot be a
directory.
When you are in a secure session, the cp wrapper command succeeds if the destination directory
is configured for encryption (if the source file is clear, the target file becomes encrypted). This
command fails if the source file is an encrypted file and the destination directory is not configured
for encryption. Using the evfsxfr command with this wrapper bypasses this restriction (see
“Using the evfsxfr command” (page 117)). When you run the evfsxfr command with the cp
wrapper, the file is copied as is without any data transformation.
If the source file is already encrypted, the encrypted form of the file will be copied to the
destination. As a result, unless the target file is in an EFS file system and you are in a secure
session, you cannot access the file.
If the source is a clear file, the clear form of the file is copied to the destination whether the
directory is enabled for encryption or not. You can create a clear file in an EFS-enabled
directory.
The following table shows the restrictions for the cp wrapper command:

                                                   Destination Directory Encryption:
Session              evfsxfr    Source             Configured    Not Configured
All                  With       All                Allowed       Allowed
Secure session       Without    Encrypted file     Allowed       No
Secure session       Without    Clear file         Allowed       Allowed
Non-secure session   Without    Encrypted file     No            No
Non-secure session   Without    Clear file         No            Allowed

Example 1
In this example, user jsmith enters a secure session and successfully copies an encrypted file to
a directory configured for encryption, but fails to copy the encrypted file to a regular directory
(that is, one that is not configured for encryption):
# evfsauth login
Enter your key passphrase:
You are entering in a secure session. Use "exit" to end the session.
# which cp
/opt/evfs/bin/cp
# echo this is a test > file1
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith