Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
Data Encryption Cipher: aes-128-cbc
Owner Key ID: usera.usera
Example 2
If the new owner does not have a key, the chown wrapper command fails to change the owner
of an encrypted file:
# ll filea
-rw-rw-rw- 1 usera users 15 Jul 30 15:40 filea
# evfspkey lookup -u userb
evfspkey: lookup error: user key pair "userb.userb" does not exist.
# chown userb filea
chown: error: cannot retrieve public key "userb.userb", key loading failure
Example 3
User jsmith changes the group of an encrypted file using the chgrp wrapper command:
# ll file1
-rw-rw-rw- 1 jsmith users 5 Jul 30 17:09 file1
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Group Key ID: users.users
# evfspkey lookup -g newgrp
Key ID: newgrp.newgrp
Key Cipher: rsa-1536
Key Fingerprint: f3:8b:15:c2:15:b8:d7:e1:b6:04:1d: \
db:54:ad:93:61:53:f1:f1:ed
# chgrp newgrp file1
# ll file1
-rw-rw-rw- 1 jsmith newgrp 5 Jul 30 17:09 file1
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
Group Key ID: newgrp.newgrp
Example 4
The chgrp wrapper command fails to change the group of an encrypted file if the new group
does not have a key pair:
# evfspkey lookup -g grp1
evfspkey: lookup error: group key pair "grp1.grp1" does not exist.
# chgrp grp1 file1
chgrp: error: cannot retrieve public key "grp1.grp1", key loading failure
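The shell functions below are an added example, not part of the HP guide. They combine the lookups from Examples 3 and 4: confirm that the new group has a key pair before calling the chgrp wrapper, then confirm that the file's Group Key ID changed. The function names are hypothetical, and the parsing assumes the evfspkey and evfsfile output layout shown above.

```shell
#!/bin/sh
# Added example: pre-check and post-verify around the EVFS chgrp wrapper.
# Assumption: evfspkey/evfsfile print the "Key ID:" and "Group Key ID:"
# lines exactly as in the guide's sample output. Function names are made up.

# Print the Key ID reported by `evfspkey lookup`, or nothing if no key exists.
evfs_key_id() {          # $1 = -u or -g, $2 = user or group name
    evfspkey lookup "$1" "$2" 2>/dev/null | sed -n 's/^Key ID:[[:space:]]*//p'
}

# Print one field ("Owner Key ID", "Group Key ID", ...) from `evfsfile list`.
evfs_file_field() {      # $1 = file, $2 = field label
    evfsfile list "$1" 2>/dev/null | sed -n "s/^$2:[[:space:]]*//p"
}

# Change the group of encrypted files only when the group key pair exists,
# then verify each file's EVFS metadata now names that key.
# Returns 0 = all verified, 1 = a chgrp failed or metadata mismatched,
#         2 = the group has no key pair (nothing was changed).
evfs_safe_chgrp() {      # $1 = new group, $2... = files
    grp=$1; shift
    want=$(evfs_key_id -g "$grp")
    if [ -z "$want" ]; then
        echo "skip: group \"$grp\" has no EVFS key pair" >&2
        return 2
    fi
    rc=0
    for f in "$@"; do
        chgrp "$grp" "$f" || { rc=1; continue; }
        got=$(evfs_file_field "$f" "Group Key ID")
        if [ "$got" != "$want" ]; then
            echo "mismatch: $f has Group Key ID \"$got\", expected \"$want\"" >&2
            rc=1
        fi
    done
    return $rc
}
```

Source the file and run, for example, `evfs_safe_chgrp newgrp file1`. A return value of 2 corresponds to the failure shown in Example 4, caught before any file is touched.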
The mv command
The mv wrapper command prevents unintended decryption of encrypted files. You can use this
wrapper command to rename a file or a directory within a directory or to relocate a file within a
file system or across different file systems with some restrictions.
An encrypted file cannot be moved to a directory which is not configured for encryption, and a
cleartext file cannot be moved to a directory which is configured for encryption. Using the evfsxfr
command with the mv wrapper command bypasses this restriction: with it, you can move an
encrypted file to a directory which is not configured for encryption, or vice versa.
Renaming a cleartext file or an encrypted file (for example, moving within the same directory) is
allowed. When in a secure session, the root user or the file owner can move an encrypted file
across different file systems.