Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

To start the Oracle database during system boot, the Oracle startup script typically contains the
following entry, which starts the database automatically as user $ORACLE:
# su $ORACLE -c "$ORACLE_HOME/bin/dbstart $ORACLE_HOME"
If the database files are encrypted with EVFS (configured in EFS mode), the Oracle database must
be started with the evfsrun command so that it can access, in cleartext, the database files created by user
$ORACLE. This requires that the stored passphrase of user $ORACLE exist:
# evfsrun su $ORACLE -c "$ORACLE_HOME/bin/dbstart $ORACLE_HOME"
The EFS recovery key
The EFS recovery key is optional and is not enabled by default. To enable it, the system
administrator must both configure the recovery key name and create the recovery key.
To configure the recovery key name, uncomment the line #efs_recovery_keyname =
efs_recovery_key_name in the /etc/evfs/evfs.conf file and set the efs_recovery_keyname
configuration parameter to the recovery key name. The EFS recovery key is loaded into the
kernel when the EVFS subsystem starts (through the evfsadm start command), or it can be
loaded with the evfspkey loadkey -r command if EVFS is already started. Once the
recovery key is loaded into the kernel, all newly created encrypted files carry the EFS recovery
key information.
If the user key (or group key) for an encrypted file is lost or corrupted, the recovery
key can be used with the evfsfile assign command to assign a new user key in the
EMD for the file, so that the user can access the file data in cleartext with the new key.
Only the owner of an encrypted file can add or replace the recovery key for that file.
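As an added example that is not part of the HP guide, the following POSIX shell functions audit an evfs.conf-style file for an active efs_recovery_keyname setting and distinguish the commented-out default from an enabled line. The sample configuration contents are constructed for the example, and the function names are my own, not EVFS commands.

```shell
# Added example (not from the EVFS guide): check whether the EFS recovery key
# name is configured in an evfs.conf-style file read on standard input.

# Print the configured recovery key name, or nothing if every
# efs_recovery_keyname line is commented out or absent.
# An uncommented "efs_recovery_keyname = name" line is matched, with
# optional surrounding whitespace; a trailing "# comment" is ignored.
efs_recovery_keyname() {
    sed -n 's/^[[:space:]]*efs_recovery_keyname[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        | tail -n 1
}

# Return 0 (true) if a recovery key name is configured, 1 otherwise.
# Argument: the configuration text.
efs_recovery_configured() {
    [ -n "$(printf '%s\n' "$1" | efs_recovery_keyname)" ]
}

# Constructed sample: the shipped default, recovery key disabled.
SAMPLE_DEFAULT='# Default: recovery key not enabled
#efs_recovery_keyname = efs_recovery_key_name'

# Constructed sample: recovery key name set to "efs", as in Example 1.
SAMPLE_ENABLED='# Recovery key enabled
efs_recovery_keyname = efs   # name used with evfspkey keygen -r -k'

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_ENABLED"; do
    if efs_recovery_configured "$sample"; then
        echo "recovery key configured: $(printf '%s\n' "$sample" | efs_recovery_keyname)"
    else
        echo "recovery key not configured"
    fi
done
```

On a real system, feed the live file with `efs_recovery_keyname < /etc/evfs/evfs.conf`; a configured name only means the parameter is set, so the key must still exist and be loaded with evfspkey loadkey -r (or at evfsadm start) before new files carry recovery key information.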
Example 1
You can create or load a recovery key, as follows:
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfspkey keygen -r -k efs
Enter recovery passphrase:
Re-enter recovery passphrase:
Public/Private key pair "evfs.efs" has been successfully generated.
/* uncomment the line in /etc/evfs/evfs.conf and set recovery key name */
efs_recovery_keyname = efs
/* load key when efs_recovery_keyname specified in evfs.conf file */
# evfspkey loadkey -r
Recovery key "evfs.efs" has been loaded into the kernel successfully.
/* All the newly created encrypted files from this point will have recovery key. */
Example 2
In this example, the root user adds the recovery key evfs.efs to the encrypted file file1, which
was created before the recovery key was loaded:
# ll file1
-rw-rw-rw- 1 jsmith users 44 Aug 3 07:48 file1
/* The encrypted file file1 does not have a recovery key because it was created before */
/* the recovery key was loaded into the kernel. */
# evfsfile list file1
EFS file information:
EMD Size (Kbytes): 4
Data Encryption Cipher: aes-128-cbc
Owner Key ID: jsmith.jsmith
/* User jsmith is in a secure session with an EFS recovery key. */
# evfsauth display
User key:
Key name: jsmith.jsmith
128 Using EFS