Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
is prompted to enter the aforementioned passphrase, and also requested to change the
passphrase.
The system administrator or key manager can create a key pair for another user by
specifying the user name with the -u <username> option together with the -s option. When the
-s option is specified, keygen automatically generates a random passphrase to protect the
private key and stores it in a designated file, so the system administrator or key manager does
not need to share the passphrase with the user. When the user then runs the evfsauth login
command to log into EFS, the stored passphrase is read from the file, the user is forced to
change it, and the file is removed. This gives the system administrator or key manager an easy
way to manage user keys. Alternatively, the user can change the passphrase with the
evfspkey passgen command.
Example 1
In this example, the system administrator creates a key pair for the testuser user using the
-s option:
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfspkey keygen -s -u testuser
Public/Private key pair "testuser.testuser" has been successfully generated.
When the user logs into EFS, the user has to change the passphrase as follows:
# id
uid=110(testuser) gid=20(users)
# evfsauth login
evfsauth: login warning: you have a stored passphrase.
You need to reset EFS passphrase.
Enter new passphrase:
Re-enter new passphrase:
Do you still want to store the passphrase in a file?
Answer [yes/no]:no
[Passphrase store file is deleted.]
For security reasons, you should answer no unless the system administrator has to run
applications on your behalf and requires your passphrase. With a stored passphrase, the
root user can access your encrypted files.
Example 2
In this example, the system administrator creates a key pair for the testuser user:
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfspkey keygen -u testuser
Enter passphrase:
Re-enter passphrase:
Public/Private key pair "testuser.testuser" has been successfully generated
3. The user explicitly (for example, the key owner).
A user can create their own key pair before logging into EFS. The user is prompted to enter
a passphrase to protect the key pair, and the same passphrase is requested whenever the
user needs to access the key pair (for example, when logging into EFS). For example:
# id
uid=110(testuser) gid=20(users)
# evfspkey keygen
Enter passphrase:
Re-enter passphrase:
Public/Private key pair "testuser.testuser" has been successfully generated
Exception
Since the key manager has a special role in EFS, the key manager's passphrase that is used to
protect the key pair should not be shared with the system administrator. The key manager is also
Managing a user key 133