Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

not allowed to enter an EFS secure session. To create a key manager key, the user configured
as the key manager (see key_manager in the /etc/evfs/evfs.conf file) must log into the
system and run the evfspkey keygen command.
The following options are allowed only by the system administrator or the key manager:
-u <username> Specifies the user name (that is, the key owner).
-r Specifies the recovery key.
See evfspkey for detailed information on their usage.
The following options are allowed by the system administrator, the key manager, and regular
users:
-c Specifies the type of key to generate.
-k <keyname> Specifies the key name.
-p Creates a passphrase and stores it in a file.
-s Generates a random passphrase and stores it in a file.
-m <keywrap> Specifies the keywrap algorithm to override the keywrap parameter in the
/etc/evfs/evfs.conf file.
By default, the key name is the same as the user name. Even though it is possible for a user to
create multiple keys with different key names, when the user logs into EFS using the evfsauth
login command, EFS always loads the key with the default key name. Therefore, to use EFS, a
user must have a key with the default key name (for example, a key created without the
-k <keyname> option, so that the key name is the same as the user name).
Although a non-root user is allowed to store the passphrase in a file, the stored passphrase is not
used when the user logs into EFS. It is intended for system startup without manual intervention when
the passphrase is needed. The evfsauth login command always prompts for the passphrase,
whether the stored passphrase file exists or not.
Therefore, a user that intends to enter a secure session should not generate a key with the -s option
because with that option the system generates a random passphrase and the passphrase is unknown
to the user.
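The keygen rules above (privileged options, the default key name, and the -s passphrase) can be checked before a key is generated. The following efs_keygen_check function is an added example, not part of EFS or this guide; it takes the invoking user name and the key_manager value read from /etc/evfs/evfs.conf as arguments, and it assumes that -c, like -m, takes an argument.

```shell
# Pre-flight check for an "evfspkey keygen" invocation (hypothetical helper).
# Usage: efs_keygen_check <invoker> <key_manager> [keygen options...]
# Prints the effective key name and returns 0 if the invocation is permitted
# for <invoker> and yields a key that "evfsauth login" will load; otherwise
# prints the reason on stderr and returns 1.
efs_keygen_check() {
    invoker=$1; key_manager=$2; shift 2
    owner=$invoker; keyname=""; random_pass=0; privileged_opt=""
    while [ $# -gt 0 ]; do
        case $1 in
            -u) owner=$2; privileged_opt="-u"; shift ;;   # key owner differs from invoker
            -r) privileged_opt="-r" ;;                     # recovery key
            -k) keyname=$2; shift ;;                       # explicit key name
            -s) random_pass=1 ;;                           # random passphrase stored in a file
            -c|-m) shift ;;   # key type / keywrap: assumed to take one argument, no policy impact
            -p) ;;                                         # passphrase stored in a file
            *) printf '%s\n' "unknown option: $1" >&2; return 1 ;;
        esac
        shift
    done
    # -u and -r are allowed only for the system administrator or the key manager.
    if [ -n "$privileged_opt" ] && [ "$invoker" != root ] && [ "$invoker" != "$key_manager" ]; then
        printf '%s\n' "$privileged_opt is allowed only for root or the key manager ($key_manager)" >&2
        return 1
    fi
    # The key name defaults to the user name; evfsauth login loads only that key.
    [ -z "$keyname" ] && keyname=$owner
    if [ "$keyname" != "$owner" ]; then
        printf '%s\n' "key name $keyname differs from user name $owner; evfsauth login loads only $owner" >&2
        return 1
    fi
    # A random passphrase (-s) is unknown to the user, so the key cannot be used interactively.
    if [ "$random_pass" -eq 1 ]; then
        printf '%s\n' "-s generates a passphrase unknown to the user; not usable for evfsauth login" >&2
        return 1
    fi
    printf '%s\n' "$keyname"
}
```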
WARNING! A user key is linked with the user’s login name. After the key is created successfully,
the system administrator should not modify the user’s login name with the usermod -l option. If
the EFS version of the usermod command (in /opt/evfs/bin) is executed, the -l option that
changes the login name is rejected. If the regular usermod -l option is executed by mistake, the
user loses the user key and can no longer log into EFS.
Changing the passphrase
A user key can be changed by one of the following roles:
1. The system administrator or the key manager – by entering the key owner’s passphrase
The system administrator or the key manager is allowed to change another user’s passphrase
by specifying the user name with the -u option. However, they will be prompted to enter the
user’s old passphrase. For example:
# id
uid=0(root) gid=3(sys) groups=0(root)
# evfspkey passgen -u testuser
Enter old passphrase:
Enter new passphrase:
134 Managing keys