Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
Re-enter new passphrase:
Passphrase for key "testuser.testuser" has been successfully generated
2. The key manager – by entering the key manager’s passphrase
The key manager can change a user's key passphrase by entering the key manager's own passphrase when
all of the following conditions are true:
• The key_manager account has been configured in the /etc/evfs/evfs.conf file.
• The key manager has created its own key pair.
• The keymgr_reset_passphrase parameter is set to yes.
• The key owner has allowed the key manager to reset the passphrase, either during key creation
(by answering yes to the prompt Do you want to allow key manager to reset your
passphrase without your old passphrase? from the evfspkey keygen or
evfsauth login command) or afterwards, by running the evfspkey passgen -e command,
which allows the key manager to reset the user's passphrase using the key manager's own passphrase.
You can check that all the above conditions are true by displaying the key information, as
follows:
# evfspkey lookup -u testuser
Key ID: testuser.testuser
Key Cipher: rsa-2048
Key Fingerprint: 1c:61:a0:13:9e:d1:82:1b:ca:73:d9:ac:f7:3e:f9:15:1b:b8:69:9e
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Allow passphrase reset by key manager: yes
Stored passphrase: no
If Allow passphrase reset by key manager is set to yes, the key manager is able
to reset the passphrase without the user's old passphrase.
For example:
# id
uid=100(keymgr) gid=200(evfs)
# evfspkey passgen -u testuser
Enter key manager's passphrase:
Enter new passphrase:
Re-enter new passphrase:
Passphrase for key "testuser.testuser" has been successfully generated
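The conditions listed above can be pre-checked before a key manager attempts a reset, which avoids failed attempts and makes the policy state auditable. The following POSIX shell script is an added example and is not part of the HP EVFS guide or the evfspkey tool; it works on constructed sample text that mirrors the guide's evfspkey lookup output and the evfs.conf parameter names (key_manager, keymgr_reset_passphrase). It assumes evfs.conf uses "parameter = value" lines. The remaining condition (that the key manager has created its own key pair) is not visible in these inputs and still has to be confirmed separately, for example with evfspkey lookup run for the key manager account.

```shell
#!/bin/sh
# Added example (not from the EVFS guide): check whether a key manager
# passphrase reset is permitted, using the guide's documented conditions.
# All inputs below are constructed samples embedded for offline use.

# Constructed sample of /etc/evfs/evfs.conf content ("parameter = value"
# format is an assumption of this example)
SAMPLE_CONF='key_manager = keymgr
keymgr_reset_passphrase = yes'

# Constructed sample of "evfspkey lookup -u testuser" output, field names
# taken from the guide (fingerprint line omitted)
SAMPLE_LOOKUP='Key ID: testuser.testuser
Key Cipher: rsa-2048
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Allow passphrase reset by key manager: yes
Stored passphrase: no'

# conf_value CONF_TEXT PARAM
# Prints the value assigned to PARAM in CONF_TEXT, or nothing if absent.
conf_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" \
        | head -n 1
}

# lookup_field LOOKUP_TEXT FIELD
# Prints the value following "FIELD:" in evfspkey lookup style output.
lookup_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# keymgr_can_reset CONF_TEXT LOOKUP_TEXT
# Returns 0 when every checkable condition holds; otherwise prints the
# first unmet condition and returns 1.
keymgr_can_reset() {
    conf="$1"
    lookup="$2"

    km=$(conf_value "$conf" key_manager)
    [ -n "$km" ] || {
        echo "denied: key_manager is not configured in evfs.conf"
        return 1
    }

    [ "$(conf_value "$conf" keymgr_reset_passphrase)" = "yes" ] || {
        echo "denied: keymgr_reset_passphrase is not set to yes"
        return 1
    }

    allow=$(lookup_field "$lookup" 'Allow passphrase reset by key manager')
    [ "$allow" = "yes" ] || {
        echo "denied: key owner has not allowed reset by the key manager"
        return 1
    }

    echo "allowed: key manager '$km' may reset this passphrase"
    echo "note: also confirm the key manager's own key pair exists"
    return 0
}

# Demonstration on the constructed samples
keymgr_can_reset "$SAMPLE_CONF" "$SAMPLE_LOOKUP"
```

Run the script with the real configuration by replacing the two sample variables with the contents of /etc/evfs/evfs.conf and the output of evfspkey lookup -u <username>; a non-zero exit status with the printed reason tells the administrator which condition still blocks the reset.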
3. The key owner
A key owner can change its own passphrase as follows:
# id
uid=110(testuser) gid=20(users)
# evfspkey passgen
Enter old passphrase:
Enter new passphrase:
Re-enter new passphrase:
Passphrase for key "testuser.testuser" has been successfully generated
When the system administrator or the key manager changes a user's passphrase, as in the
previous examples 1 and 2, and the -s option is specified together with the -u <username> option, passgen
automatically generates a random passphrase to protect the private key and stores it in a designated
file. The system administrator or the key manager then does not need to share the passphrase with
the user.
Managing a user key 135