Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

Displaying user key information
The system administrator or the key manager can display any user’s key information using the
evfspkey lookup command with the -u option. A key owner can also display its own key
information. For example:
# id
uid=110(luser1) gid=20(users)
# evfspkey lookup
Key ID: luser1.luser1
Key Cipher: rsa-2048
Key Fingerprint: 1c:61:a0:13:9e:d1:82:1b:ca:73:d9:ac:f7:3e:f9:15:1b:b8:69:9e
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Allow passphrase reset by key manger: yes
Stored passphrase: no
When displaying another user’s key information using the -u option, a non-root user can only
see the partial key information. For example:
# id
uid=110(luser1) gid=20(users)
# evfspkey lookup -u luser2
Key ID: luser2.luser2
Key Cipher: rsa-2048
Key Fingerprint: 39:81:4d:2b:3b:61:70:bb:d2:08:d1:4f:66:a7:a3:d1:1f:f6:dc:d6
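As an added example (not part of this guide or the EVFS product), the following shell function reads evfspkey lookup output in the format shown above and reports, per key, whether a passphrase is stored on the host and whether only the partial (non-root) view was available. The sample output is constructed, and the reading of "Stored passphrase: yes" as a passphrase kept on the host for unattended unlocking is an assumption made here.

```shell
#!/bin/sh
# Constructed sample of evfspkey lookup output: two full records (owner or
# root view) followed by one partial record (what a non-root user sees with
# -u for another user's key). The field names follow the guide's output.
SAMPLE_LOOKUP='Key ID: luser1.luser1
Key Cipher: rsa-2048
Key Fingerprint: 1c:61:a0:13:9e:d1:82:1b:ca:73:d9:ac:f7:3e:f9:15:1b:b8:69:9e
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Allow passphrase reset by key manger: yes
Stored passphrase: no
Key ID: svc1.svc1
Key Cipher: rsa-2048
Key Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Private Key Keywrap: evfs-pbe1
Reset passphrase required: no
Allow passphrase reset by key manger: no
Stored passphrase: yes
Key ID: luser2.luser2
Key Cipher: rsa-2048
Key Fingerprint: 39:81:4d:2b:3b:61:70:bb:d2:08:d1:4f:66:a7:a3:d1:1f:f6:dc:d6'

# evfs_key_audit: read lookup output on stdin, print "<key id> <status>" per key.
#   stored-passphrase : "Stored passphrase: yes" (assumed to mean the passphrase
#                       is kept on the host, so the key unlocks without anyone
#                       typing it; such keys deserve review)
#   partial           : only the public fields were visible, so the policy
#                       fields could not be checked (re-run as owner or root)
#   ok                : full record with no stored passphrase
evfs_key_audit() {
  awk '
    function flush() {
      if (id == "") return
      if (stored == "")         print id, "partial"
      else if (stored == "yes") print id, "stored-passphrase"
      else                      print id, "ok"
      id = ""; stored = ""
    }
    { value = $0; sub(/^[^:]*: */, "", value) }   # text after "Field: "
    /^Key ID: /            { flush(); id = value }  # new record starts
    /^Stored passphrase: / { stored = value }
    END { flush() }
  '
}

# Audit the constructed sample; on a real host pipe the live command instead:
#   evfspkey lookup -u svc1 | evfs_key_audit
audit_sample() { printf '%s\n' "$SAMPLE_LOOKUP" | evfs_key_audit; }
```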
Exporting a user key
A user key can be exported by the key manager or the key owner. The key passphrase is required
to access the private key. If the key is exported by the key manager and the key manager has the
capability to reset the user’s passphrase without the user's old passphrase, the key manager’s
passphrase will be required to access the private key. Otherwise, the key owner’s passphrase is
required.
The user key can be exported in two different formats: PKCS12 and PEM. By default, the
evfspkey export command converts the key to the PKCS12 format and stores it in the file
specified on the command line. The file is protected with a passphrase, which must be supplied. If the -F
pem option is specified, the key is exported in the PEM format.
The exported keys can be used on other systems that have EVFS.
The following options are valid only for the key manager:
-u <username> Specifies the user name.
-r <recovery_file> Specifies the recovery key file path.
The following options are valid for the key manager and for regular users:
-k <keyname> Specifies the key name to export.
-f <filename> Specifies the file that receives the exported key. This option is mandatory.
-F {pkcs12|pem} Specifies the format in which the key is exported. Default is pkcs12.
Examples
If the key manager is not configured, the key owner will be the only one able to export its own
key. The system administrator is not allowed to export a user key.
# id
uid=110(testuser) gid=20(users)
# evfspkey export -f keyout
Enter passphrase:
Enter passphrase to protect file keyout:
Re-enter passphrase to protect file keyout:
Export key pair testuser.testuser to keyout successfully