Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

Creating a group key
Only the key manager can create a group key. Therefore, the key manager's key must be created
before any group keys can be created. Unlike user keys, where a user can have multiple keys
(specified with -k <keyname>), each group is allowed only one key, and the key name is always
the same as the group name. Therefore, the -k option is not valid when creating a group key.
Example 1
By default, after the group key is created successfully, the evfspkey keygen command implicitly
copies the group access key into all of the users’ key files whose primary group is the one in
process. As a result, when those users log into EFS with the evfsauth login command, the
group key is accessible and loaded into the kernel.
# id
uid=100(keymgr) gid=200(evfs)
# evfspkey keygen -g testgrp
Enter key manager's passphrase:
Public/Private key pair "testgrp.testgrp" has been successfully generated
Example 2
In this example, the luser1 and luser2 users have the lgrp1 group as their primary group,
and they already have a user key:
# grget -n lgrp1
lgrp1::200:luser2,lusera,userx <- group ID is 200
# grep 200 /etc/passwd
luser1:DgFcvrjtiHEUw,z.cT:200:200::/home/luser1:/sbin/sh
luser2:wkU5.agVOyRH2:201:200::/home/luser2:/sbin/sh
# evfspkey keygen -g lgrp1
Enter key manager's passphrase:
Public/Private key pair "lgrp1.lgrp1" has been successfully generated
lgrp1:
group access key has been added into user "luser1" key record.
group access key has been added into user "luser2" key record.
If you display those users’ keys, you can see the group access information:
# evfspkey lookup -u luser1
Key ID: luser1.luser1
Key Cipher: rsa-2048
Key Fingerprint: 1c:61:a0:13:9e:d1:82:1b:ca:73:d9:ac:f7:3e:f9:15:1b:b8:69:9e
Private Key Keywrap: evfs-pbe1
Group access: lgrp1
Reset passphrase required: yes
Allow passphrase reset by key manger: yes
Stored passphrase: no
If the -n option is specified with the evfspkey keygen -g group command, the group access
key is copied into its members, and the evfsauth login command will not load the group key
for the members.
If a user key is created after the user's primary group key, the group access key must be added
to the new user's key file manually by the key manager using the evfspkey add command, which
requires the key manager's passphrase (see "Key manager operations" (page 142)).
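Because a user key created after its group key silently lacks the group access key, the following audit script (an added example, not part of the guide or the EVFS product) lists the members of a group, by primary GID in the passwd file, whose key record shows no "Group access:" entry for that group, i.e. the accounts the key manager still needs to repair with evfspkey add. It assumes the evfspkey lookup -u output format shown above; the passwd data and lookup output are constructed stand-ins so it runs offline.

```shell
#!/bin/sh
# Constructed sample passwd data (stand-in for /etc/passwd).
sample_passwd() {
  cat <<'EOF'
luser1:x:200:200::/home/luser1:/sbin/sh
luser2:x:201:200::/home/luser2:/sbin/sh
luser3:x:202:200::/home/luser3:/sbin/sh
userx:x:300:300::/home/userx:/sbin/sh
EOF
}

# Constructed stand-in for `evfspkey lookup -u USER`: luser3's key was
# created after the group key, so no group access key was copied in.
sample_lookup() {
  case "$1" in
    luser3) printf 'Key ID: luser3.luser3\nGroup access:\n' ;;
    *)      printf 'Key ID: %s.%s\nGroup access: lgrp1\n' "$1" "$1" ;;
  esac
}

# primary_members GID PASSWD_CMD -> users whose primary group (field 4) is GID
primary_members() {
  "$2" | awk -F: -v gid="$1" '$4 == gid { print $1 }'
}

# has_group_access USER GROUP LOOKUP_CMD -> exit 0 if the key record lists GROUP
has_group_access() {
  "$3" "$1" | awk -v g="$2" '
    /^Group access:/ { sub(/^Group access:[ \t]*/, ""); n = split($0, a, /[ ,]+/)
                       for (i = 1; i <= n; i++) if (a[i] == g) found = 1 }
    END { exit found ? 0 : 1 }'
}

# missing_group_access GROUP GID PASSWD_CMD LOOKUP_CMD -> members to repair
missing_group_access() {
  for u in $(primary_members "$2" "$3"); do
    has_group_access "$u" "$1" "$4" || echo "$u"
  done
}

# On a real EFS host, swap in the real sources (hypothetical wrappers):
#   real_passwd() { cat /etc/passwd; }
#   real_lookup() { evfspkey lookup -u "$1"; }
#   missing_group_access lgrp1 200 real_passwd real_lookup
```

With the sample data the script prints only luser3; each name it prints is a member who will load no group key at evfsauth login until the key manager runs evfspkey add for that user.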
After a group key is created successfully, the system administrator should not modify the group
name using the groupmod -n command. If the EFS version of the groupmod command (in
/opt/evfs/bin) is executed, the -n option to change the group name is rejected. If the
regular groupmod -n command is executed by mistake, the users can no longer load the group
key and, as a result, they will fail to access files belonging to this group.
It is possible that the key manager needs to create many groups for the system. To make this task
easier, the -f <filename> option can be specified to create multiple group keys by just entering