Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

By default, the exported key is stored in the PKCS12 format. To store the key in the PEM format,
specify the -F pem option. The exported key can be shared with any application that understands
the chosen format.
To export a group key, use the following options:
-g <groupname> Specifies the group name.
-f <filename> Specifies the file to store exported key.
-F {pkcs12|pem} Specifies the exported key file format. Default is pkcs12.
Importing group key information
Only the key manager is allowed to import a group key from a file containing the key in either
PKCS12 or PEM format. During the import, the key manager is first prompted for the passphrase
that protects the file, and then for the key manager's own passphrase, which protects the imported
private key. By default, the evfspkey import command assumes that the key is in PKCS12
format. If the key is in a PEM file, you must specify the -F pem option.
For example:
# id
uid=100(evfs) gid=200(evfs)
# evfspkey import -f keyout -g testgrp
Enter passphrase which protects file keyout:
Enter key manager's passphrase:
Import key pair testgrp.testgrp from keyout successfully.
After a group key is imported successfully, the group access key is automatically added to all group
members that already have a user key.
For any new group member added after the group key is imported, the key manager must manually
add the group access key to the user with the evfspkey grpchk -f command.
To import a group key, use the following options:
-g <groupname> Specifies the group name. If the group name is not specified, the user key
will be assumed.
-f <filename> Specifies the file which contains the key in PKCS12 or PEM format. This
option is mandatory.
-F {pkcs12|pem} Specifies the exported key format in a file. Default is pkcs12.
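Because evfspkey import assumes PKCS12 unless -F pem is given, it is worth checking the file's actual format before importing. The following POSIX sh helper is an added example and is not part of the EVFS guide or the evfspkey tool: it inspects the first bytes of the file (a PEM file is text beginning with a "-----BEGIN" header; a PKCS12 file is binary DER whose first byte is the ASN.1 SEQUENCE tag 0x30) and prints the matching import command line for review. The function names detect_key_format and import_cmd are this example's own.

```shell
#!/bin/sh
# Added example, not from the EVFS guide: pick the right -F value for
# "evfspkey import" by looking at the key file instead of assuming pkcs12.

# Print "pem" or "pkcs12" for the given file; print "unknown" and return 1
# if the file looks like neither.
detect_key_format() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    # Read the first 11 bytes portably (head -c is not POSIX); drop any NULs
    # so a binary prefix is safe to hold in a shell variable.
    prefix=$(dd if="$f" bs=1 count=11 2>/dev/null | tr -d '\000')
    case "$prefix" in
        "-----BEGIN "*) echo pem; return 0 ;;
    esac
    # DER-encoded PKCS12 starts with an ASN.1 SEQUENCE tag (0x30).
    first=$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo pkcs12
        return 0
    fi
    echo unknown
    return 1
}

# Build the import command with -F set from the detected format. The command
# is printed rather than executed so it can be reviewed first; evfspkey itself
# prompts interactively for the file passphrase and the key manager's passphrase.
import_cmd() {
    file=$1
    group=$2
    fmt=$(detect_key_format "$file") || return 1
    echo "evfspkey import -f $file -g $group -F $fmt"
}

# Usage: sh thisfile.sh keyout testgrp
if [ $# -eq 2 ]; then
    import_cmd "$1" "$2"
fi
```

Running the helper on a PEM export prints "evfspkey import -f keyout -g testgrp -F pem", which can then be pasted and run by the key manager; a file that is neither PEM nor DER is rejected before evfspkey is invoked.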
Deleting a group key
Only the key manager is allowed to delete a group key. Before the group key itself is deleted, the
group access key is removed from the key files of all users whose primary group is the group being
deleted.
For example:
# evfspkey delete -g lgrp1
Caution: Are you sure you want to delete the "lgrp1.lgrp1"
public/private key pair? If you proceed with this operation, the files for the group members
will not be sharable.
Answer [yes/no]:yes
lgrp1:
group access key has been removed from user "luser1" key record successfully.
group access key has been removed from user "luser2" key record successfully.
Public/Private key pair "lgrp1.lgrp1" has been successfully deleted.
When a group key is deleted, its group members can no longer access files owned by other group
members.
To delete a group from the system, the system administrator should use the EFS version of the
groupdel command (in /opt/evfs/bin). This command removes the group from the system,
deletes the group key, and removes the access key from the members. If the regular groupdel
command is used mistakenly, the group key and associated information in the members’ key files
will be left in the system. In that case, the key manager can still use the evfspkey delete
command to display and delete the key.
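Because deleting a group key removes the group access key from every user whose primary group is that group, and their files stop being sharable, a key manager will usually want to see that list before answering "yes" to the evfspkey delete prompt. The POSIX sh script below is an added example, not part of the EVFS guide or the evfspkey tool: it resolves the group's GID from the group file and lists the accounts whose primary GID matches, reading the passwd and group files given as arguments (defaulting to /etc/passwd and /etc/group) so it can also be run against copies. The function names primary_members and delete_preview are this example's own.

```shell
#!/bin/sh
# Added example, not from the EVFS guide: preview which user key records an
# "evfspkey delete -g <group>" would touch, before running it.

# Print the login names whose primary group is $1, one per line, sorted.
# $2 and $3 override the passwd and group files (useful for testing or for
# reviewing copies from another host).
primary_members() {
    grp=$1
    passwd=${2:-/etc/passwd}
    group=${3:-/etc/group}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group")
    [ -n "$gid" ] || { echo "group $grp not found in $group" >&2; return 1; }
    # Field 4 of passwd is the primary GID.
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd" | sort
}

# Print a short summary of the effect of deleting the group key.
delete_preview() {
    grp=$1
    members=$(primary_members "$grp" "$2" "$3") || return 1
    n=$(printf '%s\n' "$members" | awk 'NF { c++ } END { print c + 0 }')
    echo "evfspkey delete -g $grp would remove the group access key from $n user key record(s):"
    printf '%s\n' "$members"
}

# Usage: sh thisfile.sh lgrp1 [passwd-file] [group-file]
if [ $# -ge 1 ]; then
    delete_preview "$@"
fi
```

For the session shown above, running the preview for lgrp1 on that system would list luser1 and luser2, matching the two key records the delete command reports as updated. The same check is useful after a mistaken run of the regular groupdel: if the group is already gone from the group file, the script reports that, and the key manager knows to fall back to evfspkey delete to clean up the leftover key material.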
Managing a group key 141