Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

Key manager operations
The following operations require the key manager to log into the system. The system administrator
cannot perform these operations when running the su command as the key manager.
“Changing the passphrase” (page 134)
“Managing a group key” (page 138)
“Granting a member access to a group key” (page 142)
“Removing a member from a group key” (page 143)
“Check or synchronize users and groups” (page 144)
Granting a member access to a group key
When a group key is created, its access information is implicitly added to the existing user key records
of those members whose primary group is the group being processed. As a result, those members are
automatically granted access to the group key and therefore to the encrypted files
belonging to the group.
If a user does not have a user key when its primary group key is created, or if the user is
added to the group after its primary group key is created, the key manager must explicitly grant the user
access to the group key by running the evfspkey add -u <username> -g <groupname>
command.
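The following script is an added example and is not part of the HP EVFS guide or its tools. It shows how an administrator can audit group access from the text that evfspkey lookup -u <user> prints, deciding for each member whether nothing is needed, whether evfspkey add -u <user> -g <group> is needed, or whether the user first needs a key (evfspkey keygen -u <user>) before access can be granted. It assumes the lookup output has the "Field: value" layout shown in the guide's transcript, that a "Group access:" line may list several groups separated by spaces or commas, and that a user with no key yields no "Key ID:" line; the sample records are constructed from the guide's example, not captured from a live system, and no evfspkey command is executed.

```shell
#!/bin/sh
# Added example, not from the EVFS guide. Classifies a user's key record as
# printed by `evfspkey lookup -u <user>` and names the key-manager command
# that fixes a missing group access. Nothing here runs evfspkey itself.
#
# ASSUMPTIONS (not confirmed by the guide):
#  - one "Field: value" per line, as in the guide's transcript
#  - "Group access:" may list several groups separated by spaces or commas
#  - a user without a key produces no "Key ID:" line at all

# classify_member USER GROUP LOOKUP_OUTPUT
# Prints exactly one word: no-key | missing | ok
classify_member() {
    group=$2
    record=$3
    printf '%s\n' "$record" | awk -v grp="$group" '
        /^Key ID:/ { has_key = 1 }
        /^Group access:/ {
            # Strip the field name, then compare every listed group to grp
            sub(/^Group access:[ \t]*/, "")
            n = split($0, g, /[ ,]+/)
            for (i = 1; i <= n; i++) if (g[i] == grp) has_access = 1
        }
        END {
            if (!has_key)         print "no-key"
            else if (!has_access) print "missing"
            else                  print "ok"
        }'
}

# remediation USER GROUP STATUS
# Prints the command(s) the key manager would run to fix STATUS.
# keygen prompts for a passphrase interactively, so only the text is printed.
remediation() {
    case $3 in
        no-key)  printf 'evfspkey keygen -u %s && evfspkey add -u %s -g %s\n' "$1" "$1" "$2" ;;
        missing) printf 'evfspkey add -u %s -g %s\n' "$1" "$2" ;;
        ok)      printf 'nothing to do\n' ;;
        *)       printf 'unknown status: %s\n' "$3"; return 1 ;;
    esac
}

# Constructed sample records modelled on the guide's transcript (fingerprints omitted).
RECORD_USERA_BEFORE='Key ID: usera.usera
Key Cipher: rsa-2048
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Stored passphrase: no'

RECORD_USERA_AFTER='Key ID: usera.usera
Key Cipher: rsa-2048
Private Key Keywrap: evfs-pbe1
Group access: users staff
Reset passphrase required: yes
Stored passphrase: no'

# jsmith has no key yet, so the lookup yields no record (assumed shape).
RECORD_JSMITH=''

# Demonstration: audit three members of the "users" group.
for pair in "usera:$RECORD_USERA_BEFORE" "userb:$RECORD_USERA_AFTER" "jsmith:$RECORD_JSMITH"; do
    user=${pair%%:*}
    record=${pair#*:}
    status=$(classify_member "$user" users "$record")
    echo "$user: $status -> $(remediation "$user" users "$status")"
done
```

Run as a plain sh script; on a real system the record argument would come from `evfspkey lookup -u "$user"` run by the key manager, and the printed remediation is reviewed before being executed, since keygen asks for a passphrase.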
Examples
In this example, the users group is the primary group for the usera, userb, and jsmith users.
The usera and userb users have a key, but the jsmith user does not. The keymgr key manager
(configured in /etc/evfs/evfs.conf with key_manager) creates the group key for the users
group. Before the key manager creates the group key, the usera user does not have access to
the users group. After the key manager creates the group key, the usera user has access to the
users group as follows:
# id
uid=112(keymgr) gid=20(users)
# evfspkey lookup -u usera
Key ID: usera.usera
Key Cipher: rsa-2048
Key Fingerprint: f1:6d:ca:e3:b5:68:0f:d0:05:c1:45:a3:8a:4f:c1:f1:db:bd:6c:e8
Private Key Keywrap: evfs-pbe1
Reset passphrase required: yes
Allow passphrase reset by key manger: no
Stored passphrase: no
# evfspkey keygen -g users
Enter key manager's passphrase:
Public/Private key pair "users.users" has been successfully generated.
users:
Group access key has been added into user "usera" key record.
Group access key has been added into user "userb" key record.
# evfspkey lookup -u usera
Key ID: usera.usera
Key Cipher: rsa-2048
Key Fingerprint: f1:6d:ca:e3:b5:68:0f:d0:05:c1:45:a3:8a:4f:c1:f1:db:bd:6c:e8
Private Key Keywrap: evfs-pbe1
Group access: users
Reset passphrase required: yes
Allow passphrase reset by key manger: no
Stored passphrase: no
In the following example, the key manager creates a user key for the jsmith user. The key manager
then explicitly grants the group access to jsmith, as follows:
# evfspkey keygen -u jsmith
Enter passphrase:
Re-enter passphrase:
Public/Private key pair "jsmith.jsmith" has been successfully generated.
142 Managing keys