Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
Check or synchronize users and groups
The key manager uses the evfspkey grpchk command to verify that the EVFS user and group key
information is synchronized; for example, that the primary group access key is present in the user
key records of all members of that group.
There are three levels of verification:
1. Verification for the user
The evfspkey grpchk -u <username> command checks whether the user has a group access
key for its primary group:
# evfspkey grpchk -u luser1 -g lgrp1
lgrp1:
group access key is already in user "luser1" key record.
If the user does not have a group access key and the -f option is specified, the group
access key is added to the user's key record.
2. Verification for a group
The evfspkey grpchk -g <groupname> command checks one specific group and
reports the group members who have this group as their primary group and already have a user key,
but do not have a group access key. If the -f option is specified, the group access key is
added to those members' key records. For members configured in /etc/group for whom the
group is only a supplementary group, nothing is done:
# evfspkey grpchk -g lgrp1
lgrp1:
group access key is not in user "luser1" key record.
group access key is not in user "luser2" key record.
# evfspkey grpchk -f -g lgrp1
Enter key manager's passphrase:
lgrp1:
group access key has been added into user "luser1" key record.
group access key has been added into user "luser2" key record.
The evfspkey grpchk command will not report the users that do not have a user key.
3. Verification for the system
If the -a option is specified, all groups that have a group key are checked and, if the -f option
is also specified, the access information is added to the group members' key records. Groups that
do not yet have a key pair are skipped:
# evfspkey grpchk -f -a
Enter key manager's passphrase:
lgrp1:
group access key has been added into user "luser1" key record.
group access key has been added into user "luser2" key record.
lgrp2:
group access key has been added into user "lusera" key record.
group access key has been added into user "luserb" key record.
The evfspkey grpchk command does not report groups that do not have a group key.
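The three checks above report each out-of-sync user as a line naming the group and the user. As an added example that is not part of the guide, the following POSIX shell functions parse report-only grpchk -a output (run without -f, so nothing is modified) into a list of missing group/user pairs and a pass/fail exit status suitable for a scheduled audit job. The sample output is constructed to match the format shown in the guide; in production the same functions would read from evfspkey grpchk -a instead.

```shell
#!/bin/sh
# Added example, not code from the EVFS guide: audit "evfspkey grpchk -a"
# output for users whose key record still lacks a group access key.
# SAMPLE_GRPCHK_OUTPUT is constructed to mirror the guide's report format.
SAMPLE_GRPCHK_OUTPUT='lgrp1:
group access key is already in user "luser1" key record.
group access key is not in user "luser2" key record.
lgrp2:
group access key is not in user "lusera" key record.
group access key is not in user "luserb" key record.
'

# parse_missing_group_keys: reads grpchk output on stdin and prints
# "<group> <user>" for every user record still missing the access key.
parse_missing_group_keys() {
    awk '
        # A line with no spaces that ends in ":" names the group being checked
        # (this deliberately skips the "Enter key manager'"'"'s passphrase:" prompt).
        /^[^ ]+:$/ { group = substr($0, 1, length($0) - 1); next }
        # Report lines carry the user name between double quotes.
        /group access key is not in user "/ {
            split($0, parts, "\"")
            print group, parts[2]
        }
    '
}

# count_missing_group_keys: number of missing pairs; 0 means keys are in sync.
count_missing_group_keys() {
    parse_missing_group_keys | wc -l | tr -d " "
}

# audit_group_keys: exit 0 when every member has its group access key,
# non-zero otherwise, so the check can drive cron or monitoring alerts.
audit_group_keys() {
    missing=$(count_missing_group_keys)
    [ "$missing" -eq 0 ]
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_GRPCHK_OUTPUT" | parse_missing_group_keys
```

On a live system, pipe the real command in instead: `evfspkey grpchk -a | audit_group_keys || echo "group access keys out of sync"`; re-run with -f only after reviewing the reported pairs.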
Key file location
By default, the user key data is stored locally under the /etc/evfs/pkey/users directory and the
group key data under the /etc/evfs/pkey/groups directory. The administrator can
configure alternate local or remote storage directories for public keys, private keys, and stored
passphrases using the pub_key, priv_key, and pass_key directories in the file
/etc/evfs/evfs.conf. New keys are always created in the first directory. If you have old
144 Managing keys