Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

keys from previous releases in different directories, you still need to configure those directories into
priv_key, pub_key, and pass_key so that EVFS can successfully locate them.
EVFS creates a users subdirectory for all user keys and a groups subdirectory for all group
keys. It then creates a subdirectory under users for each user that creates EVFS keys, using the
user name as the directory name, and a subdirectory under groups for each group that creates
EVFS keys, using the group name as the directory name. Therefore, when you configure
priv_key, pub_key, and pass_key, specify the directory paths without the users and
groups components.
For example, the first time user john generates an EVFS public/private key pair using the
evfspkey keygen command, EVFS creates the subdirectory /etc/evfs/pkey/users/john
to contain John's keys. By default, EVFS creates the files john.priv and john.pub in the john
subdirectory. They contain the private key and the public key respectively. The private key is
protected with a passphrase. If the key manager is allowed to reset John's passphrase by entering
its own passphrase, or if John's primary group already has a key when John creates his key,
john.privext is also created to contain the additional key information.
Each group key has two files associated with it: one file contains the public key and one file contains
the private key. For example, when the key manager creates a group key pair for the group
mygroup using the evfspkey keygen -g mygroup command, EVFS creates the subdirectory
/etc/evfs/pkey/groups/mygroup to contain the mygroup key. By default, EVFS creates
the files mygroup.privext and mygroup.pub in the mygroup subdirectory. The
mygroup.privext file contains the mygroup private key which is protected by the key manager's
key. The mygroup.pub contains the mygroup public key.
Stored passphrases are created to allow reboots when a system includes encrypted volumes that
require activation without user intervention. A stored passphrase also allows the root user to access
encrypted files on behalf of a regular user. The passphrase file name has the form
john.pass.machine_intrinsic_id. That is, the passphrase file name is composed of keyname.pass,
suffixed with a string unique to a given hardware system.
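The following POSIX shell functions are an added example, not part of the guide or of the EVFS product: they build the key file paths implied by the layout above (users/NAME/NAME.priv, NAME.pub, NAME.privext; groups/NAME/NAME.privext, NAME.pub; NAME.pass.machine_intrinsic_id) from a configured base directory, and then scan that directory for stored passphrase files, which are the keys root could use without the owner's passphrase. The sample key tree, the user john, the group mygroup and the intrinsic id suffix 0123456789abcdef are constructed values; the files are empty stand-ins, not real EVFS key material.

```shell
#!/bin/sh
# Added example (not from the EVFS guide): resolve the EVFS key file paths
# implied by the documented layout and report which keys have a stored
# passphrase file. All names and the intrinsic id below are constructed.

# evfs_key_dir BASE KIND NAME -> prints the directory EVFS would use.
# BASE is the configured pkey directory (without users/ or groups/),
# KIND is "user" or "group".
evfs_key_dir() {
    base=$1; kind=$2; name=$3
    case $kind in
        user)  printf '%s/users/%s\n'  "$base" "$name" ;;
        group) printf '%s/groups/%s\n' "$base" "$name" ;;
        *)     return 1 ;;
    esac
}

# evfs_key_files BASE KIND NAME -> prints the key files that exist in the
# key directory: NAME.priv, NAME.pub, NAME.privext and any stored
# NAME.pass.<machine_intrinsic_id> passphrase file.
evfs_key_files() {
    dir=$(evfs_key_dir "$1" "$2" "$3") || return 1
    for f in "$dir/$3.priv" "$dir/$3.pub" "$dir/$3.privext" "$dir/$3".pass.*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# evfs_stored_passphrases BASE -> prints "user NAME FILE" or "group NAME FILE"
# for every key that has a stored passphrase, i.e. every key that root can
# use without its owner's passphrase. Exit status 0 if any were found, 1 if none.
evfs_stored_passphrases() {
    base=$1; found=1
    for kind in users groups; do
        for d in "$base/$kind"/*/; do
            [ -d "$d" ] || continue
            name=$(basename "$d")
            for p in "$d$name".pass.*; do
                [ -f "$p" ] || continue
                printf '%s %s %s\n' "${kind%s}" "$name" "$p"
                found=0
            done
        done
    done
    return $found
}

# Build a constructed sample tree (empty files, not a real EVFS key store)
# so the functions above can be exercised offline.
make_sample_pkey_tree() {
    base=$1
    mkdir -p "$base/users/john" "$base/groups/mygroup"
    : > "$base/users/john/john.priv"
    : > "$base/users/john/john.pub"
    : > "$base/users/john/john.pass.0123456789abcdef"   # constructed intrinsic id
    : > "$base/groups/mygroup/mygroup.privext"
    : > "$base/groups/mygroup/mygroup.pub"
    chmod 600 "$base"/users/john/john.* "$base"/groups/mygroup/mygroup.*
}

# Usage: run the audit against a throwaway sample directory.
SAMPLE=$(mktemp -d)
make_sample_pkey_tree "$SAMPLE"
evfs_key_files "$SAMPLE" user john
evfs_stored_passphrases "$SAMPLE" || echo "no stored passphrases found"
rm -rf "$SAMPLE"
```

On a real system you would point evfs_stored_passphrases at the directory you configured for pass_key (for example /etc/evfs/pkey) to see which users and groups have a stored passphrase, and therefore which encrypted files root can open without the owner's cooperation.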
CAUTION:
Do not edit the contents of the key or passphrase files. Use the evfspkey command to modify
these files.
Stored passphrases add convenience, but they are a security risk.
If you have a stored passphrase, it is possible for root to access your encrypted files.
Key file location 145