Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
EFS quick start
HP-UX EVFS includes the following EFS commands, typically used in the following order:
Command    Description
evfsadm    Starts and manages the EVFS subsystem. Maps LVM, VxVM, or physical volumes to the EVFS
           subsystem. See evfsadm(1M).
evfsauth   Enters a user secure session. A secure session contains the needed credentials to access
           encrypted files pertaining to that particular user. The command also allows users to
           display their current secure session information. See evfsauth(1).
evfsfile   Manages EFS encrypted files and directories. See evfsfile(1).
Creating an EFS volume
As the root user, create the EFS volumes as follows:
1. Start the EVFS subsystem using the evfsadm start command. See evfsadm(1M).
2. If you are using LVM or VxVM (you are not directly accessing the physical disk as a physical
volume), use the appropriate LVM or VxVM commands (such as lvcreate or vxassist) to create
a new LVM or VxVM volume to use for the EVFS volume. See lvcreate(1M) or vxassist(1M).
3. Associate the underlying LVM, VxVM, or physical volume to an EFS volume in file-level
encryption mode using the evfsadm map -f command. This command also creates block
and character ("raw") device special files for the EFS volume and adds them to the kernel
registry.
4. If you need a file system on the EFS volume, create one on the character (raw) EFS volume
device file using the newfs command. See newfs(1M).
5. If you want to mount the file system on the EFS volume, add an entry to the /etc/fstab file
that references the EFS volume special file with the stackfs=sefs option. See evfsadm(1M).
6. Mount the encrypted file system using the mount command with the -o stackfs=sefs
option. See mount(1M).
7. Verify the EVFS operation using the evfsadm stat -a and evfsvol display commands.
See evfsadm(1M).
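A check for step 5, as an added example that is not part of the HP guide: the script below scans an fstab-format file and reports EFS volume entries whose mount options lack stackfs=sefs. It assumes every /dev/evfs/ device on the host is mapped in EFS mode; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an fstab file for EFS volumes missing stackfs=sefs.
# Assumption: every /dev/evfs/ device on this host is mapped in EFS
# (file-level) mode, so each of its fstab entries needs stackfs=sefs.

# Print "line-number device mount-point" for each offending entry.
# Exit status: 0 = every EFS entry carries the option, 1 = at least one lacks it.
check_efs_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }          # skip comments and short lines
        $1 !~ /^\/dev\/evfs\// { next }       # only EFS volume special files
        {
            ok = 0
            n = split($4, opt, ",")           # field 4 holds the mount options
            for (i = 1; i <= n; i++)
                if (opt[i] == "stackfs=sefs") ok = 1   # exact match only
            if (!ok) { print NR, $1, $2; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input (not taken from a real system).
sample_fstab() {
    cat <<'EOF'
# device                 mount   type  options                   bk pass
/dev/vg00/lvol3          /       vxfs  delaylog                  0  1
/dev/evfs/vg01/lvol6     /secure vxfs  delaylog,stackfs=sefs     0  2
/dev/evfs/vg01/lvol7     /data   vxfs  delaylog                  0  2
/dev/evfs/vg01/lvol8     /logs   vxfs  stackfs=sefsx             0  2
EOF
}

# Run with --demo to audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_fstab > "$tmp"
    check_efs_fstab "$tmp" || echo "entries above lack stackfs=sefs"
    rm -f "$tmp"
fi
```

Options are compared as whole comma-separated tokens, so a mistyped value such as stackfs=sefsx is reported rather than accepted as a substring match.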
To use EFS as an EFS user, follow these additional steps:
1. Enter a secure session with the evfsauth login command. If the user’s credential does not
exist, the user will be prompted to create it. This credential is inherited by all children of
the process. The command evfsauth display can be used to display the user’s credential.
Exiting the process (if in a shell, usually with the exit command) will terminate the secure
session. See evfsauth(1).
2. The command evfsfile is used to enable and disable files and directories for encryption.
The command can also be used to display file and directory encryption status. See evfsfile(1).
3. A set of wrapper commands is provided with EVFS. These wrapper commands facilitate
encryption access information and prevent unintended decryption of files. See
evfs_wrapper(1).
Configuring volumes in EFS mode
The following steps show how a root user can configure volumes in EFS mode:
1. Start the EVFS subsystem:
# evfsadm start
2. Map the LVM volume /dev/vg01/lvol6 to EVFS with option -f. Note that unlike the EVS
mode, existing data on /dev/vg01/lvol6 will not be touched:
# evfsadm map -f /dev/vg01/lvol6
3. If needed, create a new file system on the EVFS volume character (raw) device file:
# newfs -F vxfs /dev/evfs/vg01/rlvol6