Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX Encrypted Volume and File System Software

178

179

180

181

182

183

184

185

186

187

Glossary

AES Advanced Encryption Standard. AES uses a symmetric key block encryption. EVFS supports AES

with a 128-bit, 256-bit, or 292-bit key for encrypting volume data. AES is suitable for encrypting

large amounts of data.

authorized user A user who is authorized to enable and disable an EVFS volume in EVS mode, and perform other

administrative operations on an EVS volume. If an authorized user has the appropriate file

permissions for the EVFS device file, he can perform nearly all the same EVFS operations as the

volume owner, including enabling and disabling encryption and decryption access to an EVFS

volume.

autostart An EVFS feature that automatically enables EVFS volumes at system startup, without manual

intervention.

cleartext Data that is not encrypted.

cluster key pair An EVFS key pair used by multiple nodes in a Serviceguard cluster.

Data encryption

key (or) Symmetric

encryption key

Either EVS volume or encrypted file encryption key used to encrypt/decrypt the data.

EFS volume EVFS volume configured in EFS mode.

EMD Encryption metadata. The EMD contains EVFS operating parameters for an EVS volume or

encrypted file, including the encryption algorithm. The EMD also includes key records. Each key

record contains the volume or file encryption key, encrypted with a user's public key.

encryption The process of converting data from a readable format to a nonreadable format for privacy.

Encryption functions usually take data and a cryptographic key (value or bit sequence) as input.

file encryption key Symmetric key used by EVFS to encrypt file data.

file owner Encrypted file owner (EFS).

group key Keys associated with the HP-UX groups. Used only with encrypted files.

key record An entry in the EMD of a EVS volume or encrypted file. The key record contains the volume

encryption key, encrypted with a user's public key. The user's private key is used to decrypt and

extract the volume or file encryption key for use. A key record is sometimes referred to as an

envelope.

owner Volume owner or encrypted file owner.

passphrase A text string that EVFS uses to encrypt a user's private key.

passphrase file A file containing a passphrase, encrypted with system-specific information. The EVFS subsystem

can decrypt the passphrase file and extract a user's private key. EVFS can then use the user's

private key to extract the volume encryption key from a key record.

A passphrase file can be used to perform EVFS operations, such as enabling an EVFS volume,

without human intervention. A passphrase file is also a security risk.

private key 1. The key in a public/private key pair that is not distributed to other parties. Data encrypted

with the public key can be decrypted only with the private key.

2. Any encryption key that is distributed to restricted parties, including a symmetric key.

public key

cryptography

A cryptographic method using two mathematically related keys (k1 and k2) such that data

encrypted with k1 can be decrypted only using k2. In addition, most algorithms provide assurance

that only the holder of k1 can correctly encrypt data that can be decrypted by k2.

One key must be private (known only to the owner), but the second key can be widely known

(public), which makes key distribution easy to manage. Public key encryption is computationally

expensive, so it is impractical for bulk data encryption. Instead, public key cryptography is usually

used to authenticate data or to encrypt ("wrap") symmetric keys.

Also referred to as asymmetric key cryptography (the two keys are not the same) or public-private

key cryptography.

183