Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
# useradd -g my_evfs_group -c "EVFS pseudo-user" \
-d /tmp -s /usr/bin/false my_evfs_user
Step 2: (Optional) Configuring alternate key database directories
EVFS stores user key data (public keys, private keys, and stored passphrases) in a key database.
By default, EVFS stores this database in subdirectories and files under the /etc/evfs/pkey
directory. EVFS then automatically creates a users subdirectory. You can modify the pub_key,
priv_key, and pass_key attribute statements in the /etc/evfs/evfs.conf file to configure
EVFS to store the key database in alternate directories.
TIP: Configuring alternate key database directories is optional, and you can skip this step in
most topologies.
You can use alternate database directories as follows:
• Store public keys, private keys, and passphrase files in different directories according to data
type (key type or stored passphrase). For example, you can configure EVFS to store public
keys in a public directory because exposing public keys is not a security vulnerability.
• Store public and private keys in distributed file directories. For example, you can configure
EVFS to store public and private keys in an NFS directory so that administrators can access
and use the same keys on multiple systems. This topology is useful when using EVFS with
Serviceguard.
NOTE: It is not efficient to store passphrase files in distributed directories. EVFS encrypts
passphrases with system-specific data, so you must generate a passphrase file on each system
where you want to use the file.
• EVFS always creates new keys in the first directory. The fallback directories are searched for
old keys only. If you have old keys from previous releases in different directories, you must list
those directories in the priv_key, pub_key, and pass_key statements so that EVFS can locate
them.
Syntax for pub_key, priv_key, and pass_key attribute statements
To configure EVFS to use alternate directories for the user keys and stored passphrases, you modify
the pub_key, priv_key, and pass_key attribute statements in the /etc/evfs/evfs.conf
file. The syntax for these attribute statements is as follows:
pub_key = library[pkeydir:key_directory,onfail:action]...
priv_key = library[pkeydir:key_directory,onfail:action]...
pass_key = library[pkeydir:key_directory,onfail:action]...
Each attribute statement must be on one input line, without line breaks or line continuation characters.
A statement can contain multiple library[specifications...] terms, separated by spaces.
A library[specifications] term cannot contain spaces.
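The statement syntax above is easy to get wrong by hand (a space inside a term, a wrapped line, a relative library path), and the first term quietly decides where every new key is written. The following checker is an added example and is not part of the guide or of the EVFS product; it applies the rules stated above to pub_key, priv_key, and pass_key lines from an evfs.conf file and reports where new keys go, which directories are fallbacks, and whether a pass_key directory sits on a shared mount (the note above explains why that does not work). The library path /path/to/evfs_library, the /nfs/evfs mount point, and the onfail value ACTION in the sample are placeholders, since this excerpt does not list the valid onfail actions.

```python
import re

# The three attribute statements the guide describes; anything else in
# /etc/evfs/evfs.conf is left alone by this checker.
KEY_ATTRS = ("pub_key", "priv_key", "pass_key")

# One term: library[pkeydir:key_directory,onfail:action]
# No whitespace may appear anywhere inside a term.
TERM_RE = re.compile(r"^(?P<library>[^\[\]\s]+)\[(?P<specs>[^\[\]\s]*)\]$")


def parse_term(term):
    """Parse one library[...] term into a dict, rejecting malformed terms."""
    m = TERM_RE.match(term)
    if m is None:
        raise ValueError("malformed term (library[spec,spec] expected, no spaces): %r" % term)
    library = m.group("library")
    if not library.startswith("/"):
        raise ValueError("library must be a fully qualified pathname: %r" % library)
    specs = {}
    for spec in m.group("specs").split(","):
        name, sep, value = spec.partition(":")
        if not sep or not name or not value:
            raise ValueError("spec must be name:value: %r in %r" % (spec, term))
        if name in specs:
            raise ValueError("duplicate spec %r in %r" % (name, term))
        specs[name] = value
    for required in ("pkeydir", "onfail"):
        if required not in specs:
            raise ValueError("term is missing %s: %r" % (required, term))
    if not specs["pkeydir"].startswith("/"):
        raise ValueError("pkeydir must be an absolute directory: %r" % specs["pkeydir"])
    # The valid onfail actions are not listed in this excerpt, so the value is kept as given.
    return {"library": library, "pkeydir": specs["pkeydir"], "onfail": specs["onfail"]}


def parse_statement(line):
    """Parse 'attr = term term ...' and return (attr, [term dicts])."""
    attr, sep, rest = line.partition("=")
    attr = attr.strip()
    if not sep or attr not in KEY_ATTRS:
        raise ValueError("not a pub_key/priv_key/pass_key statement: %r" % line)
    if rest.rstrip().endswith("\\"):
        raise ValueError("line continuation is not allowed in %s" % attr)
    terms = rest.split()
    if not terms:
        raise ValueError("%s has no library[...] terms" % attr)
    return attr, [parse_term(t) for t in terms]


def is_valid_statement(line):
    """True if the line is an acceptable key-database statement."""
    try:
        parse_statement(line)
    except ValueError:
        return False
    return True


def parse_conf(text):
    """Collect the key-database statements from evfs.conf text, keyed by attribute."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        head = line.partition("=")[0].strip()
        if head not in KEY_ATTRS:
            continue
        if head in result:
            raise ValueError("%s appears more than once" % head)
        attr, terms = parse_statement(line)
        result[attr] = terms
    return result


def new_key_directory(conf, attr):
    """EVFS creates new keys only in the first term's directory."""
    return conf[attr][0]["pkeydir"]


def fallback_directories(conf, attr):
    """Later terms are searched only for keys created in earlier releases."""
    return [t["pkeydir"] for t in conf[attr][1:]]


def shared_passphrase_dirs(conf, shared_mounts):
    """Return pass_key directories under any of the caller-supplied shared
    (e.g. NFS) mount points. Passphrase files are encrypted with system-specific
    data, so a shared copy is unusable on other hosts."""
    hits = []
    for term in conf.get("pass_key", []):
        d = term["pkeydir"].rstrip("/") + "/"
        if any(d.startswith(m.rstrip("/") + "/") for m in shared_mounts):
            hits.append(term["pkeydir"])
    return hits


# Constructed sample; the library path, the /nfs/evfs mount and the onfail
# value ACTION are placeholders, not values taken from the guide.
SAMPLE_CONF = """
pub_key = /path/to/evfs_library[pkeydir:/etc/evfs/pkey,onfail:ACTION] /path/to/evfs_library[pkeydir:/nfs/evfs/pkey,onfail:ACTION]
priv_key = /path/to/evfs_library[pkeydir:/etc/evfs/pkey,onfail:ACTION]
pass_key = /path/to/evfs_library[pkeydir:/nfs/evfs/pkey,onfail:ACTION]
other_attribute = untouched
"""

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for attr in KEY_ATTRS:
        print(attr, "new keys ->", new_key_directory(conf, attr),
              "fallbacks ->", fallback_directories(conf, attr))
    print("pass_key on shared storage:", shared_passphrase_dirs(conf, ["/nfs"]))
```

Run it against a copy of your evfs.conf (replace SAMPLE_CONF with the file contents) before restarting EVFS; a rejected line points at the exact term that breaks the one-line, no-spaces, absolute-path rules, and the pass_key report flags passphrase directories that only work on the host that generated them.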
The parameters have the following meanings:
pub_key Indicates that the attribute statement specifies EVFS behavior for user public keys.
priv_key Indicates that the attribute statement specifies EVFS behavior for user private keys.
pass_key Indicates that the attribute statement specifies EVFS behavior for passphrases that secure user private keys.
library Specifies the fully qualified pathname of the encryption and storage library.
Valid values:
30 Preparing EVFS for configuration