Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)
Example: Alternate directory for public keys
The following attribute statements configure EVFS to store public keys in the user-created directory
/etc/evfs/mykeys/users and to store private keys and passphrase files in the directory
/etc/evfs/pkey/users:
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/mykeys,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
Example: NFS directory for public and private keys
The following attribute statements configure EVFS to store public and private keys in the NFS-mounted
directory /nfs_server1/etc/evfs/pkey/users and to store passphrase files in the local
directory /etc/evfs/pkey/users:
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/nfs_server1/etc/evfs/pkey,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/nfs_server1/etc/evfs/pkey,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
To use the autostart feature for volumes that have keys stored in NFS-mounted directories, you must
specify the boot_remote option in the /etc/evfs/evfstab file. For more information,
see “Step 6: (Optional) Configuring the autostart feature” (page 34).
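The check below is an added example, not part of the HP guide or of EVFS itself. It parses key-storage attribute statements of the form shown above, derives the users directory from each pkeydir, and lists the attributes whose keys sit under an NFS mount point and therefore need the boot_remote option for autostart. The function names, the SAMPLE text, and the assumption that /nfs_server1 is the NFS mount point are illustrative.

```python
import re
from pathlib import PurePosixPath

# Matches: attr = /path/to/lib.so[opt:value,opt:value]
STMT = re.compile(r"^\s*(pub_key|priv_key|pass_key)\s*=\s*(\S+?)\[([^\]]*)\]\s*$")

# Constructed sample: the NFS example statements from this section.
SAMPLE = """\
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/nfs_server1/etc/evfs/pkey,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/nfs_server1/etc/evfs/pkey,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
"""

def parse_key_stores(conf_text):
    """Return {attribute: {"lib", "opts", "user_dir"}} for each key statement."""
    stores = {}
    for line in conf_text.splitlines():
        m = STMT.match(line)
        if not m:
            continue  # other attributes and non-matching lines are ignored
        attr, lib, raw = m.groups()
        opts = dict(o.split(":", 1) for o in raw.split(",") if ":" in o)
        # In the guide's examples, keys for pkeydir:<dir> live in <dir>/users.
        user_dir = None
        if "pkeydir" in opts:
            user_dir = str(PurePosixPath(opts["pkeydir"]) / "users")
        stores[attr] = {"lib": lib, "opts": opts, "user_dir": user_dir}
    return stores

def needs_boot_remote(stores, nfs_mounts):
    """Attributes whose key directory is at or below one of nfs_mounts."""
    mounts = {PurePosixPath(m) for m in nfs_mounts}
    hits = []
    for attr, store in stores.items():
        if store["user_dir"] is None:
            continue
        path = PurePosixPath(store["user_dir"])
        # Compare whole path components, so /nfs does not match /nfs_server1.
        if mounts & {path, *path.parents}:
            hits.append(attr)
    return hits

if __name__ == "__main__":
    stores = parse_key_stores(SAMPLE)
    for attr, store in stores.items():
        print(attr, "->", store["user_dir"])
    # Assumption: /nfs_server1 is the NFS mount point on this host.
    print("needs boot_remote:", needs_boot_remote(stores, ["/nfs_server1"]))
```
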
Step 3: (Optional) Modifying EVFS global parameters
Edit the /etc/evfs/evfs.conf file to modify EVFS global parameters. This step is optional,
and you can use the default attribute values for most installations. Three attributes you might want
to modify are:
• data_cipher
The data_cipher attribute specifies the default data encryption algorithm (the algorithm
EVFS uses to encrypt volume data). You can also specify the data encryption algorithm when
you enter the evfsvol create command, as described in “Step 1: Configuring an EVS volume”
(page 45).
Valid values:
aes-128-cbc (128-bit AES CBC)
aes-192-cbc (192-bit AES CBC)
aes-256-cbc (256-bit AES CBC)
aes-128-cfb (128-bit AES CFB)
aes-192-cfb (192-bit AES CFB)
aes-256-cfb (256-bit AES CFB)
A longer key length provides more security, but slows data transfer rates.
Default: aes-128-cbc
• file_cipher
The file_cipher attribute specifies the default file encryption algorithm (the algorithm EVFS
uses to encrypt file data). You can also specify the file encryption algorithm when you enter
the evfsvol create command, as described in “Step 1: Configuring an EVS volume” (page 45).
Valid values:
aes-128-cfb (128-bit AES CFB)
aes-192-cfb (192-bit AES CFB)
aes-256-cfb (256-bit AES CFB)
The following ciphers are valid only for IA:
aes-128-cbc (128-bit AES CBC)
32 Preparing EVFS for configuration