Encrypted Volume and File System v2.2 Administrator Guide (777846-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX Encrypted Volume and File System Software

Table 1 Key types and user capabilities

CapabilitiesKey type/user type

Any user with superuser privileges or the appropriate privileges and file permissions can

perform the following tasks (no EVFS key is required):

Superuser or appropriate

privileges and file

permissions for the device

files

• Start or stop the EVFS subsystem

• Map volumes to EVFS (create EVFS device files)

• Create user keys for other users

• Display information about EVS volumes

• Restore an EVS volume's EMD

If a user has the owner key for an EVS volume and the appropriate file permissions for

the device file, the user can perform the following tasks:

Owner Key

• Enable and disable EVS volumes

• Add and remove authorized user keys to EVS volumes

• Change the owner of an EVS volume

• Destroy an EVS volume (remove the EMD; the data is irrecoverable)

• Perform inline encryption

The user can also perform tasks that do not require EVS keys, such as displaying

information about EVS volumes.

If a user has the recovery key for an EVS volume and the appropriate file permissions

for the device file, the user can change the owner of an EVS volume.

The user can also perform tasks that do not require EVS keys, such as displaying

information about EVS volumes.

Recovery Key

If a user has an authorized user key for an EVS volume and the appropriate file

permissions for the device file, the user can enable and disable EVS volumes (note that

some backup procedures require the user to disable and enable the volume).

The user can also perform tasks that do not require EVFS keys, such as displaying

information about EVS volumes.

authorized user Key

Creating keys

Each user key pair has a key name. The default key name is the name of the user for whom the

key pair is created.

This section addresses the following topics:

• “Guidelines for creating user keys” (page 41)

• “Creating keys for EVS volume owners” (page 42)

• “Creating recovery keys” (page 43)

• “Creating keys for authorized users” (page 43)

Guidelines for creating user keys

Use the following guidelines to determine the number and types of user keys to create.

• At a minimum, you must create one user key pair (public/private key pair) for the EVS volume

owner.

• You can use one key pair for multiple EVS volumes, but using a unique key pair for each EVS

volume is more secure.

• HP recommends that you create at least one recovery key pair. You can use a recovery key

to assign a new owner to a volume if the owner key pair is lost or compromised. HP

recommends that you store the private recovery key off line.

• To use the autostart feature, you must create a passphrase file. Passphrase files are a security

risk. If you use a passphrase file, you can reduce the security risk by creating a user key pair

Creating keys 41