HP-UX 11i Encrypted Volume and File System (EVFS) Best Practice (2009)

Temporary file creation (EFS mode only)
In EFS mode only the directories configured for encryption are protected, so an application that writes a copy of its data somewhere else leaves clear text on disk. Editors are a common example: vi keeps its edit buffer in a scratch file (typically under /tmp) and saves recovery copies outside the document's directory, so a sensitive document edited with vi may exist in clear text in a directory that is not encrypted. Before an application is trusted with sensitive or private data, validate where it writes temporary, backup and recovery files, and either configure it to use an encrypted directory or add that directory to the encrypted set.
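One way to carry out that validation, as an added example that is not part of the original paper: gather the paths an application writes (on HP-UX a system-call trace such as tusc, or fuser/lsof on the running process, will give them; here a constructed list standing in for a vi session is embedded so the script runs offline) and report every path that is not under an encrypted directory. The directory list and the sample paths are assumptions for the example.

```shell
#!/usr/bin/sh
# Added example (not from the HP-UX EVFS paper): report files that an
# application wrote outside the directories backed by EVFS encryption.
#
# Assumptions (not stated in the paper):
#   - ENC_DIRS lists the mount points of the EVFS-backed file systems.
#   - The paths the application opened for writing would normally come from a
#     system-call trace or from fuser/lsof; a constructed list is embedded
#     here so the check runs without a real editor session.

ENC_DIRS="/secure/data /secure/reports"

# Constructed sample of paths written during an editor session: the document
# itself lives under an encrypted mount, but the editor's scratch buffer and
# recovery copy do not.
SAMPLE_PATHS="/secure/data/payroll.txt
/tmp/Ex12345
/var/preserve/operator/Ex12345
/secure/reports/q4.txt"

# under_encrypted_dir PATH: succeed if PATH is one of ENC_DIRS or lies
# beneath one of them.
under_encrypted_dir() {
    p=$1
    for d in $ENC_DIRS; do
        case $p in
            "$d"/*|"$d") return 0 ;;
        esac
    done
    return 1
}

# clear_text_paths: print each sample path that is outside every encrypted
# directory, one per line.
clear_text_paths() {
    printf '%s\n' "$SAMPLE_PATHS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        under_encrypted_dir "$p" || printf '%s\n' "$p"
    done
}

# count_clear_text: number of offending paths; 0 means the application
# kept everything on encrypted storage.
count_clear_text() {
    clear_text_paths | wc -l | tr -d ' '
}

main() {
    n=$(count_clear_text)
    if [ "$n" -eq 0 ]; then
        echo "OK: every written file is under an EVFS-backed directory"
    else
        echo "WARNING: $n file(s) written outside encrypted directories:"
        clear_text_paths
    fi
}

main
```

With the constructed input the two scratch files under /tmp and /var/preserve are reported and the two documents are not. In practice, replace SAMPLE_PATHS with the paths from the trace, and for vi specifically point its scratch directory at an encrypted location (the `directory` option in ex/vi) or exclude it from editing sensitive files.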
Periodic EVFS tasks
Administrators should check EVFS status on a schedule, not only after changes, to confirm that every encrypted volume is enabled and mounted on its EVFS device rather than on the underlying logical volume. Encryption counters and throughput rates should be monitored as well; a volume that shows no encryption activity while its file system is busy indicates that data is bypassing EVFS.
In EFS mode the periodic task is to confirm that encryption of the important files and directories has not been disabled, whether by accident or by an administrative change. Audit records and system logs should be reviewed at the same interval so that any exposure of clear text data is detected promptly rather than at the next incident.
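The mount part of that periodic check, as an added example that is not from the original paper: an administrator-maintained list of expected "mount point, EVFS device" pairs is compared against the system's mount table, and each entry is reported as OK, MISSING (not mounted) or CLEAR (mounted on a device that is not the expected EVFS device). The expected list, the device naming under /dev/evfs and the embedded mount output are assumptions; in production the mount lines would come from `mount -v`, and the encryption counters the paper mentions would be read separately with the EVFS administration commands.

```shell
#!/usr/bin/sh
# Added example (not from the HP-UX EVFS paper): periodic check that every
# file system expected to sit on an EVFS volume is mounted, and mounted on
# its EVFS device rather than on the underlying logical volume.
#
# Assumptions (not stated in the paper):
#   - EXPECTED lists "mountpoint device" pairs maintained by the administrator;
#     device paths under /dev/evfs/ are the EVFS-mapped block devices.
#   - MOUNT_OUTPUT would be the output of `mount -v`; a constructed sample in
#     the same shape is embedded here so the check runs offline.

EXPECTED="/secure/data /dev/evfs/vg01/lvol1
/secure/reports /dev/evfs/vg01/lvol2
/secure/archive /dev/evfs/vg02/lvol1"

# Constructed sample: /secure/data is correct, /secure/reports has been
# mounted on the plain logical volume, and /secure/archive is not mounted.
MOUNT_OUTPUT="/ on /dev/vg00/lvol3 type vxfs ioerror=mwdisrupt,largefiles,delaylog on Mon Mar  2 08:00:00 2009
/secure/data on /dev/evfs/vg01/lvol1 type vxfs ioerror=mwdisrupt,largefiles,delaylog on Mon Mar  2 08:00:05 2009
/secure/reports on /dev/vg01/lvol2 type vxfs ioerror=mwdisrupt,largefiles,delaylog on Mon Mar  2 08:00:06 2009"

# mounted_device MOUNTPOINT: print the device MOUNTPOINT is mounted on, or
# nothing if it is not in the mount table.
mounted_device() {
    printf '%s\n' "$MOUNT_OUTPUT" | awk -v mp="$1" '$1 == mp && $2 == "on" { print $3 }'
}

# check_evfs_mounts: print one "STATUS mountpoint device" line per expected
# entry. STATUS is OK, MISSING (not mounted) or CLEAR (mounted, but not on
# the expected EVFS device; the device actually in use is printed).
check_evfs_mounts() {
    printf '%s\n' "$EXPECTED" | while read -r mp dev; do
        [ -n "$mp" ] || continue
        actual=$(mounted_device "$mp")
        if [ -z "$actual" ]; then
            echo "MISSING $mp $dev"
        elif [ "$actual" != "$dev" ]; then
            echo "CLEAR $mp $actual"
        else
            echo "OK $mp $dev"
        fi
    done
}

# count_evfs_problems: number of entries that are not OK (awk is used so the
# count is printed even when it is zero).
count_evfs_problems() {
    check_evfs_mounts | awk '$1 != "OK" { n++ } END { print n + 0 }'
}

main() {
    check_evfs_mounts
    n=$(count_evfs_problems)
    if [ "$n" -eq 0 ]; then
        echo "EVFS mount check: PASS"
    else
        echo "EVFS mount check: FAIL, $n problem(s) listed above"
    fi
}

main
```

A cron wrapper can alert whenever `count_evfs_problems` prints a non-zero value. The CLEAR case is the one worth singling out: a mount point that exists but is served by a non-EVFS device means the file system was recreated or remounted outside the encrypted mapping, and everything written to it since is in clear text.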
Disk Disposal and Recycling
Disks encrypted with EVFS can be discarded or recycled without physical destruction, because only ciphertext is stored on them. This is especially useful for defective disks, where the data may still be readable by whoever receives the disk but can no longer be overwritten by the owner. The protection rests entirely on the keys: the disk is only as safe as the private keys able to unwrap its volume key, so those keys must not leave with the disk and should be retired once the volume is decommissioned. An EVFS disk can likewise be redeployed for other use; if the previous contents must not be recoverable by the new users, redeploy it under a new volume key rather than reusing the old one.
Conclusion
This paper presents a set of best practices for HP-UX 11i EVFS, but no single set fits every deployment. Different organizations will develop their own practices and methodologies, and many users and administrators will discover new and improved ones along the way. Sharing those practices within the community makes users more confident in adopting encryption technologies such as HP-UX 11i EVFS.
Acronyms
AES: Advanced Encryption Standard
DSF: Device Special File
EFS: Encrypted File System mode
EMD: Encryption Meta Data
EVFS: Encrypted Volume and File System
EVS: Encrypted Volume System mode
FIPS: Federal Information Processing Standards
PCI DSS: Payment Card Industry Data Security Standard
TCS: Trusted Computing Services
TPM: Trusted Platform Module