Manualshelf

HP-UX 11i Encrypted Volume and File System (EVFS) Best Practice (2009)

ManualsBrandsHP ManualsSoftwareHP-UX Encrypted Volume and File System Software
12345678910
4
Barrier EVFS solution
Performance
Encryption algorithm is optimized for the architecture. Performance is
scalable with number of CPUs. A white paper on EVFS performance is
available (see [4].)
The intended audiences for this document are customers who are interested in deploying EVFS
or have already deployed EVFS on HP-UX 11i.
Executive Summary
Technology alone does not solve security problem. For an organization to be successful at
deploying an encryption solution, formalized policies, processes and procedures need to be in
place. The purpose of this paper is to share some of these best practices on HP-UX 11i EVFS.
The basic steps for deployment of EVFS are:
1. Determining the security objectives - Clearly document objectives and requirements.
2. Planning the project and designing the solution Clearly document policies, processes
and procedures. This includes the impacts and changes to the current practice.
3. Preparing and configuring the software. The limitation of the solution must be documented
and mitigated.
4. Testing and validating solution. Thorough validation testing to ensure the solution satisfies
the stated objectives and requirements. Validation should include searching for known
written data pattern in the encrypted volume. Data recovery mechanisms and procedures
need to be exercised to ensure complete data integrity after recovery.
5. And finally, rolling out the data encryption solution.
This paper advocates that more emphasis should be placed on the planning and design phase
(step 2.) Proactive planning will minimize problems in deployment and operation of the
encryption solution.
Strategy, Policy and Procedure
Before implementing a data encryption solution, policies and procedures need to be
established. There are many publications that contain useful information (see [7] and [11].) A
good recommendation for key management is SP 800-57 (see [8] and [9].) Some of more
notable practices are:
Ensure the enterprise's business and security objectives are well understood before choosing
and deploying key management.
Plan for all aspects of the key management life cycle and for future scalability in terms of
both system size and diversity.
Never transmit or store passphrases and keys in an unencrypted format.
Back up keys on a regular interval to a separate media, system or dedicated hardware
device.