HP-UX 11i Encrypted Volume and File System (EVFS) Best Practice (2009)

Continually monitor or audit all automated and manual actions.
Ensure procedures are in place to ensure the integrity and security of logs.
Each organization should develop its own guidelines and procedures to satisfy its own specific
security requirements.
Selecting Data for Encryption
Because of the overhead associated with data encryption, only sensitive and private data should
be encrypted. HP-UX 11i EVFS has some restrictions on the types of volumes that can be
encrypted. For example, root and swap volumes cannot be encrypted with EVFS (see the EVFS
Administration Guide [1] for more detail). In general, executables and configuration files do
not need to be protected. For example, the executables can reside in a separate non-encrypted
volume.
After the encrypted data set is selected, correct access permissions need to be assigned for
each user and application. An entity-relationship diagram is helpful in this analysis.
Selecting EFS or EVS mode
With HP-UX 11i EVFS, a disk or volume can be configured to be in either EVS mode (volume
level) or EFS mode (file level), but never both. If protecting data at rest is the only objective,
volume level encryption is preferred over file level encryption. File level encryption is used when
additional access control is required. Below is a brief summary:
| EVS mode | EFS mode |
| --- | --- |
| Entire volume is encrypted. | Encryption is selectable by file, directory or file system. |
| Protects data at rest only. | In addition to protecting data at rest, it provides additional user access control. |
| Root privilege is required to create and enable the volume. | Users can create, access and delete individual encrypted files. |
| Once enabled, access control through standard UNIX permissions. | Access is controlled through secure session in addition to standard UNIX permissions. |
| One encryption key per volume. | One encryption key per file. More overhead if there are lots of file open and close operations. |
| Once enabled, root has access to encrypted content. | Root access to encrypted content can be disabled. |
| Additional users can be added to the volume access list. | EFS group permissions can be added to the encrypted files. |
| No file system required. | Supported on HFS and VxFS only. |
| Once enabled, the volume can be accessed. | Need to be in secure session to access encrypted files. |
| Incremental back up can be done only with clear text data. | Incremental back up can be done with encrypted files. |