HP-UX 11i Encrypted Volume and File System (EVFS) Best Practice (2009)

For example, to deny administrators access to the encrypted data, users should use EFS mode to
protect the information. Likewise, if the application must access a raw volume directly
instead of a file system, only EVS mode can be used.

Key Management

HP-UX 11i EVFS has a built-in key management facility to manage key pairs for users, groups
and recovery agents. Each EVFS key pair has an associated key identifier (key-id) that consists of
2 parts: a user name (or group name) and a key name, separated by a period character.
For example, the key-id evfs.archive belongs to user evfs and has the key name archive.
Keys with a user name as the key name are used by EFS to encrypt user files (e.g. user.user).
During key creation, when a key name must be supplied, users should choose meaningful key
names. For better protection, do not use the same key pair for both EFS and EVS.
EVFS does not enforce management of the key life cycle as described in the NIST Recommendation [9].
It’s up to the user or organization to enforce the security policies and procedures.

Differences between EFS and EVS keys

Both EFS and EVS keys are stored in the same directories specified in the EVFS configuration file
(/etc/evfs/evfs.conf).

| EVS mode | EFS mode |
|---|---|
| There are 2 types of keys used - User key and recovery key. For EVFS 2.0, an encrypted volume can be associated with 1 owner key, up to 1024 user keys and up to 2 recovery keys. | There are 3 types of keys used - User key, group key and recovery key. For EVFS 2.0, an encrypted file can be associated with 1 owner key and optionally 1 group key and 1 recovery key. |
| Keys are used only for the duration of the volume commands such as evfsvol. | Keys are used for the duration of the session and all its child processes. |
| User keys are created manually. | User keys can be created automatically when entering secure session for the first time. |
| Administrators manage all keys. Users can also manage their own keys. | Administrators manage user and recovery keys. Key managers manage both user and group keys. Users can also manage their own keys. |
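
The following Python audit is an added example, not code from the HP paper or from EVFS itself. It checks a key inventory against the key-id format, the advice to keep EFS and EVS key pairs separate, and the EVFS 2.0 per-volume and per-file limits listed above. The inventory tuple layout, the object names, and splitting the key-id at the first period are assumptions made for illustration.

```python
from collections import defaultdict

# Per-object association limits stated for EVFS 2.0 in the comparison above.
LIMITS = {"EVS": {"owner": 1, "user": 1024, "recovery": 2},
          "EFS": {"owner": 1, "group": 1, "recovery": 1}}

def parse_key_id(key_id):
    """Split 'name.keyname' at the first period (assumed split rule)."""
    owner, sep, key_name = key_id.partition(".")
    if not (sep and owner and key_name):
        raise ValueError(f"malformed key-id: {key_id!r}")
    return owner, key_name

def audit(associations):
    """Check (mode, object, role, key_id) tuples; return sorted findings."""
    findings, counts, modes_by_key = [], defaultdict(int), defaultdict(set)
    for mode, obj, role, key_id in associations:
        try:
            parse_key_id(key_id)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if role not in LIMITS.get(mode, {}):
            findings.append(f"{obj}: {mode} has no {role} key type ({key_id})")
            continue
        counts[(mode, obj, role)] += 1
        modes_by_key[key_id].add(mode)
    for (mode, obj, role), n in counts.items():
        limit = LIMITS[mode][role]
        if n > limit:
            findings.append(f"{obj}: {n} {role} keys exceeds {mode} limit of {limit}")
    for key_id, modes in modes_by_key.items():
        if len(modes) > 1:  # the page advises separate key pairs per mode
            findings.append(f"{key_id}: same key pair used for both EFS and EVS")
    return sorted(findings)

# Constructed sample inventory (hypothetical format, not evfs tool output).
SAMPLE = [
    ("EVS", "vol-A", "owner", "evfs.archive"),
    ("EVS", "vol-A", "recovery", "evfs.rec1"),
    ("EVS", "vol-A", "recovery", "evfs.rec2"),
    ("EVS", "vol-A", "recovery", "evfs.rec3"),   # third recovery key
    ("EFS", "file-1", "owner", "alice.alice"),   # user.user style EFS key
    ("EFS", "file-2", "owner", "evfs.archive"),  # reused from vol-A
    ("EVS", "vol-B", "group", "staff.shared"),   # group keys are EFS-only
    ("EFS", "file-3", "owner", "nokeyname"),     # no period separator
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```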

Encryption Keys

To minimize complexity, the symmetric encryption keys are wrapped with user keys and stored
in the Encryption Meta Data (EMD) header, which resides at the beginning of the actual
volume or file. Unlike other solutions where the associations between the encryption key and the
encrypted data are stored in an external key management device, the EMD is always
associated with the encrypted data. Therefore, there is no need for administrators or users to
manage these symmetric encryption keys separately.