HP-UX 11i Encrypted Volume and File System (EVFS) Best Practice (2009)
Secure Passphrase
The private key of each key pair is always protected by a passphrase. The minimum passphrase
length is 8 characters. Since encrypted data is only as secure as the complexity and obscurity of
the passphrase, the passphrase must be strong enough to protect the data.
If the passphrase is lost or forgotten, these are the methods to retrieve the data:
1) If a recovery agent is configured, the data can be retrieved with the recovery agent.
2) In EVS mode, if there are other users assigned to the volume, the data can be retrieved by
these users.
3) In EFS mode, if a group key is configured, the data can be retrieved by other users in the
group.
4) If a key manager is configured, the passphrase can be reset by the key manager if this feature
is enabled.
If none of the above options are available, the data can be considered irretrievable.
Off-line Key Storage
Users should consider exporting their keys to removable media and storing the media securely
when it is not in use. For the greatest possible security, the private key must be removed
from the computer whenever the computer is not in use. This protects against attackers who
physically obtain the computer and try to access the private key. When the encrypted data must
be accessed, the private key can easily be imported from the removable media.
• Keep keys on-line only when needed. For example, in EVS mode, once an encrypted
volume is enabled, the keys are not needed until the next administrative task. As another
example, in EFS mode, users or administrators might decide to bring the keys on-line only
when entering a secure session. It may be a good policy to keep the key storage off-line
until it is needed again, though this requires manual intervention.
• Do not store the public/private keys or passphrase files on the same disk or volume as
encrypted data.
• Keep a historical archive of all keys off-line.
HP-UX 11i EVFS provides the option of storing public keys, private keys and passphrase files in
different locations. However, users should put all key files, both public and private, in one place.
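The rule above about not keeping key or passphrase files on the same volume as encrypted data can be checked with a short script. This is an added example, not part of the HP paper or of EVFS itself; the key directory and data mount points are passed as arguments and are site-specific assumptions.

```shell
#!/bin/sh
# Added example: verify that EVFS key storage does not share a file system
# with encrypted data. All paths passed in are site-specific assumptions.

# Print the device (first column of POSIX-format df output) holding a path.
fs_of() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $1 }'
}

# check_key_placement KEY_DIR DATA_MOUNT...
# Returns 0 when KEY_DIR is on a different file system from every
# DATA_MOUNT, 1 when it shares one, 2 when a path cannot be resolved.
check_key_placement() {
    key_dir=$1
    shift
    key_fs=$(fs_of "$key_dir")
    if [ -z "$key_fs" ]; then
        echo "ERROR: cannot resolve file system for $key_dir" >&2
        return 2
    fi
    status=0
    for mnt in "$@"; do
        data_fs=$(fs_of "$mnt")
        if [ -z "$data_fs" ]; then
            echo "ERROR: cannot resolve file system for $mnt" >&2
            return 2
        fi
        if [ "$data_fs" = "$key_fs" ]; then
            echo "FAIL: $key_dir and $mnt are both on $key_fs"
            status=1
        else
            echo "OK:   $key_dir ($key_fs) is separate from $mnt ($data_fs)"
        fi
    done
    return $status
}

# Run the check when called as: script KEY_DIR DATA_MOUNT [DATA_MOUNT...]
if [ "$#" -ge 2 ]; then
    check_key_placement "$@"
fi
```

The comparison is at the file system level only: two logical volumes carved from the same physical disk will pass, so the disk layout still has to be reviewed separately.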
Key sharing and distribution
Key sharing and distribution are important in an enterprise environment. Keys created locally on
one system cannot be used on another system. There are two main methods for key sharing –
distribution or replication.
In key distribution, keys are distributed through a mechanism such as NFS. Simultaneous writes to
key storage should be avoided. Special consideration is required if auto start is required (see
the EVFS Auto Boot section).