Administrator's Guide

Glossary
AES Advanced Encryption Standard. AES uses symmetric key block encryption. EVFS supports
AES with a 128-bit, 256-bit, or 292-bit key for encrypting volume data. AES is suitable for
encrypting large amounts of data.
authorized user A user who is authorized to enable and disable an EVFS volume, and perform other
administrative operations on an EVFS volume. If an authorized user has the appropriate file
permissions for the EVFS device file, he can perform nearly all the same EVFS operations as
the volume owner, including enabling and disabling encryption and decryption access to an
EVFS volume.
autostart An EVFS feature that automatically enables EVFS volumes at system startup, without manual
intervention.
cleartext Data that is not encrypted.
cluster key pair An EVFS key pair used by multiple nodes in a Serviceguard cluster.
EMD Encryption metadata. The EMD contains EVFS operating parameters for an EVFS volume,
including the encryption algorithm. The EMD also includes key records. Each key record
contains the volume encryption key, encrypted with a user's public key.
encryption The process of converting data from a readable format to a nonreadable format for privacy.
Encryption functions usually take data and a cryptographic key (value or bit sequence) as input.
key record An entry in the EMD of a volume. The key record contains the volume encryption key, encrypted
with a user's public key. The user's private key is used to decrypt and extract the volume
encryption key for use. A key record is sometimes referred to as an envelope.
owner See volume owner.
passphrase A text string that EVFS uses to encrypt a user's private key.
passphrase file A file containing a passphrase, encrypted with system-specific information. The EVFS subsystem
can decrypt the passphrase file and extract a user's private key. EVFS can then use the user's
private key to extract the volume encryption key from a key record.
A passphrase file can be used to perform EVFS operations, such as enabling an EVFS volume,
without human intervention. A passphrase file is also a security risk.
private key 1. The key in a public/private key pair that is not distributed to other parties. Data encrypted
with the public key can be decrypted only with the private key.
2. Any encryption key that is distributed to restricted parties, including a symmetric key.
public key cryptography
A cryptographic method using two mathematically related keys (k1 and k2) such that data
encrypted with k1 can be decrypted only using k2. In addition, most algorithms provide
assurance that only the holder of k1 can correctly encrypt data that can be decrypted by k2.
One key must be private (known only to the owner), but the second key can be widely known
(public), which makes key distribution easy to manage. Public key encryption is computationally
expensive, so it is impractical for bulk data encryption. Instead, public key cryptography is
usually used to authenticate data or to encrypt ("wrap") symmetric keys.
Also referred to as asymmetric key cryptography (the two keys are not the same) or
public-private key cryptography.
recovery key A key pair that a user can use to change the owner of an EVFS volume. Only a user who has
the private recovery key file or an EVFS volume owner can assign a new EVFS volume owner.
RSA (Rivest-Shamir-Adleman) A public/private key cryptosystem that is used for privacy (encryption)
and authentication (signatures). For encryption, system A can send data encrypted with system
B's public key. Only system B's private key can decrypt the data.
EVFS uses RSA cryptography to secure volume encryption keys. EVFS supports 1024-bit,
1536-bit, and 2048-bit RSA keys.
symmetric key cryptography
A cryptographic method that uses the same key (bit string) to encrypt and decrypt the data.