Manualshelf

Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP HP-UX Encrypted Volume and Filesystem (EVFS)
21222324252627282930
User Key Privileges
EVFS defines the following types of user keys and restricts the execution of EVFS commands
based on these keys and HP-UX user privileges:
EVFS volume owner keys
Recovery keys
Authorized user keys
User Privileges and Permissions
Some EVFS commands do not require user keys. Only users with the appropriate privileges can
execute these commands. By default, the appropriate privilege required for these EVFS commands
is superuser privilege. See the privileges(5) manpage for more information about HP-UX privileges.
To perform operations on EVFS volumes and other volumes, users must also have the appropriate
file access permissions for the associated device files. In most installations, users who want to
perform operations on EVFS volumes must have superuser privileges.
NOTE: EVFS user keys restrict execution of EVFS commands only. Read, write and execute
access to data on EVFS volumes is still restricted by normal HP-UX file permissions and access
controls.
EVFS Volume Owner Keys
When you create an EVFS volume, you specify the volume owner key or owner key for the
volume. The user who owns the volume owner key (the volume owner) can use the key to
perform administrative operations on an EVFS volume, including enabling and disabling EVFS
for the volume. The owner can also add additional key records to the EMD.
Recovery Keys
A recovery key enables you to change a volume owner key if the owner's keys are not available.
Only the recovery key and the owner key can be used to change the owner key of an EVFS
volume. The only operation you can perform with a recovery key is to change the owner key for
an EVFS volume.
At installation, EVFS creates an EVFS pseudo-user account, evfs, if it does not already exist.
Recovery keys are owned by this pseudo-user.
HP recommends that you configure a recovery key for each volume, but configuring recovery
keys is not mandatory for normal EVFS operation. You can configure up to two recovery key
pairs per EVFS volume.
Authorized User Keys
A volume owner can configure additional user keys to use to perform administrative operations
on the EVFS volume. These user keys are authorized user keys for the volume.
A user with an authorized user key and the appropriate file system permissions for the volume
device files can perform the same EVFS operations that the holder of an owner key can perform,
except changing the EVFS volume owner, adding and deleting additional keys to a volume, and
destroying the EVFS volume by removing the EMD.
Summary of Key Type and Privileged User Capabilities
Table 1-1 summarizes the capabilities for the different key types and for users with superuser
privileges or the appropriate privileges.
24 EVFS Introduction