Administrator's Guide

Step 2: (Optional) Configuring Alternate Key Database Directories
EVFS stores user key data (public keys, private keys, and stored passphrases) in a key database.
By default, EVFS stores this database in subdirectories and files under the /etc/evfs/pkey
directory. You can modify the pub_key, priv_key, and pass_key attribute statements in the
/etc/evfs/evfs.conf file to configure EVFS to store the key database in alternate directories.
TIP: Configuring alternate key database directories is optional, and you can skip this step in
most topologies.
You can use alternate database directories as follows:
• Store public keys, private keys, and passphrase files in different directories according to data type (key type or stored passphrase). For example, you can configure EVFS to store public keys in a public directory because exposing public keys is not a security vulnerability.
• Store public and private keys in distributed file directories. For example, you can configure EVFS to store public and private keys in an NFS directory so that administrators can access and use the same keys on multiple systems. This topology is useful when using EVFS with Serviceguard.
  NOTE: It is not efficient to store passphrase files in distributed directories. EVFS encrypts passphrases with system-specific data, so you must generate a passphrase file on each system where you want to use the file.
• Use fallback directories to allow users without superuser privileges to create user keys. By default, users must have superuser privileges to create EVFS keys because the default key storage directory, /etc/evfs/pkey, is writable only by superusers. You can configure EVFS to use a fallback storage directory if access to the /etc/evfs/pkey directory fails. This enables EVFS to store keys created by users with superuser privileges in the protected /etc/evfs/pkey directory and to allow users without superuser privileges to create EVFS keys in the fallback directory.
Syntax for pub_key, priv_key, and pass_key Attribute Statements
To configure EVFS to use alternate directories for the user keys and stored passphrases, you
modify the pub_key, priv_key, and pass_key attribute statements in the
/etc/evfs/evfs.conf file. The syntax for these attribute statements is as follows:
pub_key = library[pkeydir:key_directory,onfail:action]...
priv_key = library[pkeydir:key_directory,onfail:action]...
pass_key = library[pkeydir:key_directory,onfail:action]...
Each attribute statement must be on one input line, without line breaks or line continuation
characters. A statement can contain multiple library[specifications...] terms, separated
by spaces. A library[specifications] term cannot contain spaces.
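As an added check (example code written against the syntax rules above, not a tool shipped with EVFS or HP-UX), the following POSIX shell functions lint a pub_key, priv_key, or pass_key statement and print the key directories it names in the order EVFS would try them, and report whether a key directory is writable by anyone other than its owner. Owner-only write access is what makes the default /etc/evfs/pkey directory safe against users without superuser privileges adding or replacing keys, and it matters for a public-key directory too: public keys may be readable by everyone, but they must not be replaceable by everyone. This page does not list the valid onfail action values, so the checks only require that some action be present, and the usage note below uses the placeholder ACTION where one is needed.

```shell
#!/bin/sh
# Added example (not from the EVFS guide): lint the pub_key / priv_key / pass_key
# attribute statements of an evfs.conf against the syntax rules given in this step.
#
#   <attr> = library[pkeydir:key_directory,onfail:action] ...
#
#   - the whole statement is one input line: no line breaks, no continuation characters
#   - terms are separated by spaces and a term itself contains no spaces
#   - library is the fully qualified pathname of the .so encryption and storage library
#
# The valid onfail action values are not described on this page, so only the presence
# of an action is checked. On success, one key_directory is printed per line (in
# fallback order); on the first error a message goes to stderr and the status is 1.
evfs_check_keystmt() {
    stmt=$1

    # One input line, without line breaks or line-continuation characters.
    case $stmt in
        *'
'*|*\\*)
            echo "error: statement must be a single line with no continuation characters" >&2
            return 1 ;;
    esac

    # Split at the first '=' into the attribute name and the list of terms.
    attr=$(printf '%s' "${stmt%%=*}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    terms=${stmt#*=}
    case $attr in
        pub_key|priv_key|pass_key) ;;
        *) echo "error: expected pub_key, priv_key or pass_key, got '$attr'" >&2; return 1 ;;
    esac

    # Parse the terms in a subshell with pathname expansion off, so that the
    # [ ... ] in each term is treated as EVFS syntax rather than as a shell glob.
    (
        set -f
        n=0
        for term in $terms; do
            n=$((n + 1))
            lib=${term%%\[*}            # everything before the first '['
            spec=${term#"$lib"}         # the bracketed specification
            case $lib in
                /*.so) ;;
                *) echo "error: term $n: library must be a fully qualified .so pathname" >&2; exit 1 ;;
            esac
            case $spec in
                '[pkeydir:/'*',onfail:'?*']') ;;
                *) echo "error: term $n: expected [pkeydir:key_directory,onfail:action]" >&2; exit 1 ;;
            esac
            dir=${spec#'[pkeydir:'}
            printf '%s\n' "${dir%%,onfail:*}"
        done
        [ "$n" -gt 0 ] || { echo "error: no library[...] terms given" >&2; exit 1; }
    )
}

# Report whether key_directory is writable only by its owner, as /etc/evfs/pkey is
# by default. A group- or world-writable key directory lets any local user add or
# replace keys, so check this for every directory a statement names except a
# deliberately shared fallback directory. Uses ls -ld rather than stat(1) so that
# it also runs on HP-UX.
evfs_keydir_owner_only_write() {
    dir=$1
    [ -d "$dir" ] || { echo "error: $dir is not a directory" >&2; return 1; }
    mode=$(ls -ld "$dir" | cut -c1-10)      # e.g. drwxr-xr-x
    case $mode in
        ?????w*|????????w*)                 # group write (pos 6) or world write (pos 9)
            echo "warning: $dir is group- or world-writable ($mode)" >&2
            return 1 ;;
    esac
    return 0
}
```

To run the lint over a real configuration, feed it each key statement from the file, for example with `grep -E '^(pub|priv|pass)_key[[:space:]]*=' /etc/evfs/evfs.conf | while IFS= read -r line; do evfs_check_keystmt "$line"; done`, and pass each printed directory to evfs_keydir_owner_only_write. A statement such as `pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey/pub,onfail:ACTION]` (ACTION standing in for one of the action values the guide defines) passes the syntax check; the same statement with a space after the comma, or split over two lines with a trailing backslash, is rejected.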
The parameters have the following meanings:
pub_key
Indicates that the attribute statement specifies EVFS behavior for user public
keys.
priv_key
Indicates that the attribute statement specifies EVFS behavior for user
private keys.
pass_key
Indicates that the attribute statement specifies EVFS behavior for
passphrases that secure user private keys.
library
Specifies the fully qualified pathname of the encryption and storage library.
Valid values:
/usr/lib/evfs/hpux64/libevfs_pkey.so (HP Integrity servers)