Administrator's Guide

/usr/lib/evfs/pa20_64/libevfs_pkey.sl (HP 9000 servers)
[
    Literal left square bracket.
key_directory
    Specifies the fully qualified pathname of the base directory in which to
    store key data, such as /etc/evfs/pkey. See “Key Storage Directory
    Requirements” (page 40) for more information.
    If you want to use the autostart feature, the autostart option you specify in
    the /etc/evfs/evfstab file is determined by the location of the
    key_directory. See “Step 5: (Optional) Configuring the Autostart
    Feature” (page 62) for more information.
action
    Specifies the EVFS action if attempts to write to or read from the
    key_directory fail.
    continue
        Causes EVFS to continue to the next
        library[specifications...] term.
    stop
        Causes EVFS to stop processing and return an error.
]
    Literal right square bracket.
Key Storage Directory Requirements
Directories used to store user keys and passphrases cannot be on EVFS volumes. EVFS
cannot access key files stored on an EVFS volume to enable the EVFS volume.
If there are file systems on EVFS volumes in the /etc/fstab file that you want the system
to mount at system startup, the key database must reside on the local root file system (the
system must be able to access the keys early in the system startup procedure).
If the private key directory is an NFS-mounted directory, the directory must be mounted
with read and write access so EVFS can re-encrypt the private key file as needed (the NFS
server must not export the directory with the ro flag).
HP recommends that the base directory be writable only by superusers or users with
appropriate privileges. For example, the /etc/evfs/pkey directory is installed with the
following permissions, owner, and group:
drwxr-xr-x 4 bin bin 96 Mar 16 17:26 pkey
You can also create and configure a fallback directory to allow nonprivileged users to create
keys.
Default pub_key, priv_key and pass_key Attribute Statements
The /etc/evfs/evfs.conf file installed with the EVFS product on HP Integrity servers
contains the following pub_key, priv_key, and pass_key attribute statements:
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]
These statements configure EVFS to use the libevfs_pkey library to process all user key data
(public keys, private keys, and passphrase files), and to save all user key data in subdirectories
under the /etc/evfs/pkey directory. If EVFS cannot access key data in the directory
/etc/evfs/pkey, EVFS returns an error.
The /etc/evfs/evfs.conf file installed with the EVFS product on HP 9000 servers contains
equivalent statements, with the HP 9000 libevfs_pkey library,
/usr/lib/evfs/pa20_64/libevfs_pkey.sl.
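
The following script is an added example, not part of this guide or of the EVFS product. It reads the pub_key, priv_key, and pass_key statements in the format shown above and reports any pkeydir directory that is missing or writable by group or other. The function names are hypothetical, and treating the group and other write bits as the test for the permission recommendation is an assumption of this example.

```shell
#!/bin/sh
# list_key_terms CONF
# Print "attribute pkeydir onfail" for each [pkeydir:...,onfail:...] term in
# the pub_key, priv_key and pass_key statements (a line may hold several terms).
list_key_terms() {
    awk '
    /^[ \t]*(pub_key|priv_key|pass_key)[ \t]*=/ {
        attr = $1; sub(/=.*/, "", attr)
        rest = $0
        while (match(rest, /\[[^]]*\]/)) {
            term = substr(rest, RSTART + 1, RLENGTH - 2)
            rest = substr(rest, RSTART + RLENGTH)
            gsub(/[ \t]/, "", term)
            dir = ""; act = ""
            n = split(term, f, ",")
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^pkeydir:/) dir = substr(f[i], 9)
                if (f[i] ~ /^onfail:/)  act = substr(f[i], 8)
            }
            if (dir != "") print attr, dir, act
        }
    }' "$1"
}

# loose_perms DIR
# Return 0 if DIR is writable by group or other, 1 if it is not,
# 2 if DIR is missing or not a directory. Uses ls, so no stat(1) is needed.
loose_perms() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d????w????|d???????w?) return 0 ;;
        d?????????) return 1 ;;
        *) return 2 ;;
    esac
}

# audit_evfs_conf CONF
# Print one finding per line; print nothing when every directory passes.
audit_evfs_conf() {
    list_key_terms "$1" | while read -r attr dir act; do
        rc=0; loose_perms "$dir" || rc=$?
        case "$rc" in
            0) echo "LOOSE $attr $dir" ;;
            2) echo "MISSING $attr $dir" ;;
        esac
    done
}

if [ "$#" -gt 0 ]; then audit_evfs_conf "$1"; fi
```

Run it with the configuration file as its argument, for example /etc/evfs/evfs.conf. A directory reported as MISSING matters most when the statement uses onfail:stop, because EVFS then returns an error.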
40 Preparing EVFS for Configuration