evfs.5 (2010 09)

evfs(5) evfs(5)
(EVFS Software Required)
6. Add recovery keys and authorized user keys to the EVFS volume using the evfspkey add command.
7. Enable the encrypted volume to start encrypting and decrypting data to and from the volume using
the evfsvol enable command. See evfsvol(1M).
8. If you want to create a file system on the EVFS volume, create one on the character (raw) EVFS
volume device file using the newfs command. See newfs(1M).
9. If you want to mount the file system on the EVFS volume, add an entry to the /etc/fstab file
that references the EVFS volume special file. See evfsadm(1M).
10. Mount the encrypted file system using the mount command. See mount(1M).
11. Verify EVFS operation using the evfsadm stat -a and evfsvol display commands.
Once the above steps are executed, EVFS transparently encrypts and decrypts data accessed through the
EVFS volume or the file system above it. You can display encryption/decryption statistics using the
evfsadm stat command.
The mapping between regular volumes and encrypted volumes is described in evfstab(4).
File-Level Encryption Mode
For this mode, HP-UX EVFS includes the following EVFS commands, typically used in the order shown
below:
evfsadm    Starts and manages the EVFS subsystem. Maps LVM, VxVM, or physical volumes to the
           EVFS subsystem. See evfsadm(1M).
evfsauth   Enters a user secure session. A secure session contains the needed credentials to access
           encrypted files pertaining to that particular user. The command also allows users to
           display their current secure session information. See evfsauth(1).
evfsfile   Manages EVFS encrypted files and directories. See evfsfile(1).
The main steps in creating EVFS volumes in EFS mode are:
1. Start the EVFS subsystem using the evfsadm start command. See evfsadm(1M).
2. If you are using LVM or VxVM (you are not directly accessing the physical disk as a physical
volume), use the appropriate LVM or VxVM commands (such as lvcreate or vxassist) to create
a new LVM or VxVM volume to use for the EVFS volume. Include 1 MB of the EVFS Encryption
Metadata (EMD). See lvcreate(1M) or vxassist(1M).
3. Associate the underlying LVM, VxVM, or physical volume to an EVFS volume in file-level encryption
mode using the evfsadm map -f command. This command also creates block and character
("raw") device special files for the EVFS volume and adds them to the kernel registry.
4. If you want to create a file system on the EVFS volume, create one on the character (raw) EVFS
volume device file using the newfs command. See newfs(1M).
5. If you want to mount the file system on the EVFS volume, add an entry to the /etc/fstab file
that references the EVFS volume special file with the stackfs=sefs option. See evfsadm(1M).
6. Mount the encrypted file system using the mount command with the -o stackfs=sefs option.
See mount(1M).
7. Verify EVFS operation using the evfsadm stat -a and evfsvol display commands.
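The following is an added example, not part of the HP-UX manual page or the EVFS product: a shell check that the /etc/fstab entry from step 5 carries the stackfs=sefs option before the volume is mounted. The device paths under /dev/evfs, the mount points, and the function names are assumptions, and the sample fstab is constructed.

```sh
#!/bin/sh
# Added example (not HP-supplied): audit an fstab file for a file-level
# (EFS) EVFS volume.
# check_efs_fstab FSTAB DEVICE returns:
#   0  entry for DEVICE carries stackfs=sefs
#   1  entry exists but the option is missing
#   2  no entry for DEVICE
check_efs_fstab() {
    awk -v dev="$2" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        $1 == dev {
            found = 1
            n = split($4, opts, ",")         # field 4 holds the mount options
            for (i = 1; i <= n; i++)
                if (opts[i] == "stackfs=sefs") ok = 1
        }
        END { if (!found) exit 2; exit(ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample fstab; volume names and mount points are hypothetical.
sample_fstab() {
    cat <<'EOF'
# device               directory  type  options                 freq pass
/dev/vg00/lvol3        /          vxfs  delaylog                0    1
/dev/evfs/vg01/lvol5   /secure    vxfs  delaylog,stackfs=sefs   0    2
/dev/evfs/vg01/lvol6   /archive   vxfs  delaylog                0    2
EOF
}

# Demo: report the state of each volume meant for file-level mode.
tmp=$(mktemp)
sample_fstab > "$tmp"
for dev in /dev/evfs/vg01/lvol5 /dev/evfs/vg01/lvol6 /dev/evfs/vg01/lvol7; do
    rc=0
    check_efs_fstab "$tmp" "$dev" || rc=$?
    case $rc in
        0) echo "$dev: stackfs=sefs present" ;;
        1) echo "$dev: entry lacks stackfs=sefs" ;;
        2) echo "$dev: no fstab entry" ;;
    esac
done
rm -f "$tmp"
```

Only volumes mapped with evfsadm map -f need this option, so pass the function the devices intended for file-level mode rather than every EVFS entry.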
For an EFS user, the main steps in using EFS are:
8. Enter a secure session with the evfsauth login command. If the user credential doesn't exist, the
user will be prompted to create it. This credential is inherited by all the children of the process. The
command evfsauth display can be used to display the user's credential. Exiting the process (if
in a shell, usually with the exit command) will terminate the session.
9. The command evfsfile is used to enable and disable files and directories for encryption. The
command can also be used to display file and directory encryption status. See evfsfile(1).
10. A set of wrapper commands is provided with EVFS. The main purposes are to facilitate encryption
access information and to prevent unintended decryption of files. See evfs_wrapper(1).
For both modes, configuration information for the EVFS administration commands is stored in the
/etc/evfs/evfs.conf file. Most evfs* subcommands execute their operations via the
/dev/evfs/admin device special file (see evfsadm(1M)).
2 Hewlett-Packard Company 2 HP-UX 11i Version 3: September 2010