evfsfile.1 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

evfsﬁle(1) evfsﬁle(1)

(EVFS Software Required)

NAME

evfsﬁle - manage EVFS encrypted ﬁles and directories

SYNOPSIS

evfsfile add -r ﬁle

evfsfile assign -r recovkey_ﬁle -u user

-g group ﬁle

evfsfile assign -r recovkey_ﬁle {

-u user | -g group} ﬁle

evfsfile decrypt ﬁle

evfsfile encrypt [-c cipher ] ﬁle

evfsfile list ﬁle | directory

evfsfile rekey [-c cipher ] ﬁle

evfsfile set [-c cipher | -d] directory

evfsfile sync ﬁle | directory

DESCRIPTION

The

evfsfile command enables users to manage HP-UX EVFS encrypted ﬁles and directory created in

a disk or volume in ﬁle-level encryption mode.

With

evfsfile, users can enable/disable a directory or a ﬁle system for encryption, list the encryption

attributes of an encrypted ﬁle or a directory conﬁgured for encryption. Users can also convert a clear-text

ﬁle in an Encrypted File System to an encrypted ﬁle, an encrypted ﬁle to clear-text ﬁle and change the ﬁle

symmetric key (rekey) of an encrypted ﬁle. This command can be used to add/replace a recovery key

record of an encrypted ﬁle. evfsfile command can also be used to synchronize the ﬁle UNIX DAC per-

missions with the EVFS access permissions of an encrypted ﬁle in case there is any mismatch.

The

evfsfile command requires the optional HP-UX Encrypted Volume and File System (EVFS)

software.

Subcommands

evfsfile recognizes the following subcommands:

add Add/Replace a recovery key record (key envelope) of an encrypted ﬁle. If the recovery key

record already exists in the encrypted ﬁle, then this command replaces the existing

recovery key record with the key record of the recovery key loaded in the system. The

recovery key should be already loaded in the system to add/replace the recovery key

record. Use the evfspkey loadkey command to load the recovery key. See evfsp-

key(1).

Only the owner of an encrypted ﬁle, being in secure session, can perform this operation.

assign Change ﬁle owner, group, or both for an encrypted ﬁle. The current owner’s key record

in the encrypted ﬁle is replaced by the new owner’s key record. The current group’s key

record in the encrypted ﬁle is replaced by the new group’s key record if it is speciﬁed.

Only the system admin or the owner of the encrypted ﬁle can perform this operation.

decrypt Convert an encrypted ﬁle to clear-text ﬁle. A ﬁle in conversion is not accessible until the

operation is successful.

Only the owner of the ﬁle, being in secure session, can perform this operation. Users

must login to secure session using the

evfsauth login command. See evfsauth (1).

encrypt Convert the clear-text ﬁle to an encrypted ﬁle. Users can specify the cipher with which

the data to be encrypted. A ﬁle in conversion is not accessible until the operation is suc-

cessful.

Only the owner of the ﬁle, being in secure session, can perform this operation. Users

must login to secure session using the

evfsauth login command. See evfsauth (1).

list List the encryption parameters of an encrypted ﬁle or a directory enabled for encryption.

A user with valid UNIX DAC permissions can perform this operation.

rekey Change the symmetric key of an encrypted ﬁle. Users can specify the cipher with which

the data to be re-encrypted. A ﬁle in conversion is not accessible until the operation is

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (4 pages)

PAGE 1
evfsfile(1) evfsfile(1) (EVFS Software Required) NAME evfsfile - manage EVFS encrypted files and directories SYNOPSIS evfsfile add -r file evfsfile assign -r recovkey_file -u user -g group file evfsfile assign -r recovkey_file {-u user | -g group } file evfsfile decrypt file evfsfile encrypt [-c cipher ] file evfsfile list file | directory evfsfile rekey [-c cipher ] file evfsfile set [-c cipher | -d] directory evfsfile sync file | directory A DESCRIPTION The evfsfile command enables users to manage HP
PAGE 2
evfsfile(1) evfsfile(1) (EVFS Software Required) successful. Only the owner of the file, being in secure session, can perform this operation. Users must login to secure session using the evfsauth login command. See evfsauth (1). Enable or disable encryption for a given directory or a file system. To enable/disable encryption at file system level, the mount point directory where the file system is mounted should be specified. This command can also be used to change the encryption parameters (e.g.
PAGE 3
evfsfile(1) evfsfile(1) (EVFS Software Required) EXAMPLES The following command enables a directory /test_efs_mnt/efs_dir for encryption, where the /test_efs_mnt is the mount point of an encrypted file system: % evfsfile set /test_efs_mnt/efs_dir The following command changes the cipher specified for a directory /test_efs_mnt/efs_dir to aes-256-cfb where the /test_efs_mnt is the mount point of an encrypted file system: % evfsfile set -c aes-256-cbc /test_efs_mnt/efs_dir The following command displays th
PAGE 4
(Notes) A (Notes) eA 4 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2010