PCI-DSS Compliance for an HP-UX Host
8
EVFS can encrypt data at both the volume and file level and can be used to protect cardholder data as mentioned
previously. Depending on whether the volume or file level encryption is desired, EVFS can be configured either in
EVS mode (Encrypted Volume System) or in EFS mode (Encrypted File system).
EVFS volumes (EVS mode) are configured as pseudo-devices below the HP-UX file system. EVFS volumes are
“Application Transparent”, that is, applications in User space will not notice any changes and neither will they have
to make any changes. The EVS mode supports all disk file systems. Data in EVFS volumes is encrypted using
symmetric encryption keys. These encryption keys are again wrapped using a public or private keypair. These keys
are for authentication for administrative access and during startup. Once the volumes are created and made
operational, users and applications continue to function normally, and are not required to do anything out of the
ordinary for accessing their data.
The EFS mode of EVFS allows users to enable or disable encryption at the file or directory level. An administrator
creates the EFS. Users can then login to an EVFS secure session using their keys and enable or disable encryption
attributes on their files or directories. It must be noted though; EVFS supports encryption of regular files only.
HP-UX EVFS product literature can be found at the following location:
For more information about HP-UX EVFS Support Manuals, see Appendix A.
3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be
managed independently of native operating system access control mechanisms (for example, by not using local
user account databases). Decryption keys must not be tied to user accounts
Volume decryption in EVFS is not linked to OS authentication. Decryption keys are always protected using the
Volume owner’s private key. This key is stored in a fixed location for easy retrieval but is again protected using a
password. EVFS provides an option to store this private key either in /etc/evfs/pk or in a TPM device for enhanced
security.
3.5 Protect any keys used to secure cardholder data against disclosure
and misuse
This requirement deals with securing keys by storing them safely and restricting access to only those who strictly
require it. Though HP-UX currently does not provide a host-level tool for key management, this requirement can be
met by using Enterprise-level key management solutions like Atalla Enterprise Secure Key Manager (ESKM) and the
HP StorageWorks Secure Key Manager appliance.
For more Information about Atalla ESKM, see Appendix A.
For more information about the PCI-DSS applicability matrix for Atalla ESKM, see Appendix A.
For more information about HP Storageworks SKM support manual, see Appendix A.
Requirement 4: Encrypt transmission of cardholder data
across open, public networks
Sub Req# Requirement Products
4.1
Use strong cryptography and security protocols to
safeguard cardholder data during transmission
HP-UX IPSec, OpenSSL, Secure NFS, HP-UX
Secure Shell
4.2
Never send unprotected PANS by end-user messaging
technologies.
HP-UX IPSec, HP-UX HIDS
4.1 Use strong cryptography and security protocols to safeguard
cardholder data during transmission
This requirement mainly deals with securing cardholder data during transmission over open, public networks.
Cardholder data transmitted through the corporate network or over the internet can be encrypted using OpenSSL or
HP-UX IPSec or Secure NFS (Network File systems) or OpenSSH.
HP-UX OpenSSL can be used to secure communication between two applications (the applications need to be built
to use SSL protocol implemented by the OpenSSL libraries) whereas HP-UX IPSEC can be used to encrypt all the
packets which are going through the network. Secure NFS allows customers to implement different security