HP-UX Trusted Computing Services A.01.00 Administrator's Guide
5 On-Demand Encryption
This chapter describes the TCS mechanisms for on-demand encryption and decryption.
There are a number of mechanisms for protecting files on HP-UX. One of those mechanisms,
EVFS, provides a solution for encrypting entire volumes of sensitive information. Inherent with
this protection is a need for key management, recovery, data management, and other processes
for ensuring the security and availability of that information. The EVFS solution is described
further in Chapter 6 (page 29), and in depth in the HP-UX Encrypted Volumes and File Systems
(EVFS) documentation available at:
http://docs.hp.com/en/internet.html#Encrypted%20Volume%20and%20File%20System%20%28EVFS%29
There are some situations where a more limited, simplified encryption capability is appropriate.
HP-UX TCS meets this need with a set of on-demand encryption utilities:
• tpmencrypt
• tpmdecrypt
These commands use the system processor to encrypt a specified set of files and/or directories, then
use the TPM to protect the encryption key.
The tpmencrypt command randomly generates a symmetric key, then uses that key with an
OpenSSL bulk encryption algorithm to encrypt the specified files or directories. The specified
files or directories are first compressed into a single stream; this bulk encryption takes place on
the system processor. The symmetric key is then encrypted using a key pair generated on the
TPM, and the plaintext symmetric key is discarded. The encrypted symmetric key, along with the
OpenSSL bulk encryption output, is serialized to the output file. The new TPM key is itself
encrypted, exported from the TPM, and stored in the output file.
The tpmdecrypt command reverses the tpmencrypt process by first loading the encrypted
TPM key back into the hardware, then using it to decrypt the symmetric key (which is used to
decrypt the data). For example:
1. To encrypt a sensitive file with HP-UX TCS, enter the following command:
# /opt/tcs/bin/tpmencrypt -p demo2007 \
-o /opt/demo/tf.enc /opt/demo/testfile
2. To remove the original file and verify listing, enter the following commands:
# rm /opt/demo/testfile
# ls /opt/demo
3. (Optional) To display the encrypted file, enter the following command:
# cat /opt/demo/tf.enc
4. To decrypt the original file and verify, enter the following commands:
# /opt/tcs/bin/tpmdecrypt -p demo2007 -i /opt/demo/tf.enc
# ls /opt/demo
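The envelope scheme that tpmencrypt and tpmdecrypt implement (random symmetric key for the bulk data, that key wrapped by an asymmetric key, both serialized into one output file), worked through as an added example. This is not HP's code and does not read or write the real tpmencrypt file format. It assumes a software RSA key pair in place of the TPM-resident key pair, AES-GCM in place of the unspecified OpenSSL bulk algorithm, and an envelope layout invented for the example; the compression step is left out to keep the focus on key handling.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// oaepLabel binds the wrapped key to this envelope format (constructed value).
var oaepLabel = []byte("tcs-envelope-example")

// NewKeyPair stands in for the key pair tpmencrypt generates on the TPM: a
// software RSA key here, whereas a real TPM never releases the private half.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM builds the bulk cipher (AES-GCM) from a raw symmetric key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt mirrors tpmencrypt: bulk-encrypt the data under a fresh random
// AES-256 key, wrap that key with RSA-OAEP under the asymmetric public key,
// and serialize both. Assumed envelope layout (not the real tpmencrypt format):
//   [4-byte BE wrapped-key length][wrapped key][12-byte nonce][ciphertext+tag]
// The plaintext symmetric key exists only inside this function.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint32(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(gcm.Seal(nil, nonce, plaintext, nil))
	return out.Bytes(), nil
}

// Decrypt mirrors tpmdecrypt: unwrap the symmetric key with the private key
// (the TPM's job in the real product), then authenticate and decrypt the bulk
// data. Any modification of the envelope fails the OAEP or GCM check.
func Decrypt(priv *rsa.PrivateKey, env []byte) ([]byte, error) {
	if len(env) < 4 || len(env) < 4+int(binary.BigEndian.Uint32(env[:4]))+12 {
		return nil, fmt.Errorf("envelope too short or truncated")
	}
	n := int(binary.BigEndian.Uint32(env[:4]))
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env[4:4+n], oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	data, err := gcm.Open(nil, env[4+n:4+n+12], env[4+n+12:], nil)
	if err != nil {
		return nil, fmt.Errorf("bulk decrypt failed: %w", err)
	}
	return data, nil
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample input standing in for /opt/demo/testfile.
	env, err := Encrypt(&priv.PublicKey, []byte("constructed sample contents\n"))
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("envelope %d bytes, recovered: %s", len(env), got)
}
```

Two points the procedure above relies on are visible here: the symmetric key is never written anywhere in the clear, so the output file is only useful to whoever can unwrap it with the private key, and an envelope that has been altered or is presented to the wrong key fails outright rather than yielding garbage. In the real product the private half of the key pair stays inside the TPM and the exported TPM key blob stored in the output file is itself encrypted, which is why the hardware, not a software key, is the recovery dependency.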