HP-UX Trusted Computing Services A.01.00 Administrator's Guide

6 EVFS Keys with HP-UX TCS

This chapter explains using HP-UX TCS to protect EVFS private keys. This chapter addresses

the following topics:

• “Overview” (page 29)

• “User Interface” (page 30)

• “Configuration” (page 31)

• “Key Storage and Management ” (page 31)

Overview

One benefit of HP-UX TCS is the secure storage it offers for protecting application sensitive

information, boosting overall application security. A prominent example is the integration of

HP-UX TCS with HP-UX Encrypted Volume and File System (EVFS). More specifically, HP-UX

TCS can protect the EVFS private keys, requiring an attacker to have access to the server TPM

to access the encryption keys.

For more information on EVFS, see the HP-UX Encrypted Volumes and File Systems (EVFS)

documentation available at:

http://docs.hp.com/en/internet.html#Encrypted%20Volume%20and%20File%20System%20%28EVFS%29

As shipped, EVFS uses encryption keys as illustrated in Figure 6-1.

Figure 6-1 EVFS Encryption Keys

Encryption Metadata (EMD)

Encrypted Data

EVFS Volume

Key

Records

Volume Encryption Key

User 1’s Public Key Encrypts the

Volume Encryption Key

User 1’s Private Key Decrypts

the Volume Encryption Key

Volume Encryption

Key Encrypts/Decrypts

the Data

“my_passphrase”

Encrypts Private Key

Stored Passphrase:

System-Specific Data

Encrypts “my_passphrase”

“my_passphrase”

EVFS creates a Volume Encryption Key for each volume that it protects. These symmetric volume

keys are stored in an encrypted form as part of the encrypted volume itself. To keep them secret,

the volume keys are encrypted when they are created using a public/private key pair specified

by the user who creates the volume. This public/private (asymmetric) key pair must also be

stored, keeping the private component secret. By default, EVFS achieves this using a

passphrase-based encryption mechanism, in which a user-entered password is used to encrypt

Overview 29