HP-UX Trusted Computing Services A.01.00 Administrator's Guide
the private key. In a configuration where the system must boot without an administrator in
attendance to enter the passphrase, the passphrase itself can be stored and protected on the
system using system-intrinsic information.
On a system with a TPM that is running HP-UX TCS, the key management solution described
above can be made more secure. Instead of using a passphrase to protect the private key directly,
you can protect the private key using a TPM key. This requires the coordination of (and access
to) the TPM hardware to retrieve the key, such that the passphrase becomes the authorization
data that lets the TPM know it can release the key. Using the TPM in this way requires only a
configuration change, and does not affect the EVFS user interface (EVFS management commands).
The same set of EVFS commands is invoked to manage the encrypted volume; only the
underlying protection mechanism changes. For more information, see “User Interface” (page 30),
“Configuration” (page 31), and “Key Storage and Management” (page 31).
There is no limit to the number of EVFS keys that the TPM can protect, because it does not actually
store all of the keys internally. The TPM encrypts the private key that is used to encrypt the EVFS
volume key, then the TPM sends the encrypted blob back to EVFS for storage. The TPM performs
this encryption with a TPM Roaming Key (RK) that is protected by a Storage Root Key (SRK)
that never leaves the TPM. The RK that protects the EVFS volume key never leaves the hardware.
When the RK is used, it must be loaded back into the TPM, where the actual operation takes
place. For a graphical representation of the relationships between keys, see TPM Key Hierarchy
(page 10).
User Interface
Use of a TPM for EVFS key storage is implemented by a shared library that conforms to the EVFS
Passphrase-Based Encryption (PBE) interface. The primary user interface to the component that
integrates HP-UX TCS with EVFS consists of the following EVFS management commands:
• evfspkey
• evfsvol
These commands are documented in the HP-UX Encrypted Volumes and File Systems (EVFS)
documentation available at:
http://docs.hp.com/en/internet.html#Encrypted%20Volume%20and%20File%20System%20%28EVFS%29
The following example illustrates how HP-UX TCS is used for EVFS key storage. This example
assumes that EVFS is configured to use the HP-UX TCS module, and it provides an overview of
EVFS commands as they relate to HP-UX TCS.
One of the first steps when using EVFS is to create a user key by running the evfspkey keygen
command. An EVFS key pair is created according to your specifications. As part of this command,
you are prompted for a passphrase to protect the private key. When EVFS is configured to use
HP-UX TCS, the evfspkey command passes the private key (in the clear) and the passphrase to the
libevfs_tcspbe.so.1 library provided with the HP-UX TCS product.
Once the libevfs_tcspbe.so.1 library receives the private key and the passphrase, it creates
an asymmetric TPM key according to the specifications defined below, and binds the EVFS
private key to the TPM key using the passphrase as authorization information. The resulting
encrypted blob is then passed back to the evfspkey command, which stores this information
in a key hierarchy in the /etc/evfs/pkey/[user]/[keyname].priv file. For example:
-----BEGIN EVFS ENCRYPTED PRIVATE KEY -----
version evfs-pkey-1.0
keyid root.myrootkey
keycipher rsa-1024
keywrap evfs-tcs-1.0
keyval da+rCAQRy4h5bWJufn86cZq3TyKAVtAbK01y5nGKcNowOpeRAktT7Xv7/pwUj5Em
RN9CzosSgoqNPW+S1QQ+0ViUKctYRavbM1LNO7k4442Ubc0/jWQiIz5cFqBh6rWT
UQst4SFGzo7ZccSncZuZH7dGSJHRfC8XiCmp0bWe+i2xMzweCd95jA3zadpjTVC6
Pwl6QInT9c18YjzbYTxT08yDMkm2VwCh3sweK6aeUjLElQkEfVNsj0HKUoTmATnw
eITu4LCa5qS2zdt0LKKyXuwNgCMD629nQBBDaRisnX0JyrOF1BkKW5Rgt0wwTtwx
30 EVFS Keys with HP-UX TCS
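The following is an added example, not code from the HP-UX TCS product or the EVFS documentation. It parses a .priv file with the layout shown above (banner, one "name value" header per line, a base64 keyval that continues over several lines) and reports whether the file is actually TPM-wrapped, which is the check an administrator would run over /etc/evfs/pkey after switching the configuration to the HP-UX TCS module. Assumptions: the END banner text (the guide shows only the BEGIN banner), the constructed key blob, the placeholder keywrap value used for a non-TCS file, and the 2048-bit RSA policy minimum are all mine; only the evfs-tcs-1.0 keywrap value and the header names come from the guide.

```python
"""Parse and audit an EVFS encrypted private key file (/etc/evfs/pkey/<user>/<keyname>.priv).

Added example; not part of HP-UX TCS or EVFS. The wrapped blob is opaque here: only the
TPM that created it (via its Roaming Key under the SRK) can unwrap it, so the audit looks
at the headers, not at the key material.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

BEGIN_BANNER = "-----BEGIN EVFS ENCRYPTED PRIVATE KEY -----"
END_BANNER = "-----END EVFS ENCRYPTED PRIVATE KEY -----"  # assumed by analogy with the BEGIN banner
TCS_KEYWRAP = "evfs-tcs-1.0"  # keywrap value the guide shows for a TPM-protected private key
REQUIRED_HEADERS = ("version", "keyid", "keycipher", "keywrap", "keyval")


@dataclass
class EvfsPrivateKeyFile:
    headers: Dict[str, str]
    blob: bytes  # the wrapped private key returned by the TPM, stored by evfspkey

    @property
    def tpm_wrapped(self) -> bool:
        return self.headers["keywrap"] == TCS_KEYWRAP

    def cipher(self) -> Tuple[str, int]:
        # "rsa-1024" -> ("rsa", 1024)
        alg, _, bits = self.headers["keycipher"].partition("-")
        return alg, int(bits)


def parse_evfs_pkey(text: str) -> EvfsPrivateKeyFile:
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN_BANNER:
        raise ValueError("missing BEGIN banner")
    body = lines[1:-1] if lines[-1] == END_BANNER else lines[1:]

    headers: Dict[str, str] = {}
    last = None
    for ln in body:
        # Header lines are "name value"; base64 continuation lines contain no whitespace.
        m = re.fullmatch(r"([a-z]+)\s+(\S.*)", ln)
        if m:
            name, value = m.group(1), m.group(2)
            if name in headers:
                raise ValueError(f"duplicate header {name}")
            headers[name] = value
            last = name
        elif last == "keyval" and re.fullmatch(r"[A-Za-z0-9+/=]+", ln):
            headers["keyval"] += ln  # keyval wrapped onto continuation lines
        else:
            raise ValueError(f"unexpected line: {ln!r}")

    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        raise ValueError(f"missing headers: {missing}")
    blob = base64.b64decode(headers["keyval"], validate=True)
    return EvfsPrivateKeyFile(headers, blob)


def audit_pkey(key: EvfsPrivateKeyFile, min_rsa_bits: int = 2048) -> List[str]:
    """Findings an administrator would review; the bit-length threshold is an assumed policy."""
    findings = []
    if not key.tpm_wrapped:
        findings.append(f"keywrap {key.headers['keywrap']}: private key is not protected by the HP-UX TCS TPM module")
    alg, bits = key.cipher()
    if alg == "rsa" and bits < min_rsa_bits:
        findings.append(f"keycipher rsa-{bits} is below the {min_rsa_bits}-bit policy minimum")
    return findings


def build_sample_pkey(keywrap: str = TCS_KEYWRAP, keycipher: str = "rsa-1024") -> str:
    """Constructed sample file in the guide's layout; the blob is filler, not a real wrapped key."""
    blob = bytes((i * 37 + 11) % 256 for i in range(200))
    b64 = base64.b64encode(blob).decode()
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines = [BEGIN_BANNER, "version evfs-pkey-1.0", "keyid root.myrootkey",
             f"keycipher {keycipher}", f"keywrap {keywrap}", "keyval " + chunks[0]]
    lines.extend(chunks[1:])
    lines.append(END_BANNER)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for sample in (build_sample_pkey(), build_sample_pkey(keywrap="other-wrap-1.0", keycipher="rsa-2048")):
        key = parse_evfs_pkey(sample)
        print(key.headers["keyid"], "tpm_wrapped=%s" % key.tpm_wrapped, audit_pkey(key) or ["ok"])
```

Pointing the parser at each .priv file under /etc/evfs/pkey gives a quick inventory of which user keys were created under the TCS configuration and which still carry another keywrap; the parser deliberately refuses files with missing or duplicated headers rather than guessing.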