HP-UX Trusted Computing Services A.01.00 Administrator's Guide

After creating a volume and associating the EVFS encrypted private key with the volume, you
must enable the volume using the evfsvol enable command. To enable the volume, the
evfsvol command must make the user's private key available to the kernel by prompting the
user for a password, then invoking the libevfs_tcspbe.so.1 library to decrypt the private
key. The library takes the password and the encrypted blob that it provided to evfspkey during
the key creation and storage process, and uses them in conjunction with the TPM to unbind the
private key. Then the libevfs_tcspbe.so.1 library makes the private key available to
evfsvol.
NOTE: Both the evfspkey command and the evfsvol command work the same way, with
or without HP-UX TCS.
Configuration
Configuring EVFS to make use of the libevfs_tcspbe.so.1 library consists of updating the
/etc/evfs/evfs.conf file with the following key/value pairs:
pbe = /opt/tcs/lib/libevfs_tcspbe.so.1
keywrap = evfs-tcs-1.0
Updating these entries causes EVFS to use the TPM when protecting the private user keys. If
any of the encrypted volumes are set to be automatically enabled at boot time (for example, if
/etc/evfs/evfstab entries contain the boot_local keyword), then HP-UX TCS must also
be configured to come up early in the boot cycle to support this enablement. You can enable
early boot enablement by editing the /etc/rc.config.d/tcsconf file and setting the
TCS_EVFSENABLED variable to 1.
HP provides a script to simplify the configuration of HP-UX TCS for EVFS A.01.00:
/opt/tcs/bin/misc/evfs_setup enable. This script configures the HP-UX TCS library
in the /etc/evfs/evfs.conf file. The script also sets an appropriate flag in the
/etc/rc.config.d/tcsconf file. This script is provided as a convenience and has been
designed only for use with EVFS A.01.00. For later versions of EVFS, HP strongly recommends
using the manual configuration steps described at the beginning of this section.
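The following shell check is added here as an example and is not part of the HP-UX TCS guide or the evfs_setup script. It verifies the settings this section describes: the pbe and keywrap entries in evfs.conf, and, when any evfstab entry carries the boot_local keyword, that TCS_EVFSENABLED is set to 1 in tcsconf. File paths are passed as parameters so it can run against copied files; the evfstab line layout in its sample input is a constructed assumption.

```shell
#!/bin/sh
# Added example, not from the HP-UX TCS guide: audit the EVFS/TCS settings
# described in the Configuration section. File paths are parameters so the
# check can be run against copied files; the expected values come from the
# guide, while the evfstab line layout used for testing is a constructed
# assumption.

# conf_value FILE KEY: print the value of the first "KEY = value" line,
# ignoring leading whitespace and anything after a '#' comment marker.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# evfs_tcs_check EVFS_CONF EVFSTAB TCSCONF
# Prints one line per finding and returns 0 only when TPM-backed key
# protection is configured consistently with the boot-time requirement.
evfs_tcs_check() {
    rc=0
    pbe=$(conf_value "$1" pbe)
    keywrap=$(conf_value "$1" keywrap)
    if [ "$pbe" != "/opt/tcs/lib/libevfs_tcspbe.so.1" ]; then
        echo "evfs.conf: pbe is '${pbe:-unset}'; private keys are not TPM-protected"
        rc=1
    fi
    if [ "$keywrap" != "evfs-tcs-1.0" ]; then
        echo "evfs.conf: keywrap is '${keywrap:-unset}', expected evfs-tcs-1.0"
        rc=1
    fi
    # Volumes enabled at boot (boot_local) need HP-UX TCS to come up early
    # in the boot cycle, which the guide ties to TCS_EVFSENABLED=1.
    if grep -v '^[[:space:]]*#' "$2" | grep -q 'boot_local'; then
        enabled=$(conf_value "$3" TCS_EVFSENABLED)
        if [ "$enabled" != "1" ]; then
            echo "tcsconf: boot_local volumes present but TCS_EVFSENABLED=${enabled:-unset}"
            rc=1
        fi
    fi
    return "$rc"
}

# On a live system:
# evfs_tcs_check /etc/evfs/evfs.conf /etc/evfs/evfstab /etc/rc.config.d/tcsconf
```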
Key Storage and Management
As stated in “Architecture” (page 8), the EVFS keys are created under a dedicated EVFS
application key under the RK. If the RK does not already exist in persistent storage, it is created
when the first wrap operation is performed by the evfspkey command. Subsequent wrap
operations retrieve the RK from persistent storage and use it accordingly.
To back up and restore EVFS keys, follow these steps:
1. Back up (and restore) the encrypted key blobs (for example, /etc/evfs/pkey/*) using
traditional file-based utilities or applications.
2. Back up (and restore) the TPM key hierarchy using the tpmadm command. The tpmadm
command uses the appropriate TPM ordinals to migrate the RK and to serialize (and
deserialize) the keys in persistent storage. For more information, see “Backing Up and
Restoring Keys” (page 25).
NOTE: When the passphrase for EVFS keys is bound to the system, you must change the
passphrase to a known value on the host system prior to migration. This issue is not specific to
HP-UX TCS. For more information, see the HP-UX Encrypted Volumes and File Systems (EVFS)
documentation available at:
http://docs.hp.com/en/internet.html#Encrypted%20Volume%20and%20File%20System%20%28EVFS%29