HP-UX Trusted Computing Services A.02.00 Administrator's Guide
4 Using TCS On-Demand Encryption Utilities
This chapter describes the TCS utilities for on-demand encryption and decryption. It addresses
the following topics:
• “Overview” (page 35)
• “Using the tpmencrypt Utility” (page 36)
• “Using the tpmdecrypt Utility” (page 36)
Overview
You can use a number of solutions for protecting files on HP-UX. One solution, EVFS, enables
you to encrypt entire volumes of sensitive information. Inherent with this protection is a need
for key management, recovery, data management, and other processes for ensuring the security
and availability of that information. The EVFS solution is described further in Chapter 7 (page 61).
There are some situations where a more limited, simplified encryption capability is appropriate.
TCS meets this need with a set of on-demand encryption utilities:
• tpmencrypt
• tpmdecrypt
These utilities use the system processor to encrypt and decrypt a specified set of files and/or
folders, and use the TPM to protect the data encryption key.
The tpmencrypt utility performs the following operations to encrypt data:
• Compresses the input files or directories to create a single stream.
• Generates a symmetric key and encrypts the input stream with the symmetric key and a
bulk encryption algorithm.
• Generates a TPM asymmetric key pair and encrypts the symmetric key with the public key
component of the asymmetric key pair.
• Uses the public key component of the RK to encrypt the private key component of the TPM
asymmetric key pair.
• Writes the encrypted symmetric key and the encrypted input data to the output. It also
includes information needed to decrypt the data, such as the bulk encryption algorithm. By
default, it also includes the encrypted private key in the output.
The tpmdecrypt utility decrypts output from the tpmencrypt command. The tpmdecrypt
utility performs the following operations to decrypt the data:
• Loads the private key and symmetric key generated by tpmencrypt into the TPM and uses
a procedure similar to the procedure described in “Chain of Protection” (page 17) to extract
the decrypted symmetric key.
• Decrypts the input file using the symmetric key and the appropriate bulk data encryption
algorithm.
• Restores the decrypted file to the location specified when the file was created with the
tpmencrypt command.
To prevent TPM congestion, the bulk data encryption and decryption operations are performed
by the system processors instead of the TPM.
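The chain of protection described above (data key, wrapped by a TPM key, whose private part is wrapped by the RK) as an added model in Python; this is not HP-UX or TCS code. It assumes a toy HMAC-SHA256 keystream cipher in place of the real bulk and wrapping algorithms, a SimulatedTPM class standing in for the TPM that holds the RK, and an in-memory dictionary in place of files and folders.

```python
# Added model of the tpmencrypt/tpmdecrypt chain of protection; not HP-UX/TCS code.
# Assumptions: toy HMAC keystream cipher, SimulatedTPM in place of a real TPM and RK.
import hashlib, hmac, json, os, zlib

def keystream_xor(key, nonce, data):
    """Toy CTR-style cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(key, plaintext):          # fresh nonce per wrap, prepended to the ciphertext
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)

def unwrap(key, blob):
    return keystream_xor(key, blob[:16], blob[16:])

class SimulatedTPM:
    """Models the TPM: the RK is created inside and is never returned to the caller."""
    def __init__(self):
        self._rk = os.urandom(32)  # stands in for the RK (an asymmetric pair in a real TPM)
    def protect_key(self, key):    # "encrypt with the public key component of the RK"
        return wrap(self._rk, key)
    def load_key(self, blob):      # load the wrapped key back into the TPM and recover it
        return unwrap(self._rk, blob)

def tpmencrypt(tpm, files):
    """files: {path: bytes}. Returns a self-describing output like tpmencrypt's output."""
    stream = zlib.compress(json.dumps({p: c.hex() for p, c in files.items()}).encode())
    sym_key = os.urandom(32)       # data encryption key for the bulk cipher
    tpm_key = os.urandom(32)       # stands in for the TPM asymmetric key pair
    return {
        "alg": "toy-hmac-ctr",     # bulk algorithm recorded so tpmdecrypt can select it
        "digest": hashlib.sha256(stream).hexdigest(),    # lets tpmdecrypt detect a wrong RK
        "enc_sym_key": wrap(tpm_key, sym_key).hex(),
        "enc_priv_key": tpm.protect_key(tpm_key).hex(),  # encrypted private key, on by default
        "data": wrap(sym_key, stream).hex(),
    }

def tpmdecrypt(tpm, out):
    """Unwind the chain RK -> TPM key -> symmetric key -> data; None if the chain fails."""
    tpm_key = tpm.load_key(bytes.fromhex(out["enc_priv_key"]))
    sym_key = unwrap(tpm_key, bytes.fromhex(out["enc_sym_key"]))
    stream = unwrap(sym_key, bytes.fromhex(out["data"]))
    if hashlib.sha256(stream).hexdigest() != out["digest"]:
        return None                # wrong TPM/RK or altered output: do not trust anything below
    return {p: bytes.fromhex(c) for p, c in json.loads(zlib.decompress(stream)).items()}
```

Decrypting the same output on a SimulatedTPM with a different RK returns None, which is the point of anchoring the chain in the TPM: the output file alone is useless without the RK that wrapped the private key.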
Comparing EVFS and TPM On-Demand Encryption
EVFS encrypts and decrypts entire volumes of data. Administrators can enable EVFS volumes
at system startup time without human intervention. After an EVFS volume is enabled, EVFS
automatically decrypts data as needed without human intervention. Because of these features,
EVFS is suited for protecting data at rest, that is, when the volumes are not in use, such as when
a volume device is physically transported. EVFS is also suitable for implementations when data
Overview 35