HP-UX Trusted Computing Services A.02.00 Administrator's Guide
in volumes or files are opened without direct human intervention by applications such as
databases.
EVFS also includes a key management infrastructure that enables administrators to create keys
with different capabilities and provides a key recovery service.
By comparison, the TCS on-demand encryption and decryption feature provides a simple method
for users to encrypt and decrypt a file or group of files as needed by running command-line
utilities. These utilities use the TPM key infrastructure; no additional key management is needed.
Using the tpmencrypt Utility
In most cases, you can use the following syntax for tpmencrypt:
tpmencrypt -o output input
Where output is the output file and input is the input file or directory.
In the following example, tpmencrypt encrypts the file foo and stores the results in
protected_foo. The user does not specify a secret passphrase, so tpmencrypt prompts the
user for one:
# tpmencrypt -o protected_foo foo
Enter Passphrase:
Verifying - Enter Passphrase:
tpmencrypt Options
This section describes some of the tpmencrypt options. For descriptions of all the options, see
tpmencrypt(1).
Specifying Alternate Data Encryption Algorithms
By default, tpmencrypt encrypts data using the Advanced Encryption Standard algorithm
(AES) in Cipher Block Chaining (CBC) mode with a 256-bit key. You can use the -a option to
specify an alternate algorithm. For a complete list of supported algorithms, see tpmencrypt(1).
Storing the TCS Encryption Key in System Persistent Storage
If you specify the -d option, tpmencrypt stores the encrypted private key in TCS persistent
storage instead of including it in the output.
Disabling Password Protection
By default, the output from tpmencrypt is password protected. You can specify the -n option
to disable password protection. If password protection is not disabled, tpmencrypt checks if
you specified a password in the command line with the -p option. If you do not specify the -p
option, tpmencrypt uses the value of the environment variable TCS_PASS as the password if
it is set. If you do not specify the -p option and TCS_PASS is not set, tpmencrypt prompts
you for a password.
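The precedence just described (-n, then -p, then TCS_PASS, then an interactive prompt) is easy to get wrong in batch scripts, where the passphrase source also decides whether the secret ends up as a visible process argument. The following POSIX sh script is an added example, not part of the HP-UX guide and not code shipped with TCS: it models the documented precedence and prints the tpmencrypt command line that would result, without invoking tpmencrypt. The function names resolve_pass_source and build_tpmencrypt_cmd are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the HP-UX TCS guide): model the documented passphrase
# precedence of tpmencrypt so an administrator can see which source a given
# invocation would use before running it. It never calls tpmencrypt itself.
#
# resolve_pass_source NOFLAG CLIPASS
#   NOFLAG  : "yes" if -n was given, otherwise "no"
#   CLIPASS : the value given with -p, or empty if -p was not given
# Prints one of: disabled, option, env, prompt
resolve_pass_source() {
    noflag=$1
    clipass=$2
    if [ "$noflag" = yes ]; then
        echo disabled        # -n: the output is not password protected at all
    elif [ -n "$clipass" ]; then
        echo option          # a -p value takes precedence over TCS_PASS
    elif [ -n "${TCS_PASS:-}" ]; then
        echo env             # TCS_PASS is set in the environment
    else
        echo prompt          # tpmencrypt asks for the passphrase interactively
    fi
}

# build_tpmencrypt_cmd OUTPUT INPUT NOFLAG CLIPASS
# Prints the tpmencrypt command line that would be run for these inputs, so
# the administrator can check whether the passphrase would appear in argv.
build_tpmencrypt_cmd() {
    dst_file=$1
    src_file=$2
    noflag=$3
    clipass=$4
    src=$(resolve_pass_source "$noflag" "$clipass")
    case $src in
        disabled) echo "tpmencrypt -n -o $dst_file $src_file" ;;
        option)   echo "tpmencrypt -p $clipass -o $dst_file $src_file" ;;
        *)        echo "tpmencrypt -o $dst_file $src_file" ;;  # env or prompt: no secret in argv
    esac
}

# Usage (constructed sample values, nothing is encrypted):
#   unset TCS_PASS; build_tpmencrypt_cmd protected_foo foo no ''   -> prompt, no secret on the line
#   TCS_PASS=x build_tpmencrypt_cmd protected_foo foo no ''        -> env, no secret on the line
#   build_tpmencrypt_cmd protected_foo foo no s3cret               -> -p s3cret is visible in argv
```

The design point the script makes visible: of the three protected modes, only -p places the passphrase on the command line, where on Unix systems it is generally readable by other local users through ps and in shell history; TCS_PASS keeps it out of the argument list, and the interactive prompt keeps it out of both the argument list and the environment.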
Using the tpmdecrypt Utility
In most cases, you can use the following syntax for tpmdecrypt:
tpmdecrypt -i input
Where input is the name of the file containing the output from the tpmencrypt command.
For example:
# tpmdecrypt -i protected_foo
Enter Passphrase:
36 Using TCS On-Demand Encryption Utilities