HP-UX Trusted Computing Services A.02.00 Administrator's Guide

Figure 7-1 EVFS Encryption Keys
[Figure: diagram of the EVFS key chain. Labels recovered from the figure: EVFS Volume; Encryption Metadata (EMD); Encrypted Data; Key Records; Volume Encryption Key; User 1's Public Key Encrypts the Volume Encryption Key; User 1's Private Key Decrypts the Volume Encryption Key; TCS EVFS Key Protects the User Private Key; Volume Encryption Key Encrypts/Decrypts the Data; "my_passphrase" Authorizes Access to the TCS EVFS Key; Stored Passphrase: System-specific data encrypts "my_passphrase".]
When a user performs an EVFS operation that requires an EVFS user key (such as enabling a volume with the evfsvol command), the user enters the EVFS passphrase or uses an EVFS passphrase file as he would when using EVFS without TCS. However, instead of processing the passphrase directly, EVFS forwards the passphrase and encrypted EVFS private key to TCS. If a passphrase file is used, EVFS decrypts the file before forwarding the passphrase to TCS. TCS uses the passphrase to authorize access to the TCS EVFS private key, and uses the TPM to decrypt the EVFS private key using the mechanism described in "Chain of Protection" (page 17). TCS then returns the decrypted EVFS private key to EVFS.

For a full description of EVFS and how it functions, see the HP-UX Encrypted Volumes and File Systems (EVFS) documentation available at http://docs.hp.com/en/internet.html#Encrypted%20Volume%20and%20File%20System%20%28EVFS%29
Configuring EVFS to Use TCS
There are two methods for configuring EVFS to use a TCS library:
• Run the evfs_setup script.
• Manually update the appropriate EVFS and TCS configuration files.
Using the evfs_setup Script to Update Configuration Files
The /opt/tcs/bin/misc/evfs_setup script enables or disables TCS for EVFS. To use this
script to enable TCS for EVFS, enter the following command:
/opt/tcs/bin/misc/evfs_setup enable
This script makes the following modifications to the /etc/evfs/evfs.conf file:
• Changes the keywrap entry to:
      keywrap = evfs-tcs-1.0
  This configures EVFS to use TCS to encrypt new private keys.
• On systems with EVFS v1.0, changes the pbe entry to:
      pbe = /usr/lib/evfs/hpux64/libevfs_pbe.so
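The following POSIX shell script is an added example, not HP's evfs_setup script, showing how an administrator could apply or verify the two evfs.conf changes described above when taking the manual route. The helper names (set_conf_entry, get_conf_entry, enable_tcs_for_evfs, tcs_keywrap_enabled, make_sample_conf) and the sample evfs.conf content are constructed for illustration; the real file lives at /etc/evfs/evfs.conf and the script says nothing about the TCS-side configuration files, which this page does not describe.

```shell
#!/bin/sh
# Added example (not HP's evfs_setup): set or check the keywrap and pbe
# entries of an EVFS configuration file as the text describes. Paths other
# than the two values named in the text, and the sample file, are constructed.

# Set "key = value" in file $1. An existing entry for the key is replaced in
# place; if there is none, one is appended. Other lines are left untouched.
set_conf_entry() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null; then
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp" 2>/dev/null || :
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Print the value configured for key $2 in file $1 (empty if the key is unset).
get_conf_entry() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Apply the "evfs_setup enable" modifications to file $1.
# $2 is the EVFS version string; only v1.0 systems also get the pbe entry.
enable_tcs_for_evfs() {
    set_conf_entry "$1" keywrap evfs-tcs-1.0
    if [ "$2" = "1.0" ]; then
        set_conf_entry "$1" pbe /usr/lib/evfs/hpux64/libevfs_pbe.so
    fi
}

# Succeed (exit 0) only when file $1 wraps new private keys with TCS,
# i.e. the keywrap entry is exactly evfs-tcs-1.0. Useful as a post-change
# check or in a compliance script.
tcs_keywrap_enabled() {
    [ "$(get_conf_entry "$1" keywrap)" = "evfs-tcs-1.0" ]
}

# Write a constructed sample evfs.conf (not taken from a real system) to $1,
# with a non-TCS keywrap entry and an unrelated entry that must survive edits.
make_sample_conf() {
    cat > "$1" <<'EOF'
# sample evfs.conf (constructed for this example)
keywrap = evfs-1.0
# unrelated entry, must be left untouched
key_store = /etc/evfs/keys
EOF
}
```

Source the file and run `enable_tcs_for_evfs /etc/evfs/evfs.conf 1.0` as root to mirror the script's changes, or `tcs_keywrap_enabled /etc/evfs/evfs.conf && echo enabled` to confirm them afterwards; the replace-in-place logic keeps a second run from adding a duplicate keywrap line.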
62 Protecting EVFS Keys with TCS