HP-UX Trusted Computing Services A.02.00 Administrator's Guide

On systems with EVFS v1.1, it changes the pbe entry to:

    pbe = /usr/lib/evfs/hpux64/libevfs_pbe.so[onfail:continue]
          /opt/tcs/lib/libevfs_tcspbe.so.1

These statements configure EVFS to use the TCS library to encrypt and decrypt EVFS private
keys. On systems with EVFS v1.1, EVFS will attempt to use its default PBE library if it cannot
decrypt the private key using the TCS library. This configuration enables EVFS to use both
TPM-protected private keys and software private keys.
The script also sets the TCS_EVFSENABLED flag in the /etc/rc.config.d/tcsconf file.
This script is provided as a convenience and has been designed only for use with EVFS v1.0 and
v1.1. For later versions of EVFS, HP strongly recommends using the manual configuration steps
described at the beginning of this section.

Manually Updating Configuration Files

To manually update the EVFS and TCS configuration files, follow these steps:

1. Modify the EVFS configuration file /etc/evfs/evfs.conf as follows:

   a. Configure EVFS to use TCS to encrypt new private keys by modifying the keywrap
      statement as follows:

          keywrap = evfs-tcs-1.0

   b. Modify the value of the pbe attribute to use the TCS library to encrypt and decrypt
      EVFS private keys.

      On systems with EVFS v1.0, modify the pbe statement as follows:

          pbe = /opt/tcs/lib/libevfs_tcspbe.so.1

      This format specifies one library and is sufficient if all EVFS volumes have or will have
      private keys secured by TCS only (there are no existing EVFS volumes with private
      keys that are not secured by TCS).

      EVFS v1.1 enables you to specify multiple libraries to encrypt and decrypt EVFS private
      keys. You must use this format to use TCS with EVFS if you also have existing EVFS
      volumes with private keys not secured by TCS. This format has the following syntax:

          pbe = library[onfail:action] ...

      Where:

      library   Specifies the encryption library for securing the EVFS private keys.
                Valid values are:
                  /opt/tcs/lib/libevfs_tcspbe.so.1     (TCS encryption)
                  /usr/lib/evfs/hpux64/libevfs_pbe.so  (EVFS software-based encryption)

      [         Is a literal left square bracket.

      action    Specifies the EVFS action if attempts to encrypt or decrypt private keys
                using the library fail. Valid values:
                  continue  (continue to the next library value)
                  stop      (stop processing and return an error)

      ]         Is a literal right square bracket.
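
The following check is an added example, not part of the HP guide or of EVFS/TCS: it reads evfs.conf text and reports keywrap and pbe settings that do not match the syntax and values described above, including a library path outside the two listed ones. It assumes the pbe chain is whitespace-separated on one logical line and that '#' starts a comment; the function names and the sample are constructed for illustration.

```python
import re

# Library paths and actions are the values listed in this section of the guide.
TCS_LIB = "/opt/tcs/lib/libevfs_tcspbe.so.1"
SW_LIB = "/usr/lib/evfs/hpux64/libevfs_pbe.so"
VALID_LIBS = {TCS_LIB, SW_LIB}
VALID_ACTIONS = {"continue", "stop"}
ENTRY = re.compile(r"^(?P<lib>[^\[\]\s]+)(?:\[onfail:(?P<action>[^\[\]\s]*)\])?$")
# Constructed sample: a v1.1-style chain whose first entry stops on failure.
SAMPLE = "keywrap = evfs-tcs-1.0\npbe = " + SW_LIB + "[onfail:stop] " + TCS_LIB

def parse_pbe(value):
    """Split a pbe value into (library, action-or-None) tuples; ValueError if malformed."""
    chain = []
    for token in value.split():
        m = ENTRY.match(token)
        if not m:
            raise ValueError(f"malformed pbe entry: {token!r}")
        chain.append((m["lib"], m["action"]))
    if not chain:
        raise ValueError("pbe has no library")
    return chain

def lint_evfs_conf(text):
    """Return a list of findings for the keywrap and pbe statements in evfs.conf text."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    findings = []
    if settings.get("keywrap") != "evfs-tcs-1.0":
        findings.append("keywrap is not evfs-tcs-1.0: new private keys are not wrapped by TCS")
    try:
        chain = parse_pbe(settings.get("pbe", ""))
    except ValueError as exc:
        return findings + [str(exc)]
    for i, (lib, action) in enumerate(chain):
        if lib not in VALID_LIBS:  # a shared library that handles private keys
            findings.append(f"unexpected PBE library: {lib}")
        if action is not None and action not in VALID_ACTIONS:
            findings.append(f"invalid onfail action: {action}")
        if action == "stop" and i < len(chain) - 1:
            findings.append(f"onfail:stop on {lib} makes later libraries unreachable")
    if TCS_LIB not in [lib for lib, _ in chain]:
        findings.append("TCS library missing from pbe: TPM-protected keys cannot be decrypted")
    return findings
```

Calling lint_evfs_conf(SAMPLE) reports the misplaced stop; an empty list means the two statements match the formats given in this section.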