HP-UX Encrypted Volume and Filesystem (EVFS) manual: Glossary


Glossary

AES

Advanced Encryption Standard. AES uses a symmetric key block encryption. EVFS supports AES with a 128-bit, 256-bit, or 292-bit key for encrypting volume data. AES is suitable for encrypting large amounts of data.

authorized user

A user who is authorized to enable and disable an EVFS volume, and perform other administrative operations on an EVFS volume. If an authorized user has the appropriate file permissions for the EVFS device file, he can perform nearly all the same EVFS operations as the volume owner, including enabling and disabling encryption and decryption access to an EVFS volume.

autostart

An EVFS feature that automatically enables EVFS volumes at system startup, without manual intervention.

cleartext

Data that is not encrypted.

cluster key pair

An EVFS key pair used by multiple nodes in a Serviceguard cluster.

EMD

Encryption metadata. The EMD contains EVFS operating parameters for an EVFS volume, including the encryption algorithm. The EMD also includes key records. Each key record contains the volume encryption key, encrypted with a user's public key.

encryption

The process of converting data from a readable format to a nonreadable format for privacy. Encryption functions usually take data and a cryptographic key (value or bit sequence) as input.

key record

An entry in the EMD of a volume. The key record contains the volume encryption key, encrypted with a user's public key. The user's private key is used to decrypt and extract the volume encryption key for use. A key record is sometimes referred to as an envelope.
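As an added illustration of the EMD and key record entries above (example code, not from the EVFS manual or from HP), this Go sketch models an EMD as a list of key records, each holding the volume encryption key wrapped with one user's RSA public key. The struct names, the OAEP padding and the OAEP label are assumptions for the example; it shows that a second authorized user is added by appending a record, without touching the encrypted volume data, and that only the matching private key unwraps a record.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyRecord is the glossary's "envelope": the volume key wrapped with one user's public key.
type KeyRecord struct {
	User    string
	Wrapped []byte
}

// EMD is a simplified encryption metadata block: the algorithm plus one key record per user.
type EMD struct {
	Algorithm string
	Records   []KeyRecord
}

var oaepLabel = []byte("evfs-volume-key") // constructed OAEP label, not an EVFS value

// NewVolumeKey returns a random 256-bit AES volume encryption key.
func NewVolumeKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// AddKeyRecord wraps volKey with one user's RSA public key; the volume data is untouched.
func (e *EMD) AddKeyRecord(user string, pub *rsa.PublicKey, volKey []byte) error {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, volKey, oaepLabel)
	if err != nil {
		return err
	}
	e.Records = append(e.Records, KeyRecord{User: user, Wrapped: w})
	return nil
}

// UnwrapVolumeKey recovers the volume key from user's record; a mismatched private key errors.
func (e *EMD) UnwrapVolumeKey(user string, priv *rsa.PrivateKey) ([]byte, error) {
	for _, r := range e.Records {
		if r.User == user {
			return rsa.DecryptOAEP(sha256.New(), nil, priv, r.Wrapped, oaepLabel)
		}
	}
	return nil, fmt.Errorf("no key record for %q", user)
}
```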

owner

See volume owner.

passphrase

A text string that EVFS uses to encrypt a user's private key.

passphrase file

A file containing a passphrase, encrypted with system-specific information. The EVFS subsystem can decrypt the passphrase file and extract a user's private key. EVFS can then use the user's private key to extract the volume encryption key from a key record.

A passphrase file can be used to perform EVFS operations, such as enabling an EVFS volume, without human intervention. A passphrase file is also a security risk.

private key

1. The key in a public/private key pair that is not distributed to other parties. Data encrypted with the public key can be decrypted only with the private key.

2. Any encryption key that is distributed to restricted parties, including a symmetric key.

public key cryptography

A cryptographic method using two mathematically related keys (k1 and k2) such that data encrypted with k1 can be decrypted only using k2. In addition, most algorithms provide assurance that only the holder of k1 can correctly encrypt data that can be decrypted by k2. One key must be private (known only to the owner), but the second key can be widely known (public), which makes key distribution easy to manage. Public key encryption is computationally expensive, so it is impractical for bulk data encryption. Instead, public key cryptography is usually used to authenticate data or to encrypt ("wrap") symmetric keys.

Also referred to as asymmetric key cryptography (the two keys are not the same) or public-private key cryptography.

recovery key

A key pair that a user can use to change the owner of an EVFS volume. Only a user who has the private recovery key file or an EVFS volume owner can assign a new EVFS volume owner.

RSA

(Rivest-Shamir-Adleman) A public/private key cryptosystem that is used for privacy (encryption) and authentication (signatures). For encryption, system A can send data encrypted with system B's public key. Only system B's private key can decrypt the data.

EVFS uses RSA cryptography to secure volume encryption keys. EVFS supports 1024-bit, 1536-bit, and 2048-bit RSA keys.

symmetric key cryptography

A cryptographic method that uses the same key (bit string) to encrypt and decrypt the data.
