Figure 1-3 Enabling an EVFS Volume (figure placeholder; the numbered steps below are the text recovered from the diagram)

1. evfsvol enable my_evol
   Enter passphrase: my_passphrase
2. my_passphrase decrypts user 1's private key.
3. User 1's private key decrypts the key record to extract the volume encryption key.
4. EVFS uses the volume encryption key to encrypt and decrypt the volume data as needed.

Key Names and Key IDs

Each public/private key pair has an owner and a key name. A user can have multiple public/private key pairs. The default key name (the name EVFS uses if you do not specify a key name) is the owner's user account name.

Public/private key pairs are also identified by a key ID formed by concatenating the owner's user account name and the key name, separated by a period (.). For example, the user bob owns the key pair named bobkey1. The key ID for this key pair is bob.bobkey1.

User Key and Passphrase Storage

By default, EVFS stores keys in a local database under the directory /etc/evfs/pkey. EVFS creates a subdirectory for each user who owns EVFS user keys. The subdirectory name is the user account name.

File Names

When using the default key storage directory, EVFS uses the following directory and file names to store user keys:

Public Key

/etc/evfs/pkey/user_name/key_name.pub, where user_name is the key owner's name and key_name is the key name.

Private Key

/etc/evfs/pkey/user_name/key_name.priv, where user_name is the key owner's name and key_name is the key name.

Stored Passphrase

/etc/evfs/pkey/user_name/key_name.pass.nnn, where user_name is the key owner's name, key_name is the key name, and nnn is a number based on system-specific data.
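The following Python script is an added example, not code from the HP-UX EVFS manual or from HP. It applies the two naming rules above (key ID = owner.key_name, and the .pub / .priv / .pass.nnn file layout under the key database directory) to derive the expected paths for a key pair, and then audits a key database directory for private keys and stored passphrases that are accessible to group or other. The permission policy it enforces (secret files should be mode 0600), the assumption that owner names contain no period, the placeholder file contents and the constructed nnn value 001 are all this example's assumptions, not statements from the manual.

```python
"""Added example (not from the HP-UX EVFS manual): derive key IDs and default
key-store paths from the naming rules in the text, and audit a key database
directory for secret files with loose permissions."""
import os
import stat
import tempfile
from pathlib import Path

# Default user key database location named in the manual.
DEFAULT_KEY_DIR = Path("/etc/evfs/pkey")


def key_id_for(owner, key_name=None):
    """Key ID = owner + '.' + key name; the default key name is the owner's account name."""
    return f"{owner}.{key_name or owner}"


def parse_key_id(key_id):
    """Split a key ID back into (owner, key_name).
    Assumption of this example: owner names contain no period, so the first
    period is the separator."""
    owner, sep, key_name = key_id.partition(".")
    if not (sep and owner and key_name):
        raise ValueError(f"malformed key ID: {key_id!r}")
    return owner, key_name


def key_file_paths(owner, key_name, base=DEFAULT_KEY_DIR):
    """Expected files for one key pair under the key database. The stored
    passphrase suffix 'nnn' is system-specific, so it is matched with a glob."""
    user_dir = Path(base) / owner
    return {
        "public": user_dir / f"{key_name}.pub",
        "private": user_dir / f"{key_name}.priv",
        "passphrases": sorted(user_dir.glob(f"{key_name}.pass.*")),
    }


def audit_key_dir(base):
    """Flag private keys and stored passphrases readable or writable by group/other,
    plus any file that is not one of the three documented kinds. The mode policy
    is this example's assumption, not a rule from the manual."""
    findings = []
    for user_dir in sorted(p for p in Path(base).iterdir() if p.is_dir()):
        for f in sorted(user_dir.iterdir()):
            if f.name.endswith(".priv") or ".pass." in f.name:
                mode = stat.S_IMODE(f.stat().st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append(
                        (str(f), f"secret file accessible to group/other (mode {mode:04o})"))
            elif not f.name.endswith(".pub"):
                findings.append((str(f), "unexpected file in key database"))
    return findings


def build_sample_db(root):
    """Constructed sample layout (placeholder contents, not real key material):
    bob.bobkey1 with one stored passphrase, and alice's default-named key."""
    base = Path(root) / "pkey"
    for owner, key_name in (("bob", "bobkey1"), ("alice", "alice")):
        d = base / owner
        d.mkdir(parents=True)
        (d / f"{key_name}.pub").write_text("PLACEHOLDER PUBLIC KEY\n")
        (d / f"{key_name}.priv").write_text("PLACEHOLDER PRIVATE KEY\n")
        os.chmod(d / f"{key_name}.priv", 0o600)
    # 'nnn' is system-specific on a real host; 001 is a constructed value here.
    pass_file = base / "bob" / "bobkey1.pass.001"
    pass_file.write_text("PLACEHOLDER STORED PASSPHRASE\n")
    os.chmod(pass_file, 0o640)                       # group-readable: flagged
    os.chmod(base / "alice" / "alice.priv", 0o644)   # world-readable: flagged
    return base


def demo():
    """Build the sample database in a temporary directory and return the results."""
    root = tempfile.mkdtemp(prefix="evfs-example-")
    base = build_sample_db(root)
    bob = key_file_paths("bob", "bobkey1", base)
    return {
        "bob_key_id": key_id_for("bob", "bobkey1"),
        "alice_key_id": key_id_for("alice"),
        "parsed": parse_key_id("bob.bobkey1"),
        "bob_private": bob["private"].name,
        "bob_passphrases": [p.name for p in bob["passphrases"]],
        "findings": audit_key_dir(base),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

To audit a real host instead of the constructed layout, call audit_key_dir(DEFAULT_KEY_DIR) as a user that can read /etc/evfs/pkey; a stored passphrase file is as sensitive as the private key it unlocks, which is why the audit treats both the same way.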

Alternate Storage Databases and Distributed Key Storage

You can configure EVFS to use different file directories for the user key database that contains the public keys, private keys, and stored passphrases. The directories can be local directories or remote directories that are NFS-mounted. You can also configure EVFS to use different database directories according to the data type (key type or stored passphrase), and to use fallback directories if attempts to store key data fail.

EVFS Architecture 23

HP-UX Encrypted Volume and Filesystem (EVFS) manual