Step 2: (Optional) Configuring Alternate Key Database Directories

EVFS stores user key data (public keys, private keys, and stored passphrases) in a key database. By default, EVFS stores this database in subdirectories and files under the /etc/evfs/pkey directory. You can modify the pub_key, priv_key, and pass_key attribute statements in the /etc/evfs/evfs.conf file to configure EVFS to store the key database in alternate directories.

TIP: Configuring alternate key database directories is optional, and you can skip this step in most topologies.

You can use alternate database directories as follows:

Store public keys, private keys, and passphrase files in different directories according to data type (key type or stored passphrase). For example, you can configure EVFS to store public keys in a public directory because exposing public keys is not a security vulnerability.

Store public and private keys in distributed file directories. For example, you can configure EVFS to store public and private keys in an NFS directory so that administrators can access and use the same keys on multiple systems. This topology is useful when using EVFS with Serviceguard.

NOTE: It is not efficient to store passphrase files in distributed directories. EVFS encrypts passphrases with system-specific data, so you must generate a passphrase file on each system where you want to use the file.

Use fallback directories to allow users without superuser privileges to create user keys. By default, users must have superuser privileges to create EVFS keys because the default key storage directory, /etc/evfs/pkey, is writable only by superusers. You can configure EVFS to use a fallback storage directory if access to the /etc/evfs/pkey directory fails. This enables EVFS to store keys created by users with superuser privileges in the protected /etc/evfs/pkey directory and to allow users without superuser privileges to create EVFS keys in the fallback directory.

Syntax for pub_key, priv_key, and pass_key Attribute Statements

To configure EVFS to use alternate directories for the user keys and stored passphrases, you modify the pub_key, priv_key, and pass_key attribute statements in the /etc/evfs/evfs.conf file. The syntax for these attribute statements is as follows:

pub_key = library[pkeydir:key_directory,onfail:action]...

priv_key = library[pkeydir:key_directory,onfail:action]...

pass_key = library[pkeydir:key_directory,onfail:action]...

Each attribute statement must be on one input line, without line breaks or line continuation characters. A statement can contain multiple library[specifications...] terms, separated by spaces. A library[specifications] term cannot contain spaces.
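The statement grammar above, as an added example that is not part of the EVFS documentation or of HP-UX: a small Python lint that reads the pub_key, priv_key and pass_key lines out of an evfs.conf fragment and reports the violations the text names (a statement broken over a line continuation, spaces inside a library[...] term, a library path that is not fully qualified, a term missing pkeydir or onfail). The sample configuration is constructed; its second pub_key term models the fallback directory described earlier, the onfail keyword ACTION is a placeholder because this section does not list the valid action names, and the assumption that a line starting with # is a comment is mine.

```python
"""Lint the pub_key, priv_key and pass_key statements of an evfs.conf fragment.

Added example, not HP-UX EVFS code. It checks only the syntax rules stated in
the manual text: one statement per line, space-separated library[...] terms,
no spaces inside a term, and a fully qualified library path.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

KEY_ATTRS = ("pub_key", "priv_key", "pass_key")

# One term: library[spec,spec,...]; neither the path nor the bracket body may
# contain whitespace, so a term with a space inside it fails to match.
_TERM_RE = re.compile(r"^(?P<lib>[^\[\s]+)\[(?P<spec>[^\]\s]*)\]$")


class KeyStore(NamedTuple):
    library: str  # fully qualified path of the encryption and storage library
    pkeydir: str  # key database directory this term points at
    onfail: str   # action taken when access to pkeydir fails


def parse_term(term: str) -> KeyStore:
    """Parse one library[pkeydir:dir,onfail:action] term; raise ValueError if malformed."""
    m = _TERM_RE.match(term)
    if not m:
        raise ValueError(
            f"malformed term {term!r}: expected library[pkeydir:dir,onfail:action] with no spaces")
    lib = m.group("lib")
    if not lib.startswith("/"):
        raise ValueError(f"library {lib!r} must be a fully qualified pathname")
    opts: Dict[str, str] = {}
    for field in m.group("spec").split(","):
        name, sep, value = field.partition(":")
        if not sep or not name:
            raise ValueError(f"option {field!r} in {term!r} is not name:value")
        if name in opts:
            raise ValueError(f"option {name!r} repeated in {term!r}")
        opts[name] = value
    missing = sorted({"pkeydir", "onfail"} - opts.keys())
    if missing:
        raise ValueError(f"term {term!r} lacks {missing}")
    if not opts["pkeydir"].startswith("/"):
        raise ValueError(f"pkeydir {opts['pkeydir']!r} must be an absolute path")
    return KeyStore(lib, opts["pkeydir"], opts["onfail"])


def parse_key_statements(conf_text: str) -> Tuple[Dict[str, List[KeyStore]], List[str]]:
    """Return ({attr: [KeyStore, ...]}, [error messages]) for the key attribute lines.

    Lines other than the three key attribute statements are ignored. Lines that
    start with '#' are treated as comments (an assumption about the file format).
    """
    stores: Dict[str, List[KeyStore]] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, rhs = line.partition("=")
        attr = attr.strip()
        if not sep or attr not in KEY_ATTRS:
            continue
        if rhs.rstrip().endswith("\\"):
            errors.append(f"line {lineno}: {attr} uses a line continuation; "
                          "the whole statement must be on one input line")
            continue
        terms: List[KeyStore] = []
        for term in rhs.split():  # terms are separated by spaces
            try:
                terms.append(parse_term(term))
            except ValueError as exc:
                errors.append(f"line {lineno}: {exc}")
        stores[attr] = terms
    return stores, errors


# Constructed sample. The second pub_key term models the fallback directory
# described in the manual; ACTION stands in for an onfail keyword, since this
# section does not list the valid action names. The pass_key line is
# deliberately wrong: its library path is not fully qualified.
SAMPLE_CONF = """\
# constructed evfs.conf fragment (added example, not a shipped file)
pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:ACTION] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/var/opt/evfs/pkey,onfail:ACTION]
priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:ACTION]
pass_key = libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:ACTION]
"""

if __name__ == "__main__":
    found, problems = parse_key_statements(SAMPLE_CONF)
    for attr in KEY_ATTRS:
        for store in found.get(attr, []):
            print(f"{attr}: {store.pkeydir} via {store.library} (onfail={store.onfail})")
    for problem in problems:
        print("ERROR", problem)
```

Run against a copy of the real file, the lint reports the line number of each offending statement; a statement that fails to parse is still recorded with whatever terms did parse, so an administrator can see which fallback directories survived and which term needs fixing before EVFS reads the file.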

The parameters have the following meanings:

pub_key

Indicates that the attribute statement specifies EVFS behavior for user public keys.

priv_key

Indicates that the attribute statement specifies EVFS behavior for user private keys.

pass_key

Indicates that the attribute statement specifies EVFS behavior for passphrases that secure user private keys.

library

Specifies the fully qualified pathname of the encryption and storage library.

Valid values:

/usr/lib/evfs/hpux64/libevfs_pkey.so (HP Integrity servers)
