Example: Alternate Directory for Public Keys

The following attribute statements configure EVFS to store public keys in the user-created directory /etc/evfs/mykeys and to store private keys and passphrase files in the directory /etc/evfs/pkey:

pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/mykeys,onfail:stop]

priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]

pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]

Example: NFS Directory for Public and Private Keys

The following attribute statements configure EVFS to store public and private keys in the NFS-mounted directory /nfs_server1/etc/evfs/pkey and to store passphrase files in the local directory /etc/evfs/pkey:

pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/nfs_server1/etc/evfs/pkey,onfail:stop]

priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/nfs_server1/etc/evfs/pkey,onfail:stop]

pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:stop]

To use the autostart feature for volumes that have keys stored in NFS-mounted directories, you must specify the boot_remote option in the /etc/evfs/evfstab file. See “Step 5: (Optional) Configuring the Autostart Feature” (page 62) for more information.

Example: Fallback Directory for Nonprivileged Users

The following attribute statements configure EVFS to first attempt to store key data in the protected directory /etc/evfs/pkey. If that attempt fails, EVFS falls back to the user-created directory /opt/evfskeys, which is writable by the appropriate users without superuser privileges. If EVFS cannot access /opt/evfskeys, EVFS stops processing the request and returns an error.

pub_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/opt/evfskeys,onfail:stop]

priv_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/opt/evfskeys,onfail:stop]

pass_key = /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/etc/evfs/pkey,onfail:continue] /usr/lib/evfs/hpux64/libevfs_pkey.so[pkeydir:/opt/evfskeys,onfail:stop]

To use the autostart feature to enable an EVFS volume using keys stored on the root disk of the local system, specify the boot_local option for the volume in the /etc/evfs/evfstab file. To use the autostart feature to enable an EVFS volume using keys stored on a nonroot disk of the local system, specify the boot_local2 option for the volume. In this example, /opt/evfskeys is not on the root disk, so you must specify boot_local2 to use the autostart feature for EVFS volumes enabled using keys stored in /opt/evfskeys. See “Step 5: (Optional) Configuring the Autostart Feature” (page 62) for more information.
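The fallback order in the example above can be checked before deployment. The following Python sketch is an added example, not part of the HP manual or of EVFS: it parses the attribute statements, walks each chain using the onfail semantics described in the text, and flags entries that can never be reached. The function names and the use of directory write access as the test for "EVFS can store keys here" are assumptions.

```python
import os
import re

# Constructed sample: the three fallback statements from the example above.
LIB = "/usr/lib/evfs/hpux64/libevfs_pkey.so"
CHAIN = f"{LIB}[pkeydir:/etc/evfs/pkey,onfail:continue] {LIB}[pkeydir:/opt/evfskeys,onfail:stop]"
SAMPLE = "\n".join(f"{attr} = {CHAIN}" for attr in ("pub_key", "priv_key", "pass_key"))

# One storage entry: module[pkeydir:<directory>,onfail:<stop|continue>]
ENTRY = re.compile(r"(\S+?)\[pkeydir:([^,\]]+),onfail:\s*(stop|continue)\]")

def parse_chains(text):
    """Return {attribute: [(module, pkeydir, onfail), ...]} in search order."""
    chains = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        attr, value = (part.strip() for part in line.split("=", 1))
        chains[attr] = ENTRY.findall(value)
    return chains

def usable(pkeydir):
    """Assumption: 'EVFS can store keys here' is approximated by write+search access."""
    return os.access(pkeydir, os.W_OK | os.X_OK)

def resolve(chain, accessible=usable):
    """Walk the chain in order; return the directory used, or None on error."""
    for _module, pkeydir, onfail in chain:
        if accessible(pkeydir):
            return pkeydir
        if onfail == "stop":      # stop: report an error, try nothing further
            return None
    return None                   # every entry said continue and all failed

def unreachable(chains):
    """Flag entries listed after an onfail:stop entry; they can never be tried."""
    findings = []
    for attr, chain in chains.items():
        for i, (_module, pkeydir, onfail) in enumerate(chain[:-1]):
            if onfail == "stop":
                dead = [d for _m, d, _o in chain[i + 1:]]
                findings.append(f"{attr}: {dead} unreachable after {pkeydir}")
                break
    return findings

if __name__ == "__main__":
    chains = parse_chains(SAMPLE)
    for attr, chain in chains.items():
        print(attr, "->", resolve(chain) or "error (no usable directory)")
    print(unreachable(chains) or "no unreachable entries")
```

Run as the nonprivileged user who will create keys to see which directory each chain resolves to for that user.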

Step 2: (Optional) Configuring Alternate Key Database Directories

HP UX Encrypted Volume and Filesystem (EVFS) manual Example Alternate Directory for Public Keys