1. If you are moving the volume to another system, add an authorized user key pair for the administrator on the destination system. You will use this key pair on the destination system.

a. Create a new key pair for the administrator on the destination system using the following criteria:

The user account for the key owner must exist on the destination system.

The key name must be unique for the owner on the destination system.

You must know the passphrase for the private key, so do not specify the -s option for the evfspkey command. When you use the -s option, EVFS generates and stores the passphrase for you, and you cannot retrieve it. Stored passphrase files are encrypted with system-specific information, so a stored passphrase created on one system is unusable on any other system.

Use the following evfspkey keygen command syntax:

evfspkey keygen [-c cipher] [-u user] [-k keyname]

where:

-c cipher Specifies the type of public/private keys to create.

Valid values:

rsa-1024 (RSA 1024-bit keys)
rsa-1536 (RSA 1536-bit keys)
rsa-2048 (RSA 2048-bit keys)

Default: rsa-1536

-u user Specifies the user name of the key owner. This must be a valid user name on the destination system. If you do not specify -u user, evfspkey uses your user name as the key owner. You must have superuser or the appropriate privileges to create a key pair for another user.

-k keyname Specifies the key name. Specify a key name that does not already exist for the key owner on the destination system. If you do not specify -k keyname, evfspkey uses the user name as the key name.

Valid value: An ASCII string, 1 to 255 characters long.

The evfspkey utility prompts you for a passphrase to protect the private key.

IMPORTANT: Make a note of this passphrase, because you must specify it when you administer the EVFS volume on the target system.

b. Use the following command to add the key to the EVFS volume:

evfsvol add -u user [-k keyname] evfs_volume_path

where:

-k keyname Specifies the name of the key to add. If you do not specify -k keyname, evfsvol uses your user name as the key name.

evfs_volume_path Specifies the absolute pathname for the EVFS volume device file, such as /dev/evfs/vg01/lvol5, /dev/evfs/vx/dsk/rootdg/vol05, or /dev/evfs/dsk/c2t0d1.
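The following pre-flight script is an added example and is not part of the HP-UX EVFS manual or the EVFS utilities. It checks the constraints step 1 states before any command is run on the destination system: the cipher is one of the three documented values (empty selects the documented default rsa-1536), the key name is an ASCII string of 1 to 255 characters and defaults to the user name, the key owner exists on the system, and the volume argument is an absolute /dev/evfs/... device path. It then prints the evfspkey keygen and evfsvol add command lines for review instead of executing them, and never emits -s, because a stored passphrase is bound to the generating system. The function names, the argument order, the DRY-RUN approach and the sample values in the demo line are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the HP-UX EVFS manual: pre-flight checks for
# the key-migration procedure in step 1 (evfspkey keygen, then evfsvol add).
# Prints the command lines instead of running them. Function names and the
# demo values at the bottom are this example's own assumptions.

# Default location of the per-user key database, as stated in the manual.
EVFS_PKEY_DIR=/etc/evfs/pkey

# Print the cipher to use. An empty argument selects the documented default
# (rsa-1536); anything outside the three documented values is rejected.
evfs_resolve_cipher() {
    cipher=${1:-rsa-1536}
    case "$cipher" in
        rsa-1024|rsa-1536|rsa-2048) printf '%s\n' "$cipher" ;;
        *) printf 'invalid cipher: %s (use rsa-1024, rsa-1536 or rsa-2048)\n' "$cipher" >&2
           return 1 ;;
    esac
}

# Key name rule from the manual: an ASCII string, 1 to 255 characters long.
evfs_validate_keyname() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 255 ] || return 1
    # Reject any byte outside printable ASCII (octal 040-176).
    [ -z "$(printf '%s' "$name" | LC_ALL=C tr -d '\040-\176')" ]
}

# The volume argument must be the absolute device file path under /dev/evfs.
evfs_validate_volume_path() {
    case "$1" in
        /dev/evfs/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the step 1 commands plus the key directory whose files are copied to
# removable media later. -s is deliberately never emitted: a stored
# passphrase is unusable on any other system, so it must be typed and noted.
# Arguments: owner keyname cipher volume_path (keyname and cipher may be "").
evfs_plan_key_migration() {
    owner=$1 keyname=$2 volume=$4
    cipher=$(evfs_resolve_cipher "$3") || return 1
    keyname=${keyname:-$owner}   # evfspkey/evfsvol default: the user name
    id -u "$owner" >/dev/null 2>&1 || { printf 'no such user: %s\n' "$owner" >&2; return 1; }
    evfs_validate_keyname "$keyname" || { printf 'bad key name: %s\n' "$keyname" >&2; return 1; }
    evfs_validate_volume_path "$volume" || { printf 'bad volume path: %s\n' "$volume" >&2; return 1; }
    printf 'evfspkey keygen -c %s -u %s -k %s\n' "$cipher" "$owner" "$keyname"
    printf 'evfsvol add -u %s -k %s %s\n' "$owner" "$keyname" "$volume"
    printf 'ls -l %s/%s   # key files to copy to removable media\n' "$EVFS_PKEY_DIR" "$owner"
}

# Demo with constructed values: owner root, key name evfsadmin, default cipher.
evfs_plan_key_migration root evfsadmin "" /dev/evfs/vg01/lvol5
```

Run the script on the destination system before generating the key pair; if it rejects the user, key name or volume path, the evfspkey and evfsvol invocations would fail or create a key that does not match the procedure.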

2. Copy the owner's public and private key files to removable media. You must restore these files on the destination system.

By default, EVFS stores the user key database in subdirectories below /etc/evfs/pkey, with a subdirectory for each user. The administrator can configure alternate database directories using the pub_key, priv_key, and pass_key attributes in the

92 Administering EVFS

HP-UX Encrypted Volume and Filesystem (EVFS) manual