AIX operating systems

AIX JFS2 encrypted file system backup

Use AIX® JFS2 Encrypted File System (EFS) to back up files either in clear text or raw format. With clear text format, the file is decrypted by EFS as it is read. With raw format, the data is not decrypted. The default is raw format, but when you set the efsdecrypt option to yes, you get clear text backups.

About this task

Important: Whenever you run a backup that includes any files encrypted on an EFS, you must ensure that you use the correct specification of the efsdecrypt option. If the efsdecrypt option value changes between two incremental backups, all encrypted files on EFS file systems are backed up again, even if they have not changed since the last backup. For example, if you are running an incremental backup of encrypted files that were previously backed up as raw, then ensure that efsdecrypt is specified as no. If you change efsdecrypt to yes, all of the files are backed up again in clear text even if they are unchanged, so ensure that you use this option carefully.

If you attempt to restore an encrypted file to either a work station that does not support EFS, or a file system where EFS is not active, an error message is written and the file is skipped.

Here are some reasons to back up EFS using clear text encryption:

  • This type of decryption is useful if you want to use the IBM Spectrum Protect backup-archive client encryption or another type of hardware encryption (for tape systems, for example).
  • You can use clear text for long term archival of data, because the data is stored independent of the platform or encryption scheme.

Here are some things to consider when backing up a file in clear text:

  • The user who invoked the backup-archive client must be able to decrypt it
  • The user can have read access to a file, but not have access to the key

In the following scenarios an error message is issued:

Procedure

  1. The user is running in root guard mode, and EFS has the concept of two types of root. Root admin is the traditional mode. A root in guard mode will not have access to the unencrypted data, unless the user is the owner or a member of the file group.
  2. The user is running with a non-root user ID and attempting an archive of a file to which they have read access, but the user is not the owner or member of the file group. EFS will not allow the data to be decrypted.

Results

Here are some considerations when backing up EFS raw data:

  • The backup-archive client will not honor the client encryption setting, which prevents double encryption, but only at the client. The server has no knowledge that the data is encrypted so any encryption done by a tape drive, for example, still occurs.
  • The client will not honor the compression setting, so the client will not even try to compress the data.
  • The client does not automatically back up or restore the keystore files. When you are restoring encrypted files, you might also have to restore keystores in order to decrypt the data.

    Tips:

    1. To protect the keystore, make sure the contents of /var/efs are included in your periodic backups.
    2. For the keystore data, use IBM Spectrum Protect storage policy with an unlimited number of versions.
  • Encrypted file system (EFS) files backed up in raw mode (default) cannot be restored by a backup-archive client prior to V5.5, or by a client on another UNIX platform.