How to work with AIX Encrypted File Systems (EFS) – Part 1
mhhaque
We should have an understanding of cryptography before we go through the AIX Encrypted File Systems (EFS). Here are the fundamentals and terminology of cryptography:
Two main types of encryption are used to encrypt and decrypt a message:
A message that is encrypted using a public key can only be decrypted using the corresponding private key; likewise, a message encrypted using a private key can be decrypted using the corresponding public key.
AIX Encrypted File System (EFS):
AIX Encrypted File System (EFS) provides JFS2 filesystem-level encryption through individual keystores. It encrypts files in order to protect confidential data from attackers with physical access to the computer.
Encrypted File Systems (EFS) employ both symmetric and asymmetric encryption techniques for the encryption.
EFS command-line tools & terminology:
Each user on the system has their own keystore, where the user's public and private keys are stored. This keystore can be protected by a separate password, or it can be synchronized so that it is protected by the normal login password.
Keystores have two administration modes:
admin mode: An EFS administrator with the aix.security.efs RBAC authorization and the access key to the admin keystore can open the keystore for management, including password reset, key regeneration, access key addition or removal, and so on.
guard mode: The EFS administrator cannot get access to the keystore. In this mode, if the password to the keystore is lost, there is no possible recovery of the private key.
Each file is encrypted with a unique, symmetric (AES) key (also known as secret key). For each user or group that is authorized to view the encrypted file, the symmetric key is then itself encrypted with the user/group's public key from its keystore, and that user-specific encrypted version of the key is stored in the file's extended attributes (EAs). That is, there will be one EA for each user and group that has access to the file in question.
Extended Attributes (EAs):
Every file on an AIX filesystem has associated metadata. "Metadata" is information about a file: the user ID of the file's owner, permissions, file type (special, regular, named pipe, etc.), which disk blocks the file uses, and so on.
The JFS2 v2 filesystem supports extended attributes and additional metadata can be stored in extended file attributes.
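The key layout described above (one AES key per file, with a copy of that key wrapped under each authorized user's public key and kept as a per-user entry) can be modelled with OpenSSL. This is an added illustration, not AIX EFS code and not from the original article; the user names, file names and the `.priv`, `.pub` and `.ea.<user>` suffixes are constructed for the example.

```shell
#!/bin/sh
# Added illustration: models the EFS key layout with OpenSSL, not the AIX code.
# User names, file names and suffixes (.priv, .pub, .ea.<user>) are constructed.

# RSA key pair standing in for one user's keystore.
make_keystore() {                      # $1 = user
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1.priv" 2>/dev/null &&
    openssl pkey -in "$1.priv" -pubout -out "$1.pub"
}

# Encrypt a file with an AES-256 key and IV generated for that file only.
encrypt_file() {                       # $1 = plaintext file
    openssl rand -hex 32 > "$1.key" &&
    openssl rand -hex 16 > "$1.iv" &&
    openssl enc -aes-256-cbc -K "$(cat "$1.key")" -iv "$(cat "$1.iv")" \
        -in "$1" -out "$1.enc"
}

# Wrap the file key with a user's public key: the analogue of one EA entry.
grant_access() {                       # $1 = file, $2 = user
    openssl pkeyutl -encrypt -pubin -inkey "$2.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$1.key" -out "$1.ea.$2"
}

# Unwrap the file key with the user's private key, then decrypt to stdout.
read_as() {                            # $1 = file, $2 = user
    [ -f "$1.ea.$2" ] || { echo "no key entry for $2" >&2; return 1; }
    k=$(openssl pkeyutl -decrypt -inkey "$2.priv" \
        -pkeyopt rsa_padding_mode:oaep -in "$1.ea.$2") || return 1
    openssl enc -d -aes-256-cbc -K "$k" -iv "$(cat "$1.iv")" -in "$1.enc"
}

# Constructed walk-through: user01 is granted access, user02 is not.
efs_model_demo() (
    cd "$(mktemp -d)" || exit 1
    make_keystore user01 && make_keystore user02 || exit 1
    printf 'constructed report text\n' > dailyreport
    encrypt_file dailyreport && grant_access dailyreport user01 || exit 1
    rm -f dailyreport dailyreport.key  # keep only ciphertext and wrapped key
    read_as dailyreport user01 || exit 1
    ! read_as dailyreport user02 2>/dev/null
)
```

Running `efs_model_demo` prints the plaintext for user01 and returns success only if user02, who has no wrapped-key entry, is refused.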
efsenable: The /etc/security/user and /etc/security/group files are updated with new EFS attributes on execution of this command.
-a activates the EFS capability on a system.
-q displays the list of available algorithms.
efskeymgr:
-o ksh: loads the keystore file
-v or -V: displays the keystore file in var (-v) or the loaded keystore (-V)
-k <user or group / name> -s <user,group/name>: add -k value to -s value
-k <user or group/name> -S <user,group/name>: remove -S value from -k value
-n generates a new keystore password
-R generates a new private key; this causes the current private key to be deprecated
-C creates the keystore of the specified group.
efsmgr:
-E sets encryption inheritance on the specified directory.
-L displays the inherited cipher on the specified directory.
-l lists the keys in a file's metadata.
-a adds encoded symmetric keys to a file's metadata.
-r removes encoded symmetric keys from a file's metadata.
Encrypted File System (EFS) Prerequisites:
The following prerequisites must be met:
Working with Encrypted File System (EFS):
To enable EFS on AIX, run the following:
# efsenable -a
To verify the /var/efs directories that are created to facilitate EFS:
To create an EFS filesystem on AIX:
# smitty crjfs2std
Note: We can create the same file system through the command line as well.
# crfs -v jfs2 -g rootvg -m /appsefs -a size=100M -a efs=yes
Note: This creates three separate keystores for these three users in the /var/efs/users directory:
# ls -a /var/efs/users
To create keystores for the groups with EFS:
# efskeymgr -C
# ls -la /var/efs/groups
Note: The keystore for a user is created when the user's password is set, but we need to run the efskeymgr command to create the keystore for each group. For example, user04 has no keystore file and no user04 directory in /var/efs/users until we set the password for user04.
We have created an EFS filesystem, /aixefs, and are going to mount that filesystem:
To create an EFS directory:
# cd /aixefs
# mkdir myreport
# efsmgr -E myreport
# efsmgr -L myreport
Note: The encryption inheritance for the file system
To list an encrypted file in EFS:
# ls -U dailyreport
The "e" means that "dailyreport" is encrypted, and no one other than the owner who possesses the keystore can access and read its content.
Note: user01 is considered other and can't read the dailyreport file, even though other has read permission in the DAC permissions.
To list the encryption attributes of an encrypted file in EFS:
# efsmgr -l dailyreport
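We can change the cipher and other attributes of a file. The example below uses AES_192_ECB; ECB mode encrypts identical plaintext blocks to identical ciphertext blocks, so prefer a CBC cipher from the efsenable -q list where one is available. To change the attributes when encrypting a single file: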
# cd /aixefs
# ls -U
# efsmgr -c AES_192_ECB -e todayreport
# ls -U todayreport
# efsmgr -l todayreport
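A file created in an EFS filesystem stays in cleartext unless it inherits encryption from its directory or is encrypted explicitly with efsmgr -e, so it is worth checking a directory for files that lack the "e" flag. The script below is an added example, not part of the original article: it filters an `ls -U` listing for regular files that are not encrypted, assuming the flag is the 11th character of the mode string and the file name starts at field 9. The sample listing is constructed.

```shell
#!/bin/sh
# Added example: list regular files that an `ls -U` listing shows as NOT
# encrypted. Assumes the AIX `ls -U` layout: an 11th mode character
# ("e" = encrypted) followed by the usual `ls -l` columns, with the
# file name starting at field 9.

unencrypted_files() {
    awk '
        /^total / { next }                      # skip the summary line
        substr($1, 1, 1) != "-" { next }        # regular files only
        substr($1, 11, 1) != "e" {
            name = $9                           # rebuild names with spaces
            for (i = 10; i <= NF; i++) name = name " " $i
            print name
        }
    '
}

# Constructed sample listing (not captured from a real system).
sample_listing() {
    cat <<'EOF'
total 16
-rw-r--r--e    1 root     system           42 Mar 01 10:15 dailyreport
-rw-r--r---    1 root     system           18 Mar 01 10:20 todayreport
drwxr-xr-x-    2 root     system          256 Mar 01 10:10 myreport
-rw-r-----e    1 user02   staff           310 Mar 01 10:25 q1 summary
-rw-r--r---    1 user01   staff            77 Mar 01 10:30 notes.txt
EOF
}

# Run the filter over the constructed listing.
audit_sample() { sample_listing | unencrypted_files; }
```

On a live system, `ls -U /aixefs | unencrypted_files` applies the same filter to a real directory.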