EFS on AIX was designed so that each file is encrypted with a unique key. The cryptographic information is kept in file-extended attributes. EFS uses Extended Attributes (EA) Version 2. EFS is built into the enhanced journaled file system (JFS2) — it is not a new file system. You can create EFS on a new file system or enable it on a new file system. EFS is only meant for the encryption of data file systems, not for system-based file systems (such as /var and /opt).
You can perform encryption on the entire file system by switching on Inheritance, or by doing it per file.
A key store is used to access data with password protection. This password can be the login password or a different password that root cannot access. - Source
Each user on the system will have its own keystore where its public and private keys are stored. This keystore can be protected by a separate password or can be synchronized such that it's protected by the normal login password. I believe this is a system-wide setting, and the default is to synchronize the passwords. User keystores are located in /var/efs/users/<username>
If a user is explicitly granted access to act as a specific group in relation to EFS (in addition to being assigned to that group at the OS level), the group's private and public keys will also be copied into the user's keystore.
Groups also have their own keystores, located in /var/efs/groups/<groupname>.
Each file is encrypted with a unique, symmetric (AES) key. For each user or group that is authorized to view the encrypted file, the symmetric key is then itself encrypted with the user/group's public key from its keystore, and that user-specific encrypted version of the key is stored in the file's extended attributes (EAs). That is, there will be one EA for each user and group that has access to the file in question. (See section 2.4 of the AIX V6 Advanced Security Redbook.)
Requirements & Constraints
- AIX 6.1
- CryptoLite in C (CliC) cryptographic library needs to be installed.
- Enable Role Based Access Control (RBAC)
- Explicitly enable the system to use EFS. (efsenable command)
- Restriction: You cannot export the EFS through NFS.
Tips & Specific Commands
- If you wish to de-synchronize your keystore password from your login password, or simply to change your keystore password, run the following command:
- Even with keystore passwords synchronized to user login passwords, your shell session does not automatically "load" your user's keys unless you've actually entered that password. In particular, if you authenticate via SSH keys, you'll have to explicitly load a new shell in a manner which forces you to enter your password. One way to do this, using the EFS commands, is:
efskeymgr -o ksh
You'll be prompted for the user's "EFS password", which in this case is simply the login password.
- In the same manner, if you use "sudo su - " to switch to another user, you will not load that user's keys. But if you use "su - ", where you are forced to provide the user's password, you will load its keys. That is, you have to know a user's password if you want to act as that user and have access to its EFS files/directories. In particular, if you want to start a process which runs as that user and needs access to encrypted locations.
Note: based on this article which I've only recently seen and haven't yet fully parsed, those last two items may no longer be true starting with AIX 6.1 TL4.