Full or restricted access as root
Root access to the keys can be unlimited or limited. In either mode, it is not possible for root to simply su to a user and gain access to that user's encrypted files or keystore.
In one mode, root can reset the user's keystore password, and may thereby gain access to the user's keys within this keystore. This mode provides greater system administration flexibility.
In the other mode, root can reset the user's logon password but cannot reset the user's keystore password. It is not possible for root to substitute user (with the su command) and inherit an open keystore. While root can create and delete users and groups, along with their associated keystores, root cannot gain access to the keys within these keystores. This mode provides a greater degree of protection against an attack by a malicious root.
There are two modes for managing and using keystores, Root Admin and Root Guard. An EFS administration key is also provided.
The EFS administration key allows the password of every keystore in Root Admin mode to be reset. This key is located in the efs_admin special keystore. Access to the efs_admin special keystore is granted only to authorized users (the root user and the security group at installation, or holders of the RBAC aix.security.efs authorization).
When a keystore is in Root Guard mode, the keys contained in this keystore cannot be retrieved without the correct keystore password. This provides strong security against a malicious root, but can also cause problems if a user forgets their password: there is no way to regenerate the password without losing the keys in the keystore, and the user can no longer access their data as a result. In this keystore mode, some operations cannot be performed immediately and are scheduled as pending operations. These pending operations are generated in cases such as adding or removing a group access key in a user keystore, or regenerating a private key. They are managed by the keystore owner.