Encrypted File System usability

Encrypted File System (EFS) key management, file encryption, and file decryption are transparent to users in normal operations.

EFS is part of the base AIX operating system. To enable EFS, root (or any user with the RBAC aix.security.efs authorization; see EFS actors for more information) must use the efsenable command to activate EFS and create the EFS environment. This is a one-time system enablement. After EFS is enabled, when a user logs in, that user's key and keystore are silently created and protected (encrypted) with the user's login password. The user's keys are then used silently by the J2 file system when encrypting or decrypting EFS files. Every EFS file is protected with its own unique file key, and this file key is in turn protected (encrypted) with the file owner's key or the group's key, depending on the file permissions. Because the keystore is unlocked with the login password, a user's keys are available only in a session that was opened with that password.

By default, a J2 file system is not EFS-enabled. When it is EFS-enabled, the J2 file system transparently manages encryption and decryption in the kernel for read and write requests. User and group administration commands (such as mkgroup, chuser, and chgroup) transparently manage the users' and groups' keystores.
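The key hierarchy the two paragraphs above describe (login password protects the keystore, the keystore holds the user's and group's keys, each file has its own key wrapped under the owner's key and, where permissions allow, the group's key) is easier to reason about with a small model. The following Python script is an added illustration written for this page; it is not AIX source and does not describe EFS on-disk formats. The Keystore and EncryptedFile classes, the key names and the passwords are invented, a keyed-hash counter-mode construction stands in for the AES file cipher, and symmetric keys stand in for the RSA user and group keys that AIX uses. What it shows is the consequence of the layering: changing a login password re-wraps only the keystore and touches no file, a group member opens a group-readable file with no per-user grant, and a user outside the group cannot.

```python
"""Toy model of the EFS key hierarchy described above (added example, not AIX code).

login password -(PBKDF2)-> keystore key -> wraps the user's and group's keys
user or group key -> wraps the per-file key -> encrypts the file contents
An HMAC-SHA256 counter-mode construction stands in for AES so that only the
standard library is needed; it is a teaching stand-in, not a cipher to deploy.
"""
import hashlib
import hmac
import os


def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (toy cipher, see module doc)."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Every layer uses this one primitive."""
    nonce = os.urandom(16)
    ct = _stream(kek, nonce, secret)
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError on a wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return _stream(kek, nonce, ct)


def kek_from_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Keystore:
    """A user's keystore: keys are stored only wrapped under the password-derived key."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.wrapped = {}                      # key name -> wrapped key bytes
        self.add_key(password, "user", os.urandom(32))

    def add_key(self, password: str, name: str, key: bytes) -> None:
        self.wrapped[name] = wrap(kek_from_password(password, self.salt), key)

    def open(self, password: str) -> dict:
        """What login does: unlock every key with the login password (in memory only)."""
        kek = kek_from_password(password, self.salt)
        return {name: unwrap(kek, blob) for name, blob in self.wrapped.items()}

    def change_password(self, old: str, new: str) -> None:
        """Re-wraps the keystore only; no file key and no file content is touched."""
        keys = self.open(old)
        self.salt = os.urandom(16)
        kek = kek_from_password(new, self.salt)
        self.wrapped = {name: wrap(kek, k) for name, k in keys.items()}


class EncryptedFile:
    """Unique per-file key, wrapped for the owner and, if group-readable, for the group."""

    def __init__(self, content: bytes, owner_key: bytes, group_key=None):
        file_key = os.urandom(32)              # never reused by another file
        self.ciphertext = wrap(file_key, content)
        self.wrapped_file_keys = [wrap(owner_key, file_key)]
        if group_key is not None:
            self.wrapped_file_keys.append(wrap(group_key, file_key))

    def read(self, opened_keys: dict) -> bytes:
        """Try every unlocked key against every wrapped copy of the file key."""
        for key in opened_keys.values():
            for blob in self.wrapped_file_keys:
                try:
                    return unwrap(unwrap(key, blob), self.ciphertext)
                except ValueError:
                    continue
        raise PermissionError("no key in this keystore unwraps the file key")


def demo() -> dict:
    """Constructed scenario: alice owns two files, bob shares a group key with her, carol does not."""
    alice, bob, carol = Keystore("alice-pw"), Keystore("bob-pw"), Keystore("carol-pw")
    staff_key = os.urandom(32)                 # group key, loaded into member keystores
    alice.add_key("alice-pw", "staff", staff_key)
    bob.add_key("bob-pw", "staff", staff_key)
    owner_key = alice.open("alice-pw")["user"]
    private = EncryptedFile(b"owner only", owner_key)
    shared = EncryptedFile(b"group readable", owner_key, staff_key)
    alice.change_password("alice-pw", "alice-pw-2")   # files are not re-encrypted
    results = {
        "owner_reads_private": private.read(alice.open("alice-pw-2")) == b"owner only",
        "member_reads_shared": shared.read(bob.open("bob-pw")) == b"group readable",
    }
    try:
        shared.read(carol.open("carol-pw"))
        results["outsider_denied"] = False
    except PermissionError:
        results["outsider_denied"] = True
    try:
        alice.open("alice-pw")                 # old password no longer opens the keystore
        results["old_password_rejected"] = False
    except ValueError:
        results["old_password_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Run it with `python3 efs_model.py` (the file name is arbitrary); all four entries in the returned dictionary are True. The point to take from the model is operational: a password change is cheap because only the keystore is re-wrapped, and the file key, not the user key, is what protects the data, so revoking a user's access to an existing file requires re-wrapping that file's key rather than changing the user's password.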

The following EFS commands are provided so that users can manage their keys and file encryption:
efskeymgr
    Manages and administers the keys.
efsmgr
    Manages the encryption of files, directories, and file systems.