Setting up the Encrypted File System
These steps must be completed first, and in this order, before EFS can be used on the system.
- Install the clic.rte fileset. This fileset contains the cryptographic libraries and kernel extension required by EFS. The clic.rte fileset can be found on the AIX Expansion Pack.
- Enable EFS on the system with the efsenable command (for example, efsenable -a). When prompted for a password, it is reasonable to use the root password. User keystores are created automatically when the user logs in, or logs in again, after the efsenable command has been run. Once efsenable -a has been run on a system, the system is EFS-enabled and the efsenable command does not need to be run again.
- Create an EFS-enabled filesystem with the -a efs=yes option. For example:
crfs -v jfs2 -m /foo -A yes -a efs=yes -g rootvg -a size=20000
- After mounting the filesystem, turn on cryptographic inheritance on the EFS-enabled filesystem. This is done with the efsmgr command. To continue the previous example, where the filesystem /foo was created, run the following command:
efsmgr -s -E /foo
This causes every file created and used in this filesystem to be an encrypted file.
From this point forward, when a user or process with an open keystore creates a file on this filesystem, the file is encrypted. When a user or process reads the file, it is automatically decrypted for users who are authorized to access it.
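The following script is an added example, not IBM's code and not part of the original page. It wraps the four setup steps above in one function that stops at the first failure, and adds the check a practitioner wants afterwards: confirming that files on the new filesystem really carry the EFS attribute rather than trusting that inheritance took effect. The setup function assumes an AIX system with the commands the page names (lslpp, efsenable, crfs, mount, efsmgr); the verification helpers assume that `ls -U -l` reports the EFS attribute as an `e` in the 11th character of the mode field, and run on constructed sample output so they can be exercised off an AIX box.

```shell
#!/bin/sh
# Added example (not from the original page). Values /foo, rootvg and
# size=20000 are the ones the page uses; override them via the environment.
FS="${FS:-/foo}"
VG="${VG:-rootvg}"
SIZE="${SIZE:-20000}"

# Step 1 check: the clic.rte fileset must be installed before EFS can work.
# lslpp -L returns non-zero when the fileset is not installed.
check_clic() {
    lslpp -L clic.rte >/dev/null 2>&1
}

# Steps 2 to 4 from the page, in order. efsenable -a prompts for a password
# and only needs to be run once per system; crfs/mount/efsmgr create,
# mount and enable inheritance on the EFS filesystem.
setup_efs_fs() {
    check_clic || {
        echo "clic.rte is not installed; install it from the AIX Expansion Pack" >&2
        return 1
    }
    efsenable -a || return 1
    crfs -v jfs2 -m "$FS" -A yes -a efs=yes -g "$VG" -a size="$SIZE" || return 1
    mount "$FS" || return 1
    efsmgr -s -E "$FS"
}

# Verification helper. Given one line of `ls -U -l` output, succeed only if
# the 11th character of the mode field is 'e' (assumption: that is where
# AIX ls -U reports the EFS encryption attribute).
is_encrypted_line() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    [ "$(printf '%s' "$mode" | cut -c11)" = "e" ]
}

# Read `ls -U -l` output on stdin and print "<encrypted> <plain>" counts for
# regular files only (directories, symlinks and the "total" line are skipped).
# A non-zero second number after inheritance was enabled is worth investigating.
count_encrypted() {
    enc=0
    plain=0
    while IFS= read -r line; do
        case "$line" in
            -*)
                if is_encrypted_line "$line"; then
                    enc=$((enc + 1))
                else
                    plain=$((plain + 1))
                fi
                ;;
        esac
    done
    echo "$enc $plain"
}

# Constructed sample output (not captured from a real system): one encrypted
# file, one plain file, one directory.
SAMPLE='total 16
drwxr-xr-x-    2 root     system          256 Jan 01 12:00 .
-rw-r--r--e    1 alice    staff           512 Jan 01 12:01 secret.txt
-rw-r--r---    1 alice    staff           128 Jan 01 12:02 plain.txt'

# Usage: ./efs_setup.sh --setup   to run the procedure on AIX, or
#        ./efs_setup.sh           to run the verifier over the sample output.
# On a real system: ls -U -l /foo | count_encrypted
if [ "${1:-}" = "--setup" ]; then
    setup_efs_fs
else
    printf '%s\n' "$SAMPLE" | count_encrypted
fi
```

The verifier deliberately counts rather than just listing: after `efsmgr -s -E /foo` every new regular file should be encrypted, so any file in the "plain" count was either created before inheritance was turned on or by a process without an open keystore, and either case deserves a look.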
See the following for more information:
- chfs, chgroup, chuser, cp, efsenable, efskeymgr, efsmgr, lsuser, ls, mkgroup, mkuser, and mv commands
- /etc/security/group and /etc/security/user files