efsmgr Command

Purpose

Manages file encryption and decryption for the Encrypted File System (EFS).

Syntax

efsmgr -?

efsmgr -q [-v]

efsmgr -C <cipher> [-v]

efsmgr [ -c <cipher> ] -e <file> [-v]

efsmgr [ -c <cipher> ] [ -s ] -E <dir> [-v]

efsmgr [ -c <cipher> ] -t <file> [-v]

efsmgr [ -c <cipher> ] [ -s ] -T <dir> [-v]

efsmgr -d <file> [-v]

efsmgr [ -s ] -D <dir> [-v]

efsmgr -l <file> [-v]

efsmgr [ -s ] -L <dir> [-v]

efsmgr -a <file> [ -u <user> | -g <group> ] [-v]

efsmgr -r <file> [ -u <user> | -g <group> ] [-v]

Description

The efsmgr command manages file encryption inside EFS. Encrypted files can only be created on EFS-enabled JFS2 file systems. For more information about enabling EFS on your system, see the mkfs, chfs, crfs, and efsenable commands.

There are two ways to create encrypted files: explicitly, by running the following command on an existing file, or implicitly, when inheritance is set on the file system or the directory in which the file is created.
efsmgr -e <file>

When inheritance is set on a directory, all new files created in this directory are encrypted by default. The cipher used to encrypt files is the inherited cipher. New directories also inherit the same cipher. If inheritance is disabled on a subdirectory, the new files created in this subdirectory will not be encrypted.

When inheritance is set on a file system, all new files created in this file system are encrypted using the inherited cipher. If inheritance is set both on a directory and a file system with different ciphers, new files created in this directory will be encrypted using the cipher inherited from the directory.

Setting or removing inheritance on a directory or a file system has no effect on the existing files. The efsmgr command must be used explicitly to encrypt or decrypt files.

The file owner's private key must be loaded into the process before the encrypted file can be created. The access to the encrypted file can be granted to any user or group with a keystore, which is a key repository that contains EFS security information. For more information about managing user and group repositories, see the efskeymgr command.

When an encrypted file is being opened, the Discretionary Access Control (DAC) and the Access Control List (ACL) are checked for the file access permission. If the access is granted, the keys loaded into the kernel for the process are searched for a private key matching one of the file's protection keys. If a matching key is found, the file content can be read, otherwise the access is denied.

Note: This EFS command requires that Role Based Access Control (RBAC) is enabled on the system, which is the default setting.
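The two procedures described above (turning on inheritance, which does not touch existing files, and granting additional users or groups access to an encrypted file) are combined in the following added shell script. It is not part of the AIX documentation or the efsmgr command; it only builds and runs efsmgr command lines from this page. The wrapper functions, the EFSMGR variable (which lets a caller substitute a stub for a dry run), and the u:NAME/g:NAME principal notation are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the AIX efsmgr documentation.
# EFSMGR can be pointed at a stub for a dry run; it defaults to efsmgr.
EFSMGR="${EFSMGR:-efsmgr}"

# efs_enable_inheritance DIR CIPHER [fs]
# Sets inheritance on DIR (or, with a third argument "fs", on the file system
# mounted at DIR using -s), then explicitly encrypts every regular file that
# already exists there, because inheritance only affects files created later.
# Prints the number of files encrypted; returns 1 if any efsmgr call failed.
efs_enable_inheritance() {
    dir=$1; cipher=$2; scope=${3:-dir}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    if [ "$scope" = fs ]; then
        "$EFSMGR" -c "$cipher" -s -E "$dir" || return 1
    else
        "$EFSMGR" -c "$cipher" -E "$dir" || return 1
    fi
    failed=0; count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and special files
        if "$EFSMGR" -c "$cipher" -e "$f"; then
            count=$((count + 1))
        else
            echo "failed to encrypt $f" >&2
            failed=1
        fi
    done
    echo "$count"
    return $failed
}

# efs_grant_access FILE PRINCIPAL...
# PRINCIPAL is "u:NAME" for a user or "g:NAME" for a group (hypothetical
# notation for this example). Each one is added to FILE's EFS access list with
# efsmgr -a, one call per principal, and the resulting key list is shown with
# efsmgr -l. The caller's EFS private key must be loaded (see efskeymgr).
# Returns 1 on the first efsmgr failure, 2 on a malformed principal.
efs_grant_access() {
    file=$1; shift
    [ -f "$file" ] || { echo "not a file: $file" >&2; return 2; }
    for p in "$@"; do
        case $p in
            u:*) "$EFSMGR" -a "$file" -u "${p#u:}" || return 1 ;;
            g:*) "$EFSMGR" -a "$file" -g "${p#g:}" || return 1 ;;
            *)   echo "bad principal '$p' (use u:NAME or g:NAME)" >&2; return 2 ;;
        esac
    done
    "$EFSMGR" -l "$file"
}

# Usage (cipher names taken from the examples on this page):
#   efs_enable_inheritance /home/joe/work AES_256_CBC
#   efs_grant_access /home/joe/work/database.txt u:joe g:maintainers
```

Running the script against a directory that already holds files is the point: `-E` alone would leave those files in clear text, so the loop issues the explicit `-e` that the description says is required.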

Flags

Item Description
-c <cipher> Uses this cipher instead of the inherited or the default cipher. See the -q flag for the valid cipher values.
-g <group> Specifies the group to add to or remove from the EFS access list. The group value can be either the gid or the group name.
-s The operation is targeted to a file system rather than a directory. In this case, the dir parameter must be the mount point of a file system with EFS support.
-u <user> Specifies the user to add to or remove from the EFS access list. The user value can be either the uid or the login name.
-v Verbose mode.
-? Displays the command help and exits.
-a <file> Adds access to the specified file to a list of users and groups specified with the -u and -g flags.
-C <cipher> Changes the default cipher for your user to the cipher value.
-D <dir> Removes the inheritance on the directory. To apply the command on the whole file system, you must add the -s flag.
-d <file> Decrypts the specified file.
-E <dir> Sets the inheritance on the dir directory. To apply the command on the whole file system, you must add the -s flag.
-e <file> Encrypts the specified file.
-L <dir> Displays the inherited cipher on the specified directory.
-l <file> Lists the encryption information of the specified file: cipher, and keys that can decrypt the file.
-q Displays a list of supported ciphers.
-r <file> Revokes access to the specified file from the users and groups specified with the -u and -g flags.
-T <dir> Changes the inherited cipher on the specified directory. To apply the command on the complete file system, you must add the -s flag.
-t <file> Refreshes the encryption keys of the specified file. This can also be used to change the file cipher.

Exit status

Item Description
0 The command executed successfully.
1 An error occurred during the execution of the command.
2 A syntax error occurred on the command line.

Examples

  1. To encrypt the database.txt file using a strong cipher, enter:
    efsmgr -e database.txt -c AES_256_CBC
  2. To display the list of keys that can open the file, enter:
    efsmgr -l database.txt
  3. To add access to user joe and to group maintainers to the file, enter:
    efsmgr -a database.txt -u joe -g maintainers
  4. To set the inheritance on the file system of the home directory, enter:
    efsmgr -c AES_128_CBC -s -E /home

Files

Item Description
/etc/security/user Contains the default cipher attributes for the user.