IBM Support

Backing Up EFS Filesystems

Question & Answer


Question

Does the backup utility understand how to back up EFS encrypted filesystems and files?

Answer

Yes, savevg, savewpar and the backup command can back up and restore encrypted files from an EFS filesystem.

Further, these commands do not need to be allowed to read the files they are backing up. Read access would require each file to have the EFS public key of the user performing the backup assigned to it.

The encryption keys are not needed because the backup command uses raw mode I/O, opening the files with open64x(O_RAW). It saves them to the backup medium in raw, encrypted form, which safeguards the data.


Using The Backup Command

To allow the backup command to use raw mode for encrypted files, you must include the -Z flag.

Here's an example:

# more myfile
myfile: Security Authentication Denied

So my user environment doesn't have the proper encryption keys to read the file "myfile". If I attempt to back it up without adding the -Z flag, backup will try to open the file and fail. This is because a process needs to have the encryption keys loaded into its environment to open, and therefore decrypt, a file:

# find . -print | backup -ivqf /tmp/testbackup

Backing up to /tmp/testbackup
Cluster 51200 bytes (100 blocks).
Volume 1 on /tmp/testbackup
a            0 .
a            0 ./lost+found
a            0 ./encryptdir
cannot open ./encryptdir/myfile: Security Authentication Denied
cannot open ./encryptdir/newfile: Security Authentication Denied
a            0 ./encryptdir/newtmp
a            0 ./encryptdir/zerofile
a            0 ./tmpdir
a      7004268 ./b.out
    total size: 7005770
Done at Wed Feb 25 09:19:24 2009; 13700 blocks on 1 volume(s)

Now if I back it up adding -Z it will copy the encrypted file without trying to open (decrypt) it:

# find . -print | backup -iZvqf /tmp/testbackup

Backing up to /tmp/testbackup
Cluster 51200 bytes (100 blocks).
Volume 1 on /tmp/testbackup
a            0 .
a            0 ./lost+found
a            0 ./encryptdir
a         4096 ./encryptdir/myfile
a         4096 ./encryptdir/newfile
a            0 ./encryptdir/newtmp
a            0 ./encryptdir/zerofile
a            0 ./tmpdir
a      7004268 ./b.out
    total size: 7012460
Done at Wed Feb 25 09:22:16 2009; 13800 blocks on 1 volume(s)
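
A check a backup job can run on the saved output, as an added example that is not part of the original IBM document: it flags files the backup skipped for lack of EFS keys, since the run without -Z still ends with a normal "Done" line. The function names are hypothetical, the sample log is copied from the first listing above, and the log is assumed to contain both standard output and standard error of backup.

```shell
#!/bin/sh
# Added example: audit saved `backup -v` output for EFS files that were skipped.

# Sample input: the output of the run without -Z, copied from the listing above.
sample_log() {
cat <<'EOF'
Backing up to /tmp/testbackup
Cluster 51200 bytes (100 blocks).
Volume 1 on /tmp/testbackup
a            0 .
a            0 ./lost+found
a            0 ./encryptdir
cannot open ./encryptdir/myfile: Security Authentication Denied
cannot open ./encryptdir/newfile: Security Authentication Denied
a            0 ./encryptdir/newtmp
a            0 ./encryptdir/zerofile
a            0 ./tmpdir
a      7004268 ./b.out
    total size: 7005770
Done at Wed Feb 25 09:19:24 2009; 13700 blocks on 1 volume(s)
EOF
}

# Paths the backup could not open because no EFS keys were loaded (stdin: log).
efs_skipped() {
    sed -n 's/^cannot open \(.*\): Security Authentication Denied$/\1/p'
}

# Paths the log reports as archived, i.e. lines of the form "a <size> <path>".
archived() {
    awk '$1 == "a" && $2 ~ /^[0-9]+$/ { sub(/^a +[0-9]+ /, ""); print }'
}

# Exit status 0 if nothing was skipped, 1 otherwise; the report goes to stderr.
audit_backup_log() {
    skipped=$(efs_skipped)
    [ -z "$skipped" ] && return 0
    echo "Encrypted files missing from the archive (rerun backup with -Z):" >&2
    echo "$skipped" | sed 's/^/  /' >&2
    return 1
}

# Demo on the sample: report the two skipped files, then count archived entries.
sample_log | audit_backup_log || echo "audit: archive is incomplete"
echo "archived entries: $(sample_log | archived | wc -l | tr -d ' ')"
```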


Using Savevg With Encrypted Files

The savevg, savewpar and mksysb commands by default will call /usr/sbin/backup and include the -Z flag in order to allow backups of any encrypted files that happen to exist in the filesystems.

However, when using savevg you must disable "software packing" of the backup. Software packing compresses the files in the backup, which requires reading them; with encrypted files that read fails, and the files are not backed up. To disable software packing add the -p flag on the command line, or in smitty savevg use:


Disable software packing of backup?          yes               +

If this value is set to "no" (or -p is NOT used on the command line), savevg will fail with output similar to:

/usr/bin/savevg[2489]: 614434 Killed

0512-005 savevg: Backup Completed.
        The backup command completed with errors.
        The messages displayed on Standard Error contained additional
        information.


NOTE: Archives created with the -Z option can be restored only on AIX 6.1 or later releases.


Document Information

Modified date:
17 June 2018

UID

isg3T1011397