Question & Answer
Question
How can I get all files in a particular directory or filesystem to be encrypted automatically?
Answer
The AIX Encrypted File System (EFS) has a concept called "inheritance". Inheritance is a property of an EFS filesystem mount point or directory that forces any new file created inside it to be encrypted automatically, using the directory's cipher. Inheritance is also passed on to any new subdirectory created after it is enabled. Only files created after that point are affected; files that already existed in the directory are not encrypted by enabling inheritance.

When an EFS filesystem is initially created, inheritance is not enabled. To enable inheritance, use the "-E" flag of the /usr/sbin/efsmgr command.

To enable inheritance on an entire filesystem:

# efsmgr -s -E /encr

and on a single directory:

# efsmgr -E mydir

To check inheritance, use the "-L" flag. Here we are checking the inheritance on a filesystem:

# efsmgr -s -L /encr
EFS inheritance is set with algorithm: AES_128_CBC

and on a directory:

# efsmgr -L mydir
EFS inheritance is set with algorithm: AES_128_CBC

/usr/bin/ls will also show it:

# ls -lUd /encr
drwxr-xr-xe 3 root system 256 Apr 09 15:06 /encr

The "e" in the 11th column means that a file is encrypted or that inheritance is enabled on a directory.

Disabling inheritance does not decrypt any files already in the directory or filesystem; however, any new files created there will not be encrypted. Use the "-D" option of the efsmgr command to disable encryption inheritance.

To disable inheritance on a filesystem:

# efsmgr -s -D /encr

and on a directory:

# efsmgr -D mydir

Note that ls now no longer shows the "e", and efsmgr -L reports that the attribute is absent:

# ls -lUd /encr
drwxr-xr-x- 3 root system 256 Apr 09 15:06 /encr
# efsmgr -s -L /encr
Error getting EFS attributes: Cannot find the requested security attribute.

If a directory has inheritance enabled and a user does not have their encryption keys loaded, that user will not be able to create new files in the directory or read existing encrypted files from it. This assumes the user has already passed the normal filesystem permission checks for owner, group and other and is otherwise allowed to perform the operation. In the following session the first "touch" fails because no key is loaded in the process; once the user's key is loaded, the same command succeeds and the new file is created encrypted:

$ efskeymgr -V
There is no key loaded in the current process.
$ cd /encr
$ touch newfile
touch: 0652-046 Cannot create newfile.
$ efskeymgr -V
List of keys loaded in the current process:
 Key #0:
 Kind ..................... User key
 Id (uid / gid) ........... 200
 Type ..................... Private key
 Algorithm ................ RSA_1024
 Validity ................. Key is valid
 Fingerprint .............. 507efc16:1a167367:66e01b5f:6abf5018:d3e1b9e9
$ cd /encr
$ touch newfile
$ ls -lU
total 16
-rw-r--r--e 1 mike staff 0 Apr 09 17:01 newfile
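Because inheritance only covers files created after it was switched on, and disabling it leaves already-encrypted files in place, a directory under an EFS mount can hold a mix of encrypted and cleartext files. The following POSIX shell script is an added example, not part of the IBM page: it classifies lines of "ls -lU" output by the 11th mode character described above ("e" = encrypted file or inheriting directory, "-" = neither) and counts regular files that are still cleartext. The listing it runs against is constructed sample data; on AIX you would pipe "ls -lU /encr" into efs_audit instead. The function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the IBM page): audit "ls -lU" output for the
# AIX EFS flag in the 11th mode column. Runs offline on constructed
# sample output; on AIX pipe real "ls -lU <dir>" output into efs_audit.

# Classify one "ls -lU" line by entry type (column 1) and EFS flag (column 11).
efs_classify() {
    line=$1
    etype=$(printf '%s\n' "$line" | cut -c1)
    flag=$(printf '%s\n' "$line" | cut -c11)
    case "$etype$flag" in
        de) echo "directory:inheritance" ;;
        d*) echo "directory:no-inheritance" ;;
        -e) echo "file:encrypted" ;;
        -*) echo "file:cleartext" ;;
        *)  echo "other" ;;
    esac
}

# Read "ls -lU" output on stdin and print "<class> <name>" per entry,
# skipping the "total" header and blank lines.
efs_audit() {
    while IFS= read -r line; do
        case "$line" in
            total*|"") continue ;;
        esac
        cls=$(efs_classify "$line")
        name=$(printf '%s\n' "$line" | awk '{print $NF}')
        printf '%-24s %s\n' "$cls" "$name"
    done
}

# Constructed sample: an inheriting subdirectory, one file created before
# inheritance was enabled (still cleartext), one created after (encrypted).
SAMPLE_LISTING='total 16
drwxr-xr-xe 2 mike staff  256 Apr 09 17:00 subdir
-rw-r--r--- 1 mike staff 1024 Apr 09 16:50 oldfile
-rw-r--r--e 1 mike staff    0 Apr 09 17:01 newfile'

# Number of regular files in the sample that are not encrypted.
efs_cleartext_count() {
    printf '%s\n' "$SAMPLE_LISTING" | efs_audit |
        awk '/^file:cleartext/ { n++ } END { print n + 0 }'
}

# Stand-alone run: show the audit and the cleartext count for the sample.
printf '%s\n' "$SAMPLE_LISTING" | efs_audit
echo "cleartext files: $(efs_cleartext_count)"
```

On the sample the audit flags "oldfile" as cleartext. Files found that way need to be encrypted explicitly, since neither enabling nor disabling inheritance changes files that already exist.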
Document Information
Modified date:
06 December 2019
UID
isg3T1012183