• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 946
  • Last Modified:

encripted filesystem on AIX

OK, my boss asked me (once again) :-)

- Make an encrypted filesystem to be accesed ONLY to one user (not even root) to hold some sources files. Question:

How can I make this filesystem? Please, I know there's a redbook about this, I just want a simple step by step (if possible) tutorial to do the homework.

  • 3
  • 2
2 Solutions
Hi again,

setting up EFS is fairly straightforward but, to be honest, at the moment I have no idea how to protect against root access.

I know for sure that it's possible, but I admit I'll have to study a bit, because I never had that requirement.

OK, first steps -

1) You need AIX 6.1.

2) You need the clic filesets clic.rte.kernext and clic.rte.lib

3) Enable EFS with "efsenable -a" as root. This will prompt you for the password for the initial keystore and will then set up the required environment.

4) Create your filesystem using the "efs=yes" attribute or choose "Enable EFS? - Yes" when using smitty.

5) To have all newly created files encrypted in your new FS (inheritance) issue "efsmgr -s -E /mountpoint"

6) To work with files/directories there you must load the keys beforehand. This is done via

efskeymgr -o "command"

"command" can be a shell!

So far for root. I use EFS only for root up to now (and not exhaustively - that's to say only for very few files).

As I said, I'll have to study how to set up EFS for a normal user and how to protect against root access.
But don't worry - you know I'm curious enough so I'll find it out!

CU tomorrow!



the non-root user thing is fairly easy, as it seems.

My difficulties resulted from the fact that I didn't realize that initial keystores are only created by "efsenable" for users in the "security" group.
Keystores for other users are created when running the "passwd" command for them. Hard to find!

So the approach is:

- Run "efsenable -a"

- Create an EFS enabled filesystem for your user (I'll call them "secretuser" below). Set inheritance so unencrypted files cannot be placed into this FS (4. and 5. above). Set ownership/permissions so they can access it.
- Have your user change their password. The new password will also become the EFS password of the user. In the future both passwords can be changed independently.

-- The UNIX password is changed as usual with "passwd"
-- The EFS password is changed with "efskeymgr -n" (password will be prompted).

- Protect the user's keystore from being administered/changed by root or other admins with "efskeymgr -k user/secretuser -r guard" (as root) or have the user do it themselves with "efskeymgr -r guard". In both cases they will be prompted for their EFS password. This setting can be revoked only by "secretuser with "-r admin", not by root or by anybody else. - So if the password is lost all encrypted files of that user are lost (since not decryptable by anybody)

Now you can neither read nor create or modify files/dirs below your new FS without the kystore being loaded beforehand.

This is done with efskeymgr -o "command" where "command" can be a shell.

Files/dirs created by secretuser can only be read/modified by this user. Attention: File removal is subject to regular Unix permissions and is not controlled by EFS (at least as far as I have seen up to now).

OK, at the moment that's all I know (or so). If you have further questions - don't worry, we'll find the answer.

Fadi SODAH (aka madunix)Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP and CCIPCommented:
As said above in AIX 6.1 you could place the file into an encrypted file system for more details look @
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

sminfoAuthor Commented:

Sorry the delay, but I'm extremely busy now... I'll let you know soon what you say above.

sminfoAuthor Commented:
I have setup EFS and everything is working fine.. but I want to know if it's possible to a user, let say root work with the EFS's filesystem (/secure) without asking the passwd of the keystore? I mean with the command efskeymgr -o ksh, for example?

efskeymgr -o ksh will ask you once for the keystore password and then start a ksh for you.
You will be able to work with your encrypted files without being asked for the password again until you leave this shell.

As far as I know there is no possibility to load the keystore directly at login without being asked for a password, although I heard rumours that this should be possible if the keystore password was the same as the login password - but I never got it to work.
Maybe you're lucky with this - should you find a way please let me know!



Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now