

Encrypted filesystem on AIX

Posted on 2010-11-11
Last Modified: 2013-11-17
OK, my boss asked me (once again) :-)

- Make an encrypted filesystem to be accessed ONLY by one user (not even root) to hold some source files.

Question: How can I make this filesystem? Please, I know there's a redbook about this, I just want a simple step-by-step (if possible) tutorial to do the homework.

Question by: sminfo
LVL 68

Accepted Solution

woolmilkporc earned 2000 total points
ID: 34115634
Hi again,

setting up EFS is fairly straightforward but, to be honest, at the moment I have no idea how to protect against root access.

I know for sure that it's possible, but I admit I'll have to study a bit, because I never had that requirement.

OK, first steps -

1) You need AIX 6.1.

2) You need the clic filesets clic.rte.kernext and clic.rte.lib

3) Enable EFS with "efsenable -a" as root. This will prompt you for the password for the initial keystore and will then set up the required environment.

4) Create your filesystem using the "efs=yes" attribute or choose "Enable EFS? - Yes" when using smitty.

5) To have all newly created files encrypted in your new FS (inheritance) issue "efsmgr -s -E /mountpoint"

6) To work with files/directories there you must load the keys beforehand. This is done via

efskeymgr -o "command"

"command" can be a shell!

So far for root. I use EFS only for root up to now (and not exhaustively - that's to say only for very few files).

As I said, I'll have to study how to set up EFS for a normal user and how to protect against root access.
But don't worry - you know I'm curious enough so I'll find it out!

CU tomorrow!


LVL 68

Assisted Solution

woolmilkporc earned 2000 total points
ID: 34119920

The non-root user thing is fairly easy, as it seems.

My difficulties resulted from the fact that I didn't realize that initial keystores are only created by "efsenable" for users in the "security" group.
Keystores for other users are created when running the "passwd" command for them. Hard to find!

So the approach is:

- Run "efsenable -a"

- Create an EFS enabled filesystem for your user (I'll call them "secretuser" below). Set inheritance so unencrypted files cannot be placed into this FS (4. and 5. above). Set ownership/permissions so they can access it.
- Have your user change their password. The new password will also become the EFS password of the user. In the future both passwords can be changed independently.

-- The UNIX password is changed as usual with "passwd"
-- The EFS password is changed with "efskeymgr -n" (password will be prompted).

- Protect the user's keystore from being administered/changed by root or other admins with "efskeymgr -k user/secretuser -r guard" (as root) or have the user do it themselves with "efskeymgr -r guard". In both cases they will be prompted for their EFS password. This setting can be revoked only by "secretuser" with "-r admin", not by root or by anybody else. So if the password is lost, all encrypted files of that user are lost (since they are not decryptable by anybody).

Now you can neither read nor create or modify files/dirs below your new FS without the keystore being loaded beforehand.

This is done with efskeymgr -o "command" where "command" can be a shell.

Files/dirs created by secretuser can only be read/modified by this user. Attention: File removal is subject to regular Unix permissions and is not controlled by EFS (at least as far as I have seen up to now).

OK, at the moment that's all I know (or so). If you have further questions - don't worry, we'll find the answer.
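The steps from the accepted and assisted solutions above, collected into one script. This is an added example, not something posted in the thread: it assumes volume group rootvg, mountpoint /secure, size 256M and user secretuser, and takes the crfs/lsfs syntax from the AIX 6.1 manual pages (the "efs=yes" attribute is the one named above).

```shell
#!/bin/sh
# Added example, not from the thread: scripts steps 3-5 of the accepted solution and
# the ownership/keystore-guard steps of the assisted solution for AIX 6.1 EFS.
# Assumptions: volume group rootvg, mountpoint /secure, size 256M, user secretuser.
# Must run as root; efsenable, passwd and efskeymgr prompt for passwords interactively.
set -e

VG=${VG:-rootvg}
MNT=${MNT:-/secure}
SIZE=${SIZE:-256M}
OWNER=${OWNER:-secretuser}

# Assemble the crfs command line; "efs=yes" is the attribute named in the thread.
# Kept as a function so the command can be inspected without touching the system.
build_crfs_cmd() {
    printf 'crfs -v jfs2 -g %s -m %s -A yes -a size=%s -a efs=yes' "$1" "$2" "$3"
}

# Root side: enable EFS, create and mount the filesystem, enforce inheritance,
# and restrict the tree to its owner (file removal is governed by Unix
# permissions, not by EFS, so the mode on the mountpoint matters).
setup_efs_fs() {
    efsenable -a                                    # step 3: initial keystore
    eval "$(build_crfs_cmd "$VG" "$MNT" "$SIZE")"   # step 4: EFS-enabled JFS2
    mount "$MNT"
    efsmgr -s -E "$MNT"                             # step 5: inherit encryption
    chown "$OWNER" "$MNT"
    chmod 700 "$MNT"
    # Check: lsfs -q lists the filesystem attributes, including "EFS: yes".
    lsfs -q "$MNT" | grep -q 'EFS: *yes' || { echo "EFS not enabled on $MNT" >&2; exit 1; }
}

# Root side: the user's keystore only exists after passwd has been run for
# that user; then guard it so root/admins can no longer administer it
# (prompts for the user's EFS password; only the user can revert with -r admin).
guard_user_keystore() {
    passwd "$OWNER"
    efskeymgr -k "user/$OWNER" -r guard
}

# User side: load the keystore into a shell; inside it, "efskeymgr -V"
# lists the keys loaded in the current process.
user_session() {
    efskeymgr -o ksh
}

case "${1:-}" in
    setup) setup_efs_fs ;;
    guard) guard_user_keystore ;;
    shell) user_session ;;
esac
```

Run it as root with "setup" and "guard" in that order; the user then starts their working shell with "shell".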

LVL 25

Expert Comment

ID: 34127797
As said above, in AIX 6.1 you could place the file into an encrypted file system. For more details look @


Author Comment

ID: 34137681

Sorry for the delay, but I'm extremely busy now... I'll let you know soon about what you say above.


Author Comment

ID: 34198600
I have set up EFS and everything is working fine.. but I want to know if it's possible for a user, let's say root, to work with the EFS filesystem (/secure) without being asked for the password of the keystore? I mean with the command efskeymgr -o ksh, for example?

LVL 68

Expert Comment

ID: 34203306
efskeymgr -o ksh will ask you once for the keystore password and then start a ksh for you.
You will be able to work with your encrypted files without being asked for the password again until you leave this shell.

As far as I know there is no possibility to load the keystore directly at login without being asked for a password, although I heard rumours that this should be possible if the keystore password was the same as the login password - but I never got it to work.
Maybe you're lucky with this - should you find a way please let me know!
