Encrypted filesystem on AIX

Posted on 2010-11-11
Last Modified: 2013-11-17
OK, my boss asked me (once again) :-)

- Make an encrypted filesystem to be accessed ONLY by one user (not even root) to hold some source files. Question:

How can I make this filesystem? Please, I know there's a redbook about this, I just want a simple step by step (if possible) tutorial to do the homework.

Question by:sminfo
LVL 68

Accepted Solution

woolmilkporc earned 500 total points
ID: 34115634
Hi again,

setting up EFS is fairly straightforward but, to be honest, at the moment I have no idea how to protect against root access.

I know for sure that it's possible, but I admit I'll have to study a bit, because I never had that requirement.

OK, first steps -

1) You need AIX 6.1.

2) You need the clic filesets clic.rte.kernext and clic.rte.lib

3) Enable EFS with "efsenable -a" as root. This will prompt you for the password for the initial keystore and will then set up the required environment.

4) Create your filesystem using the "efs=yes" attribute or choose "Enable EFS? - Yes" when using smitty.

5) To have all newly created files encrypted in your new FS (inheritance) issue "efsmgr -s -E /mountpoint"

6) To work with files/directories there you must load the keys beforehand. This is done via

efskeymgr -o "command"

"command" can be a shell!

So far for root. I use EFS only for root up to now (and not exhaustively - that's to say only for very few files).

As I said, I'll have to study how to set up EFS for a normal user and how to protect against root access.
But don't worry - you know I'm curious enough so I'll find it out!

CU tomorrow!


LVL 68

Assisted Solution

woolmilkporc earned 500 total points
ID: 34119920

the non-root user thing is fairly easy, as it seems.

My difficulties resulted from the fact that I didn't realize that initial keystores are only created by "efsenable" for users in the "security" group.
Keystores for other users are created when running the "passwd" command for them. Hard to find!

So the approach is:

- Run "efsenable -a"

- Create an EFS enabled filesystem for your user (I'll call them "secretuser" below). Set inheritance so unencrypted files cannot be placed into this FS (4. and 5. above). Set ownership/permissions so they can access it.
- Have your user change their password. The new password will also become the EFS password of the user. In the future both passwords can be changed independently.

-- The UNIX password is changed as usual with "passwd"
-- The EFS password is changed with "efskeymgr -n" (password will be prompted).

- Protect the user's keystore from being administered/changed by root or other admins with "efskeymgr -k user/secretuser -r guard" (as root) or have the user do it themselves with "efskeymgr -r guard". In both cases they will be prompted for their EFS password. This setting can be revoked only by "secretuser" with "-r admin", not by root or by anybody else. - So if the password is lost all encrypted files of that user are lost (since not decryptable by anybody)

Now you can neither read nor create or modify files/dirs below your new FS without the keystore being loaded beforehand.

This is done with efskeymgr -o "command" where "command" can be a shell.

Files/dirs created by secretuser can only be read/modified by this user. Attention: File removal is subject to regular Unix permissions and is not controlled by EFS (at least as far as I have seen up to now).

OK, at the moment that's all I know (or so). If you have further questions - don't worry, we'll find the answer.
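The two answers above as one scripted procedure. This is an added example, not code from the thread or from IBM: it chains the steps exactly in the order given (efsenable, crfs with efs=yes, inheritance, ownership, passwd to create the user's keystore, then the guard), and the clic fileset check from step 2 of the first answer. The mountpoint /secure, the user secretuser, the volume group rootvg and the size 256M are placeholders. EFS_DRY_RUN=1 prints the commands instead of running them, so the sequence can be reviewed on any box before it is typed into the real AIX 6.1 system.

```shell
#!/bin/sh
# Added example, not from the original thread. Scripts the EFS setup the two
# answers describe. Assumes AIX 6.1 with clic.rte.kernext/clic.rte.lib.
# /secure, secretuser, rootvg and 256M are placeholders; pass your own.
#
# Usage (as root, on AIX):
#   . ./efs-setup.sh; efs_check_prereqs && efs_setup_fs /secure secretuser rootvg 256M
# Review first, without running anything:
#   EFS_DRY_RUN=1 efs_setup_fs /secure secretuser

# run: execute a command, or only print it when EFS_DRY_RUN=1.
run() {
    if [ "${EFS_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1 and 2: AIX 6.1 and the clic filesets must be present.
# Returns 0 when the box qualifies (or in dry-run mode), 1 otherwise.
efs_check_prereqs() {
    if [ "${EFS_DRY_RUN:-0}" = "1" ]; then
        return 0
    fi
    if [ "$(uname -s)" != "AIX" ]; then
        echo "efs_check_prereqs: not AIX" >&2
        return 1
    fi
    if ! lslpp -L clic.rte.kernext clic.rte.lib >/dev/null 2>&1; then
        echo "efs_check_prereqs: clic.rte.kernext / clic.rte.lib not installed" >&2
        return 1
    fi
    return 0
}

# Steps 3 to 5 of the first answer, then the user/guard steps of the second.
#   $1 mountpoint   $2 user owning the FS   $3 volume group   $4 size
efs_setup_fs() {
    mp=$1
    user=$2
    vg=${3:-rootvg}
    size=${4:-256M}

    # 3) enable EFS; prompts for the initial keystore password.
    run efsenable -a
    # 4) JFS2 filesystem with the efs=yes attribute, mounted at boot.
    run crfs -v jfs2 -g "$vg" -m "$mp" -A yes -a size="$size" -a efs=yes
    run mount "$mp"
    # 5) inheritance: everything created below $mp is encrypted.
    run efsmgr -s -E "$mp"
    # Ownership so secretuser can use it. Note from the thread: removal of
    # files is still governed by these Unix permissions, not by EFS.
    run chown "$user" "$mp"
    run chmod 700 "$mp"
    # The user's keystore is created when passwd runs for them; the new
    # password becomes the initial EFS password (changeable later with
    # efskeymgr -n).
    run passwd "$user"
    # Guard the keystore so root cannot administer it. Only secretuser can
    # undo this (-r admin); a lost EFS password means lost files.
    run efskeymgr -k "user/$user" -r guard
}

# To work in the FS, the user loads the keystore once and gets a shell:
#   efskeymgr -o ksh
efs_work_shell() {
    run efskeymgr -o "${1:-ksh}"
}
```

The order matters: efsmgr -s -E must be set before anything is copied in, otherwise files placed earlier stay unencrypted, and the guard must come after passwd, because until passwd has run there is no keystore for secretuser to guard.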

LVL 25

Expert Comment

ID: 34127797
As said above, in AIX 6.1 you could place the file into an encrypted file system; for more details look @ 

Author Comment

ID: 34137681

Sorry for the delay, but I'm extremely busy now... I'll let you know soon about what you say above.


Author Comment

ID: 34198600
I have set up EFS and everything is working fine.. but I want to know if it's possible for a user, let's say root, to work with the EFS filesystem (/secure) without being asked the password of the keystore? I mean with the command efskeymgr -o ksh, for example?

LVL 68

Expert Comment

ID: 34203306
efskeymgr -o ksh will ask you once for the keystore password and then start a ksh for you.
You will be able to work with your encrypted files without being asked for the password again until you leave this shell.

As far as I know there is no possibility to load the keystore directly at login without being asked for a password, although I heard rumours that this should be possible if the keystore password was the same as the login password - but I never got it to work.
Maybe you're lucky with this - should you find a way please let me know!

