encripted filesystem on AIX

Posted on 2010-11-11
Last Modified: 2013-11-17
OK, my boss asked me (once again) :-)

- Make an encrypted filesystem to be accesed ONLY to one user (not even root) to hold some sources files. Question:

How can I make this filesystem? Please, I know there's a redbook about this, I just want a simple step by step (if possible) tutorial to do the homework.

Question by:sminfo
  • 3
  • 2
LVL 68

Accepted Solution

woolmilkporc earned 500 total points
Comment Utility
Hi again,

setting up EFS is fairly straightforward but, to be honest, at the moment I have no idea how to protect against root access.

I know for sure that it's possible, but I admit I'll have to study a bit, because I never had that requirement.

OK, first steps -

1) You need AIX 6.1.

2) You need the clic filesets clic.rte.kernext and clic.rte.lib

3) Enable EFS with "efsenable -a" as root. This will prompt you for the password for the initial keystore and will then set up the required environment.

4) Create your filesystem using the "efs=yes" attribute or choose "Enable EFS? - Yes" when using smitty.

5) To have all newly created files encrypted in your new FS (inheritance) issue "efsmgr -s -E /mountpoint"

6) To work with files/directories there you must load the keys beforehand. This is done via

efskeymgr -o "command"

"command" can be a shell!

So far for root. I use EFS only for root up to now (and not exhaustively - that's to say only for very few files).

As I said, I'll have to study how to set up EFS for a normal user and how to protect against root access.
But don't worry - you know I'm curious enough so I'll find it out!

CU tomorrow!


LVL 68

Assisted Solution

woolmilkporc earned 500 total points
Comment Utility

the non-root user thing is fairly easy, as it seems.

My difficulties resulted from the fact that I didn't realize that initial keystores are only created by "efsenable" for users in the "security" group.
Keystores for other users are created when running the "passwd" command for them. Hard to find!

So the approach is:

- Run "efsenable -a"

- Create an EFS enabled filesystem for your user (I'll call them "secretuser" below). Set inheritance so unencrypted files cannot be placed into this FS (4. and 5. above). Set ownership/permissions so they can access it.
- Have your user change their password. The new password will also become the EFS password of the user. In the future both passwords can be changed independently.

-- The UNIX password is changed as usual with "passwd"
-- The EFS password is changed with "efskeymgr -n" (password will be prompted).

- Protect the user's keystore from being administered/changed by root or other admins with "efskeymgr -k user/secretuser -r guard" (as root) or have the user do it themselves with "efskeymgr -r guard". In both cases they will be prompted for their EFS password. This setting can be revoked only by "secretuser with "-r admin", not by root or by anybody else. - So if the password is lost all encrypted files of that user are lost (since not decryptable by anybody)

Now you can neither read nor create or modify files/dirs below your new FS without the kystore being loaded beforehand.

This is done with efskeymgr -o "command" where "command" can be a shell.

Files/dirs created by secretuser can only be read/modified by this user. Attention: File removal is subject to regular Unix permissions and is not controlled by EFS (at least as far as I have seen up to now).

OK, at the moment that's all I know (or so). If you have further questions - don't worry, we'll find the answer.

LVL 25

Expert Comment

Comment Utility
As said above in AIX 6.1 you could place the file into an encrypted file system for more details look @  
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.


Author Comment

Comment Utility

Sorry the delay, but I'm extremely busy now... I'll let you know soon what you say above.


Author Comment

Comment Utility
I have setup EFS and everything is working fine.. but I want to know if it's possible to a user, let say root work with the EFS's filesystem (/secure) without asking the passwd of the keystore? I mean with the command efskeymgr -o ksh, for example?

LVL 68

Expert Comment

Comment Utility
efskeymgr -o ksh will ask you once for the keystore password and then start a ksh for you.
You will be able to work with your encrypted files without being asked for the password again until you leave this shell.

As far as I know there is no possibility to load the keystore directly at login without being asked for a password, although I heard rumours that this should be possible if the keystore password was the same as the login password - but I never got it to work.
Maybe you're lucky with this - should you find a way please let me know!




Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Attention: This article will no longer be maintained. If you have any questions, please feel free to mail me. Please see for the updated article. It is avail…
Java performance on Solaris - Managing CPUs There are various resource controls in operating system which directly/indirectly influence the performance of application. one of the most important resource controls is "CPU".   In a multithreaded…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now