AIX - How to mount and encrypt data on a USB

Posted on 2012-08-28
Last Modified: 2012-08-30
What is the correct method to discover and mount a USB stick on a server? Also, how to encrypt the data that I will be transferring over to the USB stick on an AIX server?
Question by:AIX25
20 Comments
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 2000 total points
ID: 38342686
What you need (from the installation DVD, if not already present):

- devices.usbif*
- devices.common.IBM.usb.rte

How it works:

- Insert the USB stick and run
cfgmgr
-- You should find several /dev/*usb* entries now.
-- The actual storage device is "usbms0" (AIX 6.1 and up, in older versions "flashdrive0")

- Create a filesystem:
mkfs -V jfs2 -o ea=v2 /dev/usbms0
-- You must confirm "destroy /dev/usbms0" with "yes".

- Mount it:
mkdir /myusb
mount -o log=NULL /dev/usbms0 /myusb


- Unmount it:
umount /myusb

I must admit that I never hit on the idea of encrypting a USB stick under AIX.
I'm rather sure that AIX's own "Encrypted Filesystem" will not work with USB, and even if it did you could only decrypt your data on the originating system.

Rather use something like openssl to encrypt (and later decrypt) your data, e.g.
openssl enc ...

Here is more about "openssl enc":
http://www.openssl.org/docs/apps/enc.html
0
 

Author Comment

by:AIX25
ID: 38342848
Please provide an example of how I would encrypt and decrypt file1, file2, file3, directory1, and directory2 under /usr_mnt. Would I tar up the whole directory and encrypt that? Also, how do I NFS mount /usr_mnt to another server? Is it possible to NFS mount a USB FS?

servername:/usb_mnt> df -g |grep usb
/dev/usbms0      465.76    465.19    1%        3     1% /usb_mnt
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 2000 total points
ID: 38343009
openssl works on a per-file basis (or on stdin/stdout) not on directories or file lists.
Also, it doesn't encrypt in place.

Crypt a file to USB:
openssl enc -aes-256-cbc -salt -pass pass:mypassword -in /path/to/file1 -out /usb_mnt/file1.enc

Decrypt:
openssl enc -d -aes-256-cbc -salt -pass pass:mypassword -in  /usb_mnt/file1.enc -out /path/to/file1

Of course you can use pipes to tar up and encrypt a directory. This will result in an encrypted tar archive on USB (examples with stdin/stdout instead of "-in/-out"):

tar -cvf - /path/to/directory1 | openssl enc -aes-256-cbc -salt -pass pass:mypassword > /usb_mnt/directory1.enc.tar

Decrypt with:

openssl enc -d -aes-256-cbc -pass pass:mypassword < /usb_mnt/directory1.enc.tar | tar -xvf -

You can also read your password from a file ("-pass file:/path/to/pwdfile")

It should be possible to "mknfsexp"  against a directory on USB. Do it just the same way as you would with any local directory.
0
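Added example, not part of the answer above or of the thread: the tar-and-encrypt pipe with the passphrase read from a file (the "-pass file:" form the answer mentions), plus a check that lists the archive members by decrypting to a pipe before the stick is unmounted. Function names, paths and sample data are constructed; pinning "-md sha256" is an assumption added so that servers with different openssl releases derive the same key.

```sh
#!/bin/sh
# Added example; function names, paths and sample data are constructed.
umask 077   # passphrase file and archives readable by their owner only

# encrypt_dir <srcdir> <pwdfile> <outfile>
# The passphrase comes from a file, so it is not visible in ps output or in
# shell history. -md sha256 pins the key-derivation digest, because the
# openssl default differs between releases (assumption: both ends have sha256).
encrypt_dir() {
    (cd "$(dirname "$1")" && tar -cf - "$(basename "$1")") |
        openssl enc -aes-256-cbc -salt -md sha256 -pass "file:$2" > "$3"
}

# verify_archive <encfile> <pwdfile>
# Decrypts to a pipe and lists the members without writing plaintext to disk;
# returns non-zero when the passphrase is wrong or the listing is empty.
verify_archive() {
    list=$(openssl enc -d -aes-256-cbc -md sha256 -pass "file:$2" < "$1" |
           tar -tf -) || return 1
    [ -n "$list" ] && printf '%s\n' "$list"
}

# restore_dir <encfile> <pwdfile> <destdir>
restore_dir() {
    mkdir -p "$3" &&
        openssl enc -d -aes-256-cbc -md sha256 -pass "file:$2" < "$1" |
        (cd "$3" && tar -xf -)
}

# Round trip on constructed data; "$work/usb_mnt" stands in for the mounted stick.
demo() {
    work=${TMPDIR:-/tmp}/usbdemo.$$
    mkdir -p "$work/src/directory1/sub" "$work/usb_mnt" || return 1
    echo "constructed sample data" > "$work/src/directory1/file1"
    echo "more sample data" > "$work/src/directory1/sub/file2"
    echo "constructed-passphrase" > "$work/pwdfile"
    echo "not-the-passphrase" > "$work/badpwd"
    enc=$work/usb_mnt/directory1.tar.enc
    encrypt_dir "$work/src/directory1" "$work/pwdfile" "$enc" || return 1
    verify_archive "$enc" "$work/pwdfile" | grep -q 'directory1/sub/file2' || return 1
    if verify_archive "$enc" "$work/badpwd" >/dev/null 2>&1; then return 1; fi
    restore_dir "$enc" "$work/pwdfile" "$work/restore" || return 1
    cmp -s "$work/src/directory1/file1" "$work/restore/directory1/file1" || return 1
    rm -rf "$work"
}
demo && echo "round trip OK"
```

openssl enc with aes-256-cbc gives confidentiality only; keep a checksum of each encrypted file off the stick if changes to it must also be detected.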

Author Comment

by:AIX25
ID: 38343457
After I tar'ed and encrypted the directories, I unmounted the USB and wanted to remount it to verify all the data was still there, so I followed your steps again on mounting a USB, and there was no data on the USB. Does it get deleted when I remount the USB, using the method you listed earlier? How do I view the content of the USB without deleting it?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38344404
As long as you just issue the "umount" and "mount" commands you should be fine.
These commands don't touch the content of the device.

Of course you should not reissue the "mkfs" command. This will indeed destroy all data.

Btw., are you sure that the data have successfully been placed on the USB device before?
0
 

Author Comment

by:AIX25
ID: 38345733
I'm sure the data was successfully placed on the USB before the unmount.
server:/usb_mnt> ls -l
total 37487336
-rw-r--r--    1 root     system   7105531936 Aug 28 16:34 dir1.enc.tar
-rw-r--r--    1 root     system   2690367520 Aug 28 16:52 dir2.enc.tar
-rw-r--r--    1 root     system   5690830880 Aug 28 16:41 dir3.enc.tar
-rw-r--r--    1 root     system   3705602080 Aug 28 16:48 dir4.enc.tar

The USB unmounts fine, but when I go to remount it..it gives me the error below??

server:/> mount /usb _mnt
mount: 0506-334 /usb_mnt is not a known file system.
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 2000 total points
ID: 38345841
Yes, it's not in /etc/filesystems, that's why you must use:

mount -o log=NULL /dev/usbms0 /usb_mnt

log=NULL is important because we don't use a journal, and the device specification is needed for lack of a filesystems entry.
0
 

Author Comment

by:AIX25
ID: 38346053
Here is what I get:

server:/> mkfs -V jfs2 -o ea=v2 /dev/usbms0
mkfs: destroy /dev/usbms0 (yes)? yes
File system created successfully.
488371472 kilobytes total disk space.
Device /dev/usbms0:
  Standard empty filesystem
  Size:           976742944 512-byte (DEVBLKSIZE) blocks
server:/> mkdir /usb_mnt
server:/> mount -o log=NULL /dev/usbms0 /usb_mnt
mount: 0506-323 Cannot get information about log device NULL.
server:/>

Why can't I mount it?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38346384
Don't you have AIX 6.1 or 7.1? I always assumed so.

AIX 5.x doesn't have the mount option "log=NULL"

In order to mount the device on 5.3 you must create the FS on the originating system (whichever AIX version) with

mkfs -o log=INLINE,ea=v2 -V jfs2 /dev/usbms0

You will be asked "logform: Format inline log for  <y>?" Answer "y".

Mount it without "-o log=NULL" then, regardless of the AIX version.
Use "-o log=INLINE" instead.

mount -o log=INLINE /dev/usbms0 /usb_mnt

I think you're aware that you need the mkfs command only once?
Issuing it a second time will of course destroy your data!

So after umounting it and taking it to another box just plug the device in, issue "cfgmgr"
and the "mkdir" and "mount" commands, not mkfs!
0
 

Author Comment

by:AIX25
ID: 38346709
server:/> oslevel -s
6100-07-03-1207
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38346756
>> mount: 0506-323 Cannot get information about log device NULL. <<

is definitely an AIX 5.3 message. Are you sure you saw it on the same machine as the above oslevel output?

If so, I must admit that I'm out.
0
 

Author Comment

by:AIX25
ID: 38346856
What is the correct process with AIX 6.1??
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38346906
The one I described initially.

And please remember to issue mkfs only once. Subsequent mkfs commands will destroy all data on the device.
0
 

Author Comment

by:AIX25
ID: 38346949
Yes, I'm sure that the oslevel was 6.1 on the server. When I was working on this yesterday, I used the 5.3 method, because NULL was not working. Was that why my USB data was not saving correctly, with the unmount and mount?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38346993
umount or mount do not destroy data. Only mkfs does.
0
 

Author Comment

by:AIX25
ID: 38347488
Then why can't I remount it?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38347610
What do you mean, you can't?

Because of the log=NULL error?

So go back to your source system, create the filesystem using the log=INLINE method, mount it using the log=INLINE method, then put your data on the stick, umount it, go to your target system and mount it using the log=INLINE version.

The INLINE method works on AIX 5.3, 6.1 and 7.1!
0
 

Author Comment

by:AIX25
ID: 38347717
Here are the steps I ran:

cfgmgr

mkfs -olog=INLINE,ea=v2 -Vjfs2 /dev/usbms0

mkdir /usb_mnt

mount -V jfs2 -o log=/dev/usbms0 /dev/usbms0 /usb_mnt

server:/> df -g |grep usb
/dev/usbms0      465.76    459.44    2%        8     1% /usb_mnt

Then I tar'ed and encrypted all the directories needed.

Also ran, server:/> lsfs |grep usb . Nothing shows up.

Then I ran unmount /usb_mnt.

What will be the mount command?
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 2000 total points
ID: 38347805
Why  didn't you use log=INLINE in the mount command? Anyway, it works your way as well because you created the FS with an inline log.

Try

mount -v jfs2 -o log=INLINE /dev/usbms0 /usb_mnt

It's normal that you don't see anything with lsfs. mkfs does not write to /etc/filesystems.
0
 

Author Comment

by:AIX25
ID: 38347900
It worked! I was not mounting it with the INLINE mount command! I mounted it with log=INLINE...and that did it!!!
0
