AIX Encrypted File Systems (EFS)
Overview
EFS on AIX was designed so that each file is encrypted with a unique key. The cryptographic information is kept in file-extended attributes. EFS uses Extended Attributes (EA) Version 2. EFS is built into the enhanced journaled file system (JFS2) - it is not a new file system. You can create EFS on a new file system or enable it on a new file system. EFS is only meant for the encryption of data file systems, not for system-based file systems (such as /var and /opt).
You can perform encryption on the entire file system by switching on Inheritance, or by doing it per file.
A key store is used to access data with password protection. This password can be the login password or a different password that root cannot access. - Source
Keystores
Each user on the system will have its own keystore where its public and private keys are stored. This keystore can be protected by a separate password or can be synchronized such that it’s protected by the normal login password. I believe this is a system-wide setting, and the default is to synchronize the passwords. User keystores are located in /var/efs/users/
If a user is explicitly granted access to act as a specific group in relation to EFS (in addition to being assigned to that group at the OS level), the group’s private and public keys will also be copied into the user’s keystore.
Groups also have their own keystores, located in /var/efs/groups/
File encryption
Each file is encrypted with a unique, symmetric (AES) key. For each user or group that is authorized to view the encrypted file, the symmetric key is then itself encrypted with the user/group’s public key from its keystore, and that user-specific encrypted version of the key is stored in the file’s extended attributes (EAs). That is, there will be one EA for each user and group that has access to the file in question. (See section 2.4 of the AIX V6 Advanced Security Redbook.)
Requirements & Constraints
- AIX 6.1
- CryptoLite in C (CliC) cryptographic library needs to be installed.
- Enable Role Based Access Control (RBAC)
- Explicitly enable the system to use EFS. (efsenable command)
- Restriction: You cannot export the EFS through NFS.
Tips & Specific Commands
- The efsmgr command manages encryption of a file or directory. efskeymgr manages keystores, including loading them into memory or removing them from memory.
-
To determine whether a particular file or directory is encrypted, issue the following command:
ls -U filename
Encrypted files/directories will have an extra “e” at the end of their access attributes:
drwxr-x---e 5 user group 256 Nov 23 20:44 directory
-
To determine which keys are loaded into your current session, issue the following command:
efskeymgr -V
Your personal user key and any group keys to which you have access will be listed. The listed keys will determine which encrypted files or directories you can access. Compare the user and group keys listed against the AIX file/directory ownership and permissions.
-
To add a group’s key to a user’s keystore, the following command must be executed by a user who has the Admin key loaded:
efskeymgr -k group/
-s user/ </pre> - Note that if the user hasn’t yet logged into the system (after EFS was enabled), the keystore won’t exist, and this command will fail.
- Note that the user still has to be added to the group via the normal OS mechanism (/etc/group).
Synchronized passwords
-
If you wish to de-synchronize your keystore password from your login password, or simply to change your keystore password, run the following command:
efskeymgr -n
-
Even with keystore passwords synchronized to user login passwords, your shell session does not automatically “load” your user’s keys unless you’ve actually entered that password. In particular, if you authenticate via SSH keys, you’ll have to explicitly load a new shell in a manner which forces you to enter your password. One way to do this, using the EFS commands, is:
efskeymgr -o ksh
You’ll be prompted for the user’s “EFS password”, which in this case is simply the login password.
-
In the same manner, if you use “sudo su - “ to switch to another user, you will not load that user’s keys. But if you use “su - “, where you are forced to provide the user’s password, you will load its keys. That is, you have to know a user’s password if you want to act as that user and have access to its EFS files/directories. In particular, if you want to start a process which runs as that user and needs access to encrypted locations.
Note: based on this article which I’ve only recently seen and haven’t yet fully parsed, those last two items may no longer be true starting with AIX 6.1 TL4.
References
- Installing and configuring Encrypted File System on AIX 6.1 This is a good overview of all the basic activities.
- AIX V6 Advanced Security Features Introduction and Configuration Redbook with a useful chapter on EFS
- Understanding EFS Supposed to be a “handbook for beginners”, but I found it a bit confusing.
- Database encryption using AIX encrypted file system (EFS) (from the DB2 9.7 Infocenter)
- AIX EFS compliance with PCI-DSSv1.2