AIX6 - EFS

AIX6 Encrypted File System (EFS)

EFS is built into JFS2: it is a feature of JFS2, not a new filesystem.

 
We can:
- create a new filesystem with EFS enabled
- enable EFS on an existing filesystem
- but not on /, /usr, /var or /opt

 
EFS is for encrypting data files, not the OS-related files.

 
We can either:
- make all files in the filesystem secure (inheritance), or
- secure just the important files

 
Access is via a password, which can be either:
- tied to your login password (not safe, as root or anyone who can su to you can access the data), or
- a different password --> root can't access this data !!!

 
Pre-requisites
1. A fully secured network
- ban telnet (tn) and ftp
- openssh and secure FTP are recommended

 
2. Enhanced RBAC activated
lsattr -El sys0 -a enhanced_RBAC --> check the current setting
chdev -l sys0 -a enhanced_RBAC=true, followed by a reboot

 
3. The CryptoLite for C (CLiC) cryptographic library
It is on the first Expansion Pack CD.
Install the fileset clic.rte with smitty installp.

 
4. Enable the Encrypted File System
efsenable -a
It will prompt you for the password.
ls -l /var/efs --> here you can see the EFS information

 
Exercise:
# lsattr -El sys0 -a enhanced_RBAC --> check that RBAC is enabled (chdev -l sys0 -a enhanced_RBAC=true and reboot if it is not)
Install the clic.rte from the first expansion pack cd
# efsenable -a --> set the password
# crfs -v jfs2 -g rootvg -m /secret -a size=1G -a efs=yes --> Create the efs
# mount /secret
# lsfs -q /secret  --> To confirm the EFS flag
# efsmgr -s -E /secret --> enables inheritance for this EFS filesystem /secret
# echo "Hello, world!" > /secret/hello

 
Now you will get the following error:
Cannot find the requested security attribute.
ksh: /secret/hello: 0403-005 Cannot create the specified file.

So we have to open a shell with the EFS keystore loaded:
# efskeymgr -o ksh
root's EFS password:*******

WoW!!! Now you are able to create a file:
# echo "Hello, world!" > /secret/hello

Note: if you exit this shell, the keys are unloaded and you can't access the files again until you rerun efskeymgr -o ksh.
Note: anyone can create and access their own EFS files, but not other users' files.

 
# efskeymgr -n --> change the EFS password for the current user. (The default EFS password is the UNIX login password, so we must change it to prevent access by root or anyone who can su to the user.)

 
Backup of EFS:

 
- Never put un-encrypted files onto the backup.
- You must have the keystore (password) to open the files.
- The key holder uses the enhanced backup tools to save the raw encrypted data:
  •   backup -Z and restore -Z
  •   tar -Z
  •   pax -Z
  •   cpio -Z

Either:

- directly to backup media, or

- archive the encrypted data to a regular filesystem for the system administrator to back up.

 

Examples:

# tar cvf /tmp/backup/unsafe.tar /secret/hello

# tar cZvf /tmp/backup/safe.tar /secret/hello

# cat /tmp/backup/unsafe.tar --> you can see the contents of the file as plain text

# cat /tmp/backup/safe.tar --> the contents are unreadable (still encrypted), so this backup is safe.

 

The keystore (password) location for EFS:

/var/efs

It is not large, so back up everything under it.

 
To back up the keystore for a particular user:
/var/efs/users/USERNAME/keystore

Note: it is an encrypted binary file.
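An added example (not part of the original notes, and not an IBM tool): a small sh/ksh wrapper that makes the unsafe.tar / safe.tar check above automatic by refusing an archive that still contains the plaintext of a canary file, then saves the user's keystore beside it. The function names, the canary argument and the destination paths are my assumptions; the tar -Z flag and the keystore path /var/efs/users/USERNAME/keystore are the ones from the notes, and that part only runs on AIX inside a shell opened with efskeymgr -o ksh.

```shell
#!/bin/sh
# Added example: guard an EFS backup against the "unsafe.tar" mistake.
# Function names and arguments are assumptions; tar -Z and the keystore
# path /var/efs/users/USERNAME/keystore come from the notes above.

# Return 0 (true) if ARCHIVE still contains the first line of CANARY in
# clear, i.e. the backup was made without -Z. It scans the raw bytes, so
# it works on any archive format. CANARY should be a small text file that
# lives on the EFS filesystem (like /secret/hello in the notes).
archive_leaks_plaintext() {
    archive=$1
    canary=$2
    marker=$(head -n 1 "$canary")
    [ -n "$marker" ] || return 1
    grep -qF -- "$marker" "$archive"
}

# AIX only: archive SRC as raw encrypted data (tar -Z), delete the archive
# if the canary leaked in clear, then save the user's keystore beside it.
# Run it inside "efskeymgr -o ksh" so the EFS keys are loaded.
efs_backup() {
    src=$1
    dest=$2
    canary=$3
    user=${4:-$(id -un)}
    tar cZvf "$dest" "$src" || return 2
    if archive_leaks_plaintext "$dest" "$canary"; then
        echo "plaintext of $canary found in $dest, refusing this backup" >&2
        rm -f "$dest"
        return 3
    fi
    # The keystore is needed to restore; it is itself encrypted, so a
    # plain tar of it is fine.
    tar cvf "$dest.keystore.tar" "/var/efs/users/$user/keystore" || return 2
}

# Usage: efs_backup /secret /tmp/backup/safe.tar /secret/hello [user]
if [ $# -ge 3 ]; then
    efs_backup "$@"
fi
```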

 
