4.13.1 EFS - implementation - CLiC kernel extension loaded

Information

The recommendation, if there is a requirement for file based encryption, is to utilize EFS.

The use of EFS further enhances the file and directory security within AIX. If there are sensitive or confidential files, encryption provides that extra level of security in the event of an accidental chmod which may allow read or write access to other users.The encryption operates at the filesystem level and each file is encrypted with a separate key. From a user perspective the encryption is transparent as the key can be automatically loaded during login.

Solution

There are two pre-requisite requirements for EFS, it requires RBAC and the installation of the CLiC cryptographic fileset. The fileset is located on the expansion pack, shipped with the AIX media.Place the CLiC software into a convenient location, such as /tmp and install via-

/usr/lib/instl/sm_inst installp_cmd -a -Q -d /tmp -f clic.rte -c -N -g -X -G -Y

NOTE- If the software is not located in /tmp, reflect the actual location in the command above.

Load the CLiC kernel extension-

/usr/lib/methods/loadkclic

As the EFS administrator, create the initial keystore. This is typically the root user-

efsenable -a

An EFS enabled filesystem can be created with the following command-

chfs -v jfs2 -g <vg_name> -m </filesystem> -a size=<size> -a efs=yes

To enable EFS for an existing filesystem-

chfs -a efs=yes </filesystem>

To encrypt a file, load your keystore via-

efskeymgr -o ksh

Then encrypt via-

efsmgr -c AES_192_ECB -e <filename>

To decrypt-

efsmgr -d <filename>

Further details regarding planning and implementation of EFS can be found within the IBM AIX 7.1 Infocentre-

http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.security%2Fdoc%2Fsecurity%2Fefs_efs.htm

NOTE- The configuration of EFS is completely dependant on the unique requirements of a given environment.

See Also

https://workbench.cisecurity.org/files/528