3.1 Encryption: File System Level (EFS)

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The recommendation, if there is a requirement for file based encryption aka encryption at rest, is to utilize EFS.

Rationale:

A security enhancement introduced with AIX 6.1 is Encrypted Filesystems (EFS). This technology enables an individual user to encrypt their own data within a jfs2 filesystem.

After enabling a filesystem to use EFS individual files can be encrypted or encryption can be set at the directory (all files within the directory, recursively) or by system administration at filesystem level. Encryption is performed by the kernel. Access to the kernel secret key is managed via keystore files. The standard AIX data and user management commands have been modified to work with encryption.

Data is only accessible in 'cleartext' when the active process has access to the secret key. Without this access the file system acts as if the file does not exist.

Impact:

The use of EFS enhances the file and directory security within AIX. If there are sensitive or confidential files, encryption provides that extra level of security in the event of an accidental chmod which may allow read or write access to other users.

The encryption operates at the filesystem level and each file is encrypted with a separate key. From a user perspective the encryption is transparent as the key can be automatically loaded during login.

Solution

There are two pre-requisite requirements for EFS, it requires RBAC and the installation of the CLiC cryptographic fileset. The fileset is located on the expansion pack, shipped with the AIX media.
Place the CLiC software into a convenient location, such as /tmp and install via:

/usr/lib/instl/sm_inst installp_cmd -a -Q -d /tmp -f clic.rte -c -N -g -X -G -Y

NOTE: If the software is not located in /tmp, reflect the actual location in the command above.
Load the CLiC kernel extension:

/usr/lib/methods/loadkclic

As the EFS administrator, create the initial keystore. This is typically the root user:

efsenable -a

An EFS enabled filesystem can be created with the following command:

chfs -v jfs2 -g <vg_name> -m <filesystem> -a size=<size> -a efs=yes

To enable EFS for an existing filesystem:

chfs -a efs=yes <filesystem>

To encrypt a file, load your keystore via:

efskeymgr -o ksh

Then encrypt via:

efsmgr -c AES_192_ECB -e <filename>

To decrypt:

efsmgr -d <filename>

Further details regarding planning and implementation of EFS can be found within the IBM AIX 7.1 Infocentre:
https://www.ibm.com/docs/en/aix/7.1?topic=system-efs-encrypted-file
NOTE: The configuration of EFS is completely dependent on the unique requirements of a given environment.

Default Value:

N/A

See Also

https://workbench.cisecurity.org/benchmarks/13069