4.4.2.1 Ensure File System Level encryption is enabled

Information

When there is a requirement for file-level encryption, to protect data from unauthorized users both on live systems and at rest, the preferred mechanism is EFS (Encrypted File System).

A security enhancement introduced with AIX 6.1 is the Encrypted File System (EFS). It enables an individual user to encrypt their own data within a JFS2 filesystem.

After a filesystem has been enabled for EFS, individual files can be encrypted, encryption inheritance can be set on a directory so that files created within it (and its subdirectories) are encrypted, or a system administrator can enable it for the whole filesystem. Encryption and decryption are performed by the kernel. Each file is protected by its own key, and access to those keys is controlled through per-user and per-group keystore files that are loaded into the kernel on the user's behalf. The standard AIX data and user management commands have been modified to work with encryption.

Data is only accessible in cleartext when the calling process has access to the file's key. Without that key the process cannot obtain the cleartext, regardless of the file's discretionary (mode-bit or ACL) permissions.

Solution

EFS has two prerequisites: RBAC must be enabled, and the CLiC cryptographic fileset (clic.rte) must be installed. The fileset is located on the Expansion Pack shipped with the AIX media.

Copy the CLiC fileset to a convenient location, such as /tmp, and install it with:

/usr/lib/instl/sm_inst installp_cmd -a -Q -d /tmp -f clic.rte -c -N -g -X -G -Y

NOTE: If the software is not located in /tmp, substitute the actual location in the -d argument of the command above.

Load the CLiC kernel extension:

/usr/lib/methods/loadkclic

As the EFS administrator (typically the root user), create the initial keystore and enable EFS on the system; you will be prompted for a keystore password:

efsenable -a

A new EFS-enabled filesystem is created with crfs (chfs only changes an existing filesystem and cannot create one):

crfs -v jfs2 -g <vg_name> -m <mount_point> -a size=<size> -a efs=yes

To enable EFS on an existing JFS2 filesystem:

chfs -a efs=yes <mount_point>

To encrypt a file, first load your keystore into a new shell (you will be prompted for the keystore password):

efskeymgr -o ksh

Then encrypt the file. Choose a CBC cipher explicitly: efsmgr also accepts the ECB variants (AES_128_ECB, AES_192_ECB, AES_256_ECB), but ECB encrypts identical plaintext blocks to identical ciphertext blocks and so leaks the structure of file data. If -c is omitted, the default is AES_128_CBC.

efsmgr -c AES_256_CBC -e <filename>

To decrypt the file (remove its encryption):

efsmgr -d <filename>
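The steps above are the remediation; the audit side of this control is checking that each JFS2 filesystem holding sensitive data is actually EFS-enabled. The following POSIX sh script is an added example, written for this page and not part of the CIS benchmark or IBM's tooling. It assumes that an EFS-enabled filesystem's stanza in /etc/filesystems carries an "efs = yes" attribute (the attribute that chfs -a efs=yes sets), reports PASS/FAIL per mount point, and wraps the chfs command from this section in a guarded remediation step. The two stanzas it runs against are constructed sample data, not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or IBM): audit helper for the
# "EFS enabled" control.  It reads the /etc/filesystems stanza of each JFS2
# filesystem and reports whether it carries "efs = yes", the attribute that
# "chfs -a efs=yes <mount_point>" records (assumption: stanza format as on AIX).
# A guarded remediation step built from the chfs command in this section follows.

# Print the value of the "efs" attribute in the stanza named $2 of the
# filesystems file $1.  Prints "no" when the stanza has no such attribute
# (the AIX default) or when the file cannot be read.
efs_attr() {
    _file=$1; _mp=$2
    if [ ! -r "$_file" ]; then
        echo "no"
        return 0
    fi
    awk -v mp="$_mp" '
        # A stanza header is a non-indented, non-comment line ending in ":".
        /:$/ {
            c = substr($0, 1, 1)
            if (c != " " && c != "\t" && c != "*") {
                stanza = substr($0, 1, length($0) - 1)
                next
            }
        }
        stanza == mp && $1 == "efs" && $2 == "=" { print $3; found = 1 }
        END { if (!found) print "no" }
    ' "$_file"
}

# Succeed (return 0) only if the filesystem named $2 is EFS-enabled in $1.
efs_enabled() {
    [ "$(efs_attr "$1" "$2")" = "yes" ]
}

# Audit every mount point given after the filesystems file; print one
# PASS/FAIL line per filesystem and return 1 if any is not EFS-enabled.
efs_audit() {
    _file=$1; shift
    _rc=0
    for _mp in "$@"; do
        if efs_enabled "$_file" "$_mp"; then
            echo "PASS $_mp efs=yes"
        else
            echo "FAIL $_mp efs=$(efs_attr "$_file" "$_mp")"
            _rc=1
        fi
    done
    return $_rc
}

# Enable EFS on the mounted JFS2 filesystem $1 only if the audit says it is
# not enabled.  $2 defaults to /etc/filesystems; on a host without chfs
# (anything but AIX) the command is printed instead of run.
efs_remediate() {
    _mp=$1; _file=${2:-/etc/filesystems}
    if efs_enabled "$_file" "$_mp"; then
        echo "$_mp already EFS-enabled"
        return 0
    fi
    if command -v chfs >/dev/null 2>&1; then
        chfs -a efs=yes "$_mp"
    else
        echo "would run: chfs -a efs=yes $_mp"
    fi
}

# Constructed sample stanzas (not copied from a real host): /efsdata was
# created with "efs=yes", /home was not.
SAMPLE_FS=${TMPDIR:-/tmp}/efs_sample.$$
trap 'rm -f "$SAMPLE_FS"' EXIT
cat > "$SAMPLE_FS" <<'EOF'
* constructed sample of /etc/filesystems stanzas (not from a real host)

/efsdata:
        dev             = /dev/fslv00
        vfs             = jfs2
        log             = /dev/hd8
        mount           = true
        options         = rw
        account         = false
        efs             = yes

/home:
        dev             = /dev/hd1
        vfs             = jfs2
        log             = /dev/hd8
        mount           = true
        check           = true
        vol             = /home
        free            = false
EOF

efs_audit "$SAMPLE_FS" /efsdata /home || echo "audit: at least one filesystem is not EFS-enabled"
efs_remediate /home "$SAMPLE_FS"
```

On a real host, run efs_audit against /etc/filesystems with the list of mount points your data classification requires to be encrypted, and confirm the result with lsfs -q, which reports the EFS state of a mounted JFS2 filesystem. Remember that enabling EFS on a filesystem does not by itself encrypt the files already in it; files must be encrypted with efsmgr or created under a directory with inheritance set.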

Further details on planning and implementing EFS can be found in the IBM AIX 7.1 documentation:

https://www.ibm.com/docs/en/aix/7.1?topic=system-efs-encrypted-file

NOTE: The configuration of EFS is completely dependent on the unique requirements of a given environment.

Impact:

The use of EFS enhances file and directory security within AIX. For sensitive or confidential files, encryption provides an additional layer of protection: an accidental chmod that grants read or write access to other users does not expose the cleartext, because those users do not hold the file's key.

Encryption operates at the filesystem level and each file is encrypted with its own key. From the user's perspective it is transparent, because the user's keystore can be loaded automatically at login.

See Also

https://workbench.cisecurity.org/benchmarks/10385

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: Unix

Control ID: cbb2e2ea43cfbbe27158a396030051901534bee02eb835c42b96711875ea65a5