AIX EFS - Encrypted File System


Understanding EFS

A simple handbook for beginners

Skill Level: Intermediate

Anto A. John ([email protected])
AIX Development Support Specialist
IBM

29 Jan 2008

Safeguard your data with the Encrypted File System (EFS), a new AIX® 6.1 security feature, and get a comprehensive picture on the configuration of EFS and its usage. EFS can store the content of a file in an encrypted format at the file system level. If you’re new to EFS, this article is a good starting point for reviewing the need for EFS, its features, and most commonly used commands.

Introduction

The Encrypted File System (EFS) provides J2 (JFS2) file system-level encryption through individual key stores. This allows files to be encrypted in order to protect confidential data from attackers with physical access to the computer. User authentication and access control lists can protect files from unauthorized access while the operating system is running; however, it’s easy to circumvent the control lists if an attacker gains physical access to the computer.

One solution is to store the files in encrypted form on the disks of the computer. In EFS, a key is associated with each user. These keys are stored in a cryptographically protected key store, and upon successful login the user's keys are loaded into the kernel and associated with the process credentials. When the process needs to open an EFS-protected file, the system tests the credentials. If the system finds a key matching the file protection, the process is able to decrypt the file key and file content. The cryptographic information is kept in the extended attributes for each file. EFS uses extended attribute Version 2, and each file is encrypted before being written on the disk. The files are decrypted when they are read from the disk into memory so that the file data kept in memory is in clear format. The data is decrypted only once, which is a major advantage. When another user requires access to the file, their security credentials are verified before being granted access to the data even though the file data is already in memory and in clear format. If the user is not entitled to access the file, the access is refused. File encryption does not eliminate the role of traditional access permissions, but it does add more granularity and flexibility.

In order to be able to create and use the EFS-enabled file system on a system, the following prerequisites must be met:

• Install the CryptoLite in C (CliC) cryptographic library.

• Enable the RBAC.

• Enable the system to use the EFS file system.

How is AIX EFS different from others available in the market?

AIX® EFS encryption is at the file system level. Each file is protected with a unique file key, and protection is provided against a malicious root user.

Frequently used commands

efsenable

The efsenable command activates the EFS capability on a system. It creates the EFS administration keystore, the user keystore, and the security group keystore. A keystore is a key repository that contains EFS security information. The access key to the EFS administration keystore is stored in the user keystore and the security group keystore. The efsenable command creates the /var/efs directory. The /etc/security/user and /etc/security/group files are updated with new EFS attributes on execution of this command.

efskeymgr

The efskeymgr command is dedicated to all key management operations needed by EFS. The initial password of a user keystore is the user login password. Group keystores and admin keystores are not protected by a password but by an access key. Access keys are stored inside all user keystores that belong to this group.

When you open a keystore (at login or explicitly with the efskeymgr command), the private keys contained in this keystore are pushed to the kernel and associated with the process. If access keys are found in the keystore, the corresponding keystores are also opened and their keys are automatically pushed into the kernel.


efsmgr

The efsmgr command is dedicated to managing file encryption and decryption inside EFS. Encrypted files can only be created on EFS-enabled JFS2 file systems. Inheritance is set on the file system or the directory where the file is being created using this command. When inheritance is set on a directory, all new files created in this directory are encrypted by default. The cipher used to encrypt files is the inherited cipher. New directories also inherit the same cipher. If inheritance is disabled on a subdirectory, the new files created in this subdirectory will not be encrypted.

Setting or removing inheritance on a directory or a file system has no effect on the existing files. The efsmgr command must be used explicitly to encrypt or decrypt files.

Sample scenario

Let's take a scenario of a company that has three departments, namely sales, marketing, and finance. These three departments share the same AIX machine to store their confidential content. If EFS is not enabled, the potential of having the data exposed between the three departments is extremely high. See Listing 1 below to learn how to make this threat-prone machine a safe location to store data.

Enabling EFS

To enable EFS on AIX, type the following:

Listing 1. EFS enablement in AIX

# efsenable -a
Enter password to protect your initial keystore:
Enter the same password again:

Enter the following to see the directories created to facilitate EFS:

# cd /var/efs
# ls
efs_admin efsenabled groups users

All of the EFS capabilities should now be enabled.

You are now going to create a separate file system for all the three departments. The creation of an EFS is similar to the creation of a normal file system. The only difference is that you have to enable the EA2 efs = yes attribute.

Listing 2 illustrates how to create an encrypted file system through the System Management Interface Tool (SMIT):

Listing 2. EFS creation through SMIT

Add an Enhanced Journaled File System

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                          [Entry Fields]
  Volume group name                       rootvg
  SIZE of file system
          Unit Size                       Megabytes     +
*         Number of units                 [100]         #
* MOUNT POINT                             [/sales]
  Mount AUTOMATICALLY at system restart?  no            +
  PERMISSIONS                             read/write    +
  Mount OPTIONS                           []            +
  Block Size (bytes)                      4096          +
  Logical Volume for Log                                +
  Inline Log size (MBytes)                []            #
  Extended Attribute Format                             +
  ENABLE Quota Management?                no            +
  Enable EFS?                             yes           +
  Allow internal snapshots?               no            +

You can also create the same file system through the command line, as shown here in Listing 3:

Listing 3. EFS creation through the command line

# crfs -v jfs2 -g rootvg -m /sales -a size=100M -a efs=yes
# crfs -v jfs2 -g rootvg -m /marketing -a size=100M -a efs=yes
# crfs -v jfs2 -g rootvg -m /finance -a size=100M -a efs=yes

You have now successfully created three separate file systems for these three departments.

Creating keystores for users and groups

In order to handle or maintain these individual file systems, you need to create three different users and create a keystore for them (see Listing 4). (A keystore for a user is created when a password is set for that user.)

Listing 4. Creation of users

# mkuser salesman
# passwd salesman

# mkuser marketingman
# passwd marketingman

# mkuser financeman
# passwd financeman


This creates three separate keystores for these three users in the /var/efs/users directory (see Listing 5).

Listing 5. Keystore location for users

# pwd
/var/efs/users
# ls
.lock salesman marketingman financeman root

You can also create keystores for the groups with EFS (see Listing 6).

Listing 6. Keystore creation for groups

#efskeymgr -C finance

# pwd
/var/efs/groups
# ls
.lock finance security

Creation of a keystore for a group requires at least one user under it.

Creating EFS directories and setting properties

This section shows how you can create encrypted files and directories in the EFS file system and manipulate their properties. In order to create EFS directories, you need the EFS file system to be mounted (see Listing 7).

Listing 7. Creating the EFS directory

# mount /finance
# cd /finance

# mkdir yearlyreport
# efsmgr -E yearlyreport

# efsmgr -L yearlyreport
EFS inheritance is set with algorithm: AES_128_CBC

The yearlyreport directory is now set for inheritance. This means that a file or directory created in it inherits both the property of encryption and all encryption parameters from its parent directory.

There are various options with efsmgr that let you set the type of cipher to be used on this directory, enable and disable inheritance, and add or remove users and groups from the EFS access list of this directory.

Encrypting individual files

In order to carry out any EFS-related activity, you need to load the keystore. If you try to create a file inside this encrypted directory without having access to the keystore that protects it, the following will result:

# cd yearlyreport
# ls
# touch apr_report
touch: 0652-046 Cannot create apr_report.

This happens when you don't have the keystore loaded to perform the EFS activity (see Listing 8).

Listing 8. Loading EFS keystore to the shell

# efskeymgr -o ksh
financeman's EFS password:
# touch apr_report

Now that you have loaded the keystore, any information that is added to this file is encrypted at the file system level (see Listing 9).

Listing 9. Encrypted file in EFS

# ls -U apr_report
-rw-r--r--e 1 financeman system 0 Nov 28 06:14 apr_report

The "e" set for this file means that it's encrypted and no one other than the owner who possesses the key store can access and read its content (see Listing 10).

Listing 10. Listing encrypted file attributes

# efsmgr -l apr_report
EFS File information:
Algorithm: AES_128_CBC
List of keys that can open the file:
Key #1:
Algorithm : RSA_1024
Who : uid 0
Key fingerprint : 4b6c5f5f:63cb8c6f:752b37c3:6bc818e1:7b4961f9

With the different flags available with the efsmgr command, you can change the cipher and other attributes of the file. If you want to encrypt a file that does not sit under any encrypted directory, then you need to use the following option to encrypt such standalone files (see Listing 11):

Listing 11. Encrypting a single file

# cd /finance
# touch companylist
# ls -U
total 16
-rw-r--r--- 1 root system 8 Nov 28 06:21 companylist
drwxr-xr-x- 2 root system 256 Nov 28 05:52 lost+found
drwxr-xr-xe 2 root system 256 Nov 28 06:14 yearlyreport

# efsmgr -c AES_192_ECB -e companylist

# ls -U companylist
-rw-r--r--e 1 root system 8 Nov 28 06:24 companylist
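Because setting inheritance does not touch files that already exist, the flag shown by ls -U is worth checking mechanically. The following is an added example, not part of the original article: the function name is hypothetical, it assumes the eleventh mode character is the EFS flag as Listing 11 shows, and its sample input is copied from that listing.

```shell
#!/bin/sh
# Added example (not from the article): flag entries that EFS does not protect.
# Assumption, read off Listing 11: the 11th character of the mode field printed
# by `ls -U` is "e" for an encrypted file or a directory with inheritance set.

# efs_unprotected: read `ls -U` long-listing lines on stdin and print
#   file:<name>  for each regular file without the "e" flag
#   dir:<name>   for each directory without the "e" flag
efs_unprotected() {
    awk '
        /^total / { next }                 # summary line, not an entry
        length($1) < 11 || NF < 9 { next } # not an ls -U entry
        {
            type = substr($1, 1, 1)
            if (substr($1, 11, 1) == "e") next
            name = $9                      # rejoin names containing spaces
            for (i = 10; i <= NF; i++) name = name " " $i
            if (type == "-") print "file:" name
            else if (type == "d") print "dir:" name
        }'
}

# Sample input copied from Listing 11, before companylist is encrypted.
sample_before() {
    cat <<'EOF'
total 16
-rw-r--r--- 1 root system 8 Nov 28 06:21 companylist
drwxr-xr-x- 2 root system 256 Nov 28 05:52 lost+found
drwxr-xr-xe 2 root system 256 Nov 28 06:14 yearlyreport
EOF
}

# Sample input copied from Listing 11, after efsmgr -c AES_192_ECB -e companylist.
sample_after() {
    cat <<'EOF'
-rw-r--r--e 1 root system 8 Nov 28 06:24 companylist
EOF
}

echo "before:"; sample_before | efs_unprotected
echo "after:";  sample_after  | efs_unprotected
```

On an AIX host, pipe the output of ls -U for the directory under review into efs_unprotected instead of the sample functions.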

Facilitating the access of other users for your files

Now you have seen that each department has created a separate file system and has a keystore to guard them. If the scenario requires that a person from finance access the encrypted files from sales, then you need to be able to grant him or her permission to do so (see Listing 12 and Listing 13).

Listing 12. vi output when the file is encrypted

#vi sales_report

~~~~~~~~

"sales_report" Security authentication is denied.

Listing 13. Passing keystore access to another user

# efskeymgr -k user/salesman -s user/financeman

This command now sends the access key of the "salesman" user to the "financeman" user.

If you try to edit a file owned by salesman, you can read and access the content in its plain format, as you now possess the keystore of the user who created the file (see Listing 14).

Listing 14. vi output after receiving keystore access

#vi sales_report

Sales report for this financial year
~~~~~~~~

"sales_report" [Read only] 1 line, 36 characters


Granting and revoking access to individual files

Instead of sending the complete access key to another user, you can also set access permissions on individual files residing on EFS.

Let's now suppose you have a file in the /marketing file system and you wish to give access to a particular /marketing/strategy.txt file to the "salesman" user and to the "finance" group. In order to accomplish this task, you need to review Listing 15 and Listing 16.

Listing 15. Granting access to a user

# efsmgr -l strategy.txt
EFS File information:
Algorithm: AES_128_CBC
List of keys that can open the file:
Key #1:
Algorithm : RSA_1024
Who : uid 0
Key fingerprint : 4b6c5f5f:63cb8c6f:752b37c3:6bc818e1:7b4961f9

# efsmgr -a strategy.txt -u salesman

# efsmgr -l strategy.txt
EFS File information:
Algorithm: AES_128_CBC
List of keys that can open the file:
Key #1:
Algorithm : RSA_1024
Who : uid 0
Key fingerprint : 4b6c5f5f:63cb8c6f:752b37c3:6bc818e1:7b4961f9

Key #2:
Algorithm : RSA_1024
Who : uid 204
Key fingerprint : f91b5a79:53bdd7f1:58987a33:f5701a38:99145b24

Listing 16. Granting access to a group

# efsmgr -a strategy.txt -g finance

# efsmgr -l strategy.txt
EFS File information:
Algorithm: AES_128_CBC
List of keys that can open the file:
Key #1:
Algorithm : RSA_1024
Who : uid 0
Key fingerprint : 4b6c5f5f:63cb8c6f:752b37c3:6bc818e1:7b4961f9

Key #2:
Algorithm : RSA_1024
Who : uid 204
Key fingerprint : f91b5a79:53bdd7f1:58987a33:f5701a38:99145b24

Key #3:
Algorithm : RSA_1024
Who : gid 201
Key fingerprint : 8cb65011:2a42e9f0:91f7b712:20e36bb7:5eb0db0a

If you need to revoke the access that was provided to the "finance" group, then use the "-r" flag with the efsmgr command, as shown in Listing 17 below.


Listing 17. Revoking access to a group

# efsmgr -r strategy.txt -g finance

# efsmgr -l strategy.txt
EFS File information:
Algorithm: AES_128_CBC
List of keys that can open the file:
Key #1:
Algorithm : RSA_1024
Who : uid 0
Key fingerprint : 4b6c5f5f:63cb8c6f:752b37c3:6bc818e1:7b4961f9

Key #2:
Algorithm : RSA_1024
Who : uid 204
Key fingerprint : f91b5a79:53bdd7f1:58987a33:f5701a38:99145b24
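After granting or revoking access as in Listings 15 to 17, the key list can be compared against the users and groups that are supposed to hold a key. The following is an added example, not part of the original article: the function names and the uid:N / gid:N allow-list format are hypothetical, and the sample input is copied from Listing 16.

```shell
#!/bin/sh
# Added example (not from the article): audit who can open an EFS file.
# Assumption: `efsmgr -l` prints one "Who : uid N" or "Who : gid N" line per
# key, as in Listings 15 to 17; leading whitespace is ignored.

# efs_key_holders: read `efsmgr -l <file>` output on stdin and print one
# token per key, in the form uid:N or gid:N.
efs_key_holders() {
    awk '
        /^[ \t]*Who[ \t]*:/ {
            sub(/^[ \t]*Who[ \t]*:[ \t]*/, "")
            if ($1 == "uid" || $1 == "gid") print $1 ":" $2
        }'
}

# efs_unexpected_holders TOKEN...: read the same output on stdin and print
# every key holder that is not in the allow-list given as arguments.
# Returns 1 when at least one unexpected holder is found, 0 otherwise.
efs_unexpected_holders() {
    allowed=" $* "
    rc=0
    for holder in $(efs_key_holders); do
        case "$allowed" in
            *" $holder "*) ;;
            *) echo "$holder"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Sample input copied from Listing 16 (uid 0, uid 204 and gid 201 hold keys).
sample_listing16() {
    cat <<'EOF'
EFS File information:
Algorithm: AES_128_CBC
List of keys that can open the file:
Key #1:
Algorithm : RSA_1024
Who : uid 0
Key fingerprint : 4b6c5f5f:63cb8c6f:752b37c3:6bc818e1:7b4961f9
Key #2:
Algorithm : RSA_1024
Who : uid 204
Key fingerprint : f91b5a79:53bdd7f1:58987a33:f5701a38:99145b24
Key #3:
Algorithm : RSA_1024
Who : gid 201
Key fingerprint : 8cb65011:2a42e9f0:91f7b712:20e36bb7:5eb0db0a
EOF
}

# Policy for this run: only uid 0 and uid 204 may hold a key.
if ! extra=$(sample_listing16 | efs_unexpected_holders uid:0 uid:204); then
    echo "unexpected key holders: $extra"
fi
```

On an AIX host, replace sample_listing16 with the output of efsmgr -l for the file under review.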

For a complete list of flags and options of EFS commands, see the Resources section.

Conclusion

EFS is a great feature presented with AIX 6.1, which helps you encrypt and safeguard your data. This article provided you with basic information on EFS that helps in enabling AIX 6.1 machines with EFS. You learned how to create encrypted files and directories and how to change ciphers and inheritance through commands. You also examined a use case scenario detailing the configuration and usage of EFS.


Resources

Learn

• Information for System p: Visit this site for additional information.

• Check out the following IBM® Redbooks®:

• The AIX 6 Advanced Security Features, Introduction and Configuration Guide—highlights and explains the security features enhancements on AIX 6.1.

• The AIX 5L Version 5.2 Security Supplement—you can use this document as an additional source for security information.

• Popular content: See what AIX and UNIX content your peers find interesting.

• AIX and UNIX: The AIX and UNIX developerWorks zone provides a wealth of information relating to all aspects of AIX systems administration and expanding your UNIX skills.

• New to AIX and UNIX?: Visit the "New to AIX and UNIX" page to learn more about AIX and UNIX.

• AIX Wiki: A collaborative environment for technical information related to AIX.

• Search the AIX and UNIX library by topic:

• System administration

• Application development

• Performance

• Porting

• Security

• Tips

• Tools and utilities

• Java™ technology

• Linux

• Open source

• Safari bookstore: Visit this e-reference library to find specific technical resources.

• developerWorks technical events and webcasts: Stay current with developerWorks technical events and webcasts.

• Podcasts: Tune in and catch up with IBM technical experts.

Get products and technologies

• IBM trial software: Build your next development project with software for download directly from developerWorks.

Discuss

• Participate in the developerWorks blogs and get involved in the developerWorks community.

• Participate in the AIX and UNIX forums:

• AIX —technical forum

• AIX 6 Open Beta

• AIX for Developers Forum

• Cluster Systems Management

• IBM Support Assistant

• Performance Tools—technical

• Virtualization—technical

• More AIX and UNIX forums

About the author

Anto A. John

Anto John is an AIX development support specialist for the IBM India Software Labs in Bangalore, India. He works on AIX security components (security library), load modules (LDAP and Kerberos), and new AIX 6.1 security features (EFS). For the past year and a half, he has worked on AIX security components as well as open source components like OpenSSH and OpenSSL. He graduated from BITS Pilani with a Master of Engineering degree in computer science. You can contact him at [email protected].

Trademarks

IBM, AIX, and Redbooks are registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

developerWorks® ibm.com/developerWorks

© Copyright IBM Corporation 1994, 2007. All rights reserved.