efsenable Command

Purpose

Activates Encrypted File System (EFS) capability on a system.

Syntax

efsenable -a [ -v ] [ -k <algo> ] [ -f <cipher> ] [ -m <mode> ] [ -u <yes|no> ] [ -e <algo> ] [-d Basedn]

efsenable -q

Description

The efsenable command activates the EFS capability on a system. It creates the EFS administration keystore, the user keystore and the security group keystore. Keystore is a key repository that contains EFS security information. The access key to the EFS administration keystore is stored in the newly created active user’s keystore and in the security group keystore. The efsenable command creates the /var/efs directory. The /etc/security/user and /etc/security/group files are updated with new EFS attributes. The efsenable command also updates the Config_Rules ODM database.

Note: The Crypto Library (CLiC) package clic.rte must be installed on the system for this command to succeed. This EFS command also requires that Role Based Access Control (RBAC) is enabled on the system, which is the default setting.
Note: The Crypto Library (CLiC) fileset clic.rte.lib needs to be minimally at 4.6 for AIX® releases of efsenable 6.1 TL3 and later.

Flags

Item Description
-a Activates the EFS capability on a system.
-d Basedn Sets up the base distinguished names (DN) ou=UsrKeystore, ou=GrpKeystore, ou=EfsCookies and ou=AdmKeystore on the LDAP server to facilitate for the keystore entries to be created along with the local directory structure for the keystore. The Basedn passed as argument along with this flag will be used as the Basedn for the keystore base distinguished names.
-v Verbose mode.
-k algo Default algorithm for keys. The algo flag can be one of the following values:
  • RSA_1024 (by default)
  • RSA_2048
  • RSA_4096
-f cipher Default cipher for files. The cipher flag can be one of the following values:
  • AES_128_CBC (by default)
  • AES_192_CBC
  • AES_256_CBC
  • AES_128_ECB
  • AES_192_ECB
  • AES_256_ECB
-m mode Default mode for keystores. The mode flag can be one of the following values:
  • admin (by default)
  • guard
-u [yes|no] Specifies if the user can change the mode. Default value is "yes".
-e algo Algorithm for the EFS administration key. The possible algo values are the same as those of the -k flag.
-q Displays the list of available algorithms.

Exit status

Item Description
0 The command executed successfully.
1 An error occurred during the execution of the command.
2 A syntax error occurred on the command line.

Security

Item Description
Access Control: Only the root user or a user with the aix.security.efs authorization and being a member of the security group can run this command.

Examples

  1. To display the available algorithms, enter: 
    efsenable -q
  2. To activate an EFS with default parameters, enter: 
    efsenable –a
  3. To activate an EFS with a non-default algorithm for keys, and cipher for files, enter: 
    efsenable –a –k RSA_4096 –f AES_256_CBC –e RSA_4096
  4. To activate an EFS with base DN created on LDAP server along with the local directory structure, type the following command: 
    efsenable –a –d cn=aixdata

Files

Item Description
/etc/security/user Contains the updates of EFS attributes.
/etc/security/group Contains the updates of EFS attributes.
/var/efs/users/ Contains the directory for user keystores.
/var/efs/groups/ Contains the directory for group keystores.
/var/efs/efs_admin/ Contains the directory for EFS administration keystore.
/var/efs/efsenabled Instructs that the EFS is enabled on the system.