Manages file encryption and decryption for the Encrypted File System (EFS).
efsmgr -?
efsmgr [ -c <cipher> ] -e <file> [-v]
efsmgr -d <file> [-v]
efsmgr -l <file> [-v]
efsmgr -a <file> [ -u <user> ] [ -g <group> ] [-v]
efsmgr -r <file> [ -u <user> ] [ -g <group> ] [-v]
efsmgr [ -c <cipher> ] -t <file> [-v]
efsmgr -q
efsmgr -C <cipher> [-v]
efsmgr [ -c <cipher> ] [ -s ] -E <dir> [-v]
efsmgr [ -s ] -D <dir> [-v]
efsmgr -L <dir> [-v]
efsmgr [ -c <cipher> ] [ -s ] -T <dir> [-v]
The efsmgr command manages file encryption within EFS. Encrypted files can be created only on EFS-enabled JFS2 file systems; for information about enabling EFS on your system, see the mkfs, chfs, crfs, and efsenable commands. The basic operation, efsmgr -e <file>, encrypts an existing file with the inherited or default cipher.
When inheritance is set on a directory, all new files created in that directory are encrypted by default with the inherited cipher. New subdirectories inherit the same cipher. If inheritance is disabled on a subdirectory, new files created in that subdirectory are not encrypted.
When inheritance is set on a file system, all new files created in that file system are encrypted with the inherited cipher. If inheritance is set on both a directory and its file system with different ciphers, new files created in the directory are encrypted with the cipher inherited from the directory.
Setting or removing inheritance on a directory or a file system has no effect on existing files: those must be encrypted or decrypted explicitly with efsmgr -e or efsmgr -d.
The file owner's private key must be loaded into the process before an encrypted file can be created. Access to an encrypted file can be granted to any user or group that has a keystore, the key repository that holds EFS security information. For information about managing user and group keystores, see the efskeymgr command.
When an encrypted file is opened, the Discretionary Access Control (DAC) permissions and the Access Control List (ACL) are checked first. If access is granted, the keys loaded into the kernel for the process are searched for a private key that matches one of the file's protection keys. If a matching key is found, the file content can be read; otherwise access is denied. Passing the DAC and ACL checks is therefore necessary but not sufficient: without a matching key loaded, the content stays inaccessible.
Flag | Description |
---|---|
-c <cipher> | Uses this cipher instead of the inherited or the default cipher. See the -q flag for the valid cipher values. |
-g <group> | Group to add to or remove from the file's EFS access list (with -a or -r). The group value can be either the gid or the group name. |
-s | Applies the operation to a file system rather than a directory. The dir parameter must then be the mount point of a file system with EFS support. |
-u <user> | User to add to or remove from the file's EFS access list (with -a or -r). The user value can be either the uid or the login name. |
-v | Verbose mode. |
-? | Displays the command help and exits. |
-a <file> | Grants access to the specified file to the users and groups specified with the -u and -g flags. |
-C <cipher> | Changes the default cipher for your user to the cipher value. |
-D <dir> | Removes the inheritance on the directory. To apply the command to the whole file system, you must add the -s flag. |
-d <file> | Decrypts the specified file. |
-E <dir> | Sets the inheritance on the dir directory. To apply the command to the whole file system, you must add the -s flag. |
-e <file> | Encrypts the specified file. |
-L <dir> | Displays the inherited cipher on the specified directory. |
-l <file> | Lists the encryption information of the specified file: the cipher, and the keys that can decrypt the file. |
-q | Displays a list of supported ciphers. |
-r <file> | Revokes access to the specified file from the users and groups specified with the -u and -g flags. |
-T <dir> | Changes the inherited cipher on the specified directory. To apply the command to the whole file system, you must add the -s flag. |
-t <file> | Refreshes the encryption keys of the specified file. Combined with -c, this also changes the file's cipher. |
Exit status | Description |
---|---|
0 | The command executed successfully. |
1 | An error occurred during the execution of the command. |
2 | A syntax error occurred on the command line. |
efsmgr -e database.txt -c AES_256_CBC
    Encrypts database.txt with the AES_256_CBC cipher instead of the inherited or default cipher.
efsmgr -l database.txt
    Lists the cipher used for database.txt and the keys that can decrypt it.
efsmgr -a database.txt -u joe -g maintainers
    Grants user joe and group maintainers access to database.txt.
efsmgr -c AES_128_CBC -s -E /home
    Sets inheritance on the whole /home file system (its mount point), so that new files are encrypted with AES_128_CBC.
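The following script is an added example, not part of the IBM efsmgr reference. It walks through the inheritance behaviour described above: it creates a file before inheritance is enabled, turns inheritance on (adding -s automatically when the target is a mount point, since -s is only valid there), shows that a file created afterwards is encrypted while the earlier one has to be encrypted explicitly, and then grants and revokes access. The efsmgr calls run only on an AIX host with an EFS-enabled JFS2 file system and the caller's private key loaded (see efskeymgr); the helper functions are portable POSIX shell. The function names, the target directory, user joe and group maintainers are placeholders for this example.

```shell
#!/bin/sh
# Added example for the efsmgr reference; not IBM's code.
# Requires AIX with EFS enabled and the caller's private key loaded
# (efskeymgr) for the efsmgr calls; the helpers below work anywhere.

# Print "yes" when $1 is itself a mount point, otherwise "no".
# efsmgr -s accepts only a mount point, so this decides between
# file-system inheritance (-s -E) and directory inheritance (-E).
efs_is_mountpoint() {
    target=$(cd "$1" 2>/dev/null && pwd -P) || { echo no; return 0; }
    [ "$target" = / ] && { echo yes; return 0; }   # root is always mounted
    mnt=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $NF }')
    if [ -n "$mnt" ] && [ "$mnt" = "$target" ]; then
        echo yes
    else
        echo no
    fi
}

# Print the scope flag to combine with -E/-D/-T for $1:
# "-s" for a mount point, nothing for an ordinary directory.
efs_scope_flag() {
    if [ "$(efs_is_mountpoint "$1")" = yes ]; then
        echo "-s"
    fi
}

# Full procedure on AIX for directory $1 with cipher $2 (placeholder names).
efs_inherit_and_share() {
    dir=$1
    cipher=$2
    scope=$(efs_scope_flag "$dir")

    # A file that exists before inheritance is enabled is NOT affected by it.
    : > "$dir/legacy.txt"

    # Turn on inheritance; $scope is intentionally unquoted (it may be empty).
    efsmgr -c "$cipher" $scope -E "$dir" -v
    efsmgr -L "$dir"                         # show the inherited cipher

    # Files created from now on are encrypted with the inherited cipher.
    : > "$dir/secret.txt"
    efsmgr -l "$dir/secret.txt"              # cipher and keys that can decrypt

    # The pre-existing file must be encrypted explicitly.
    efsmgr -e "$dir/legacy.txt"
    efsmgr -l "$dir/legacy.txt"

    # Share with a user and a group (both need a keystore), then revoke the group.
    efsmgr -a "$dir/secret.txt" -u joe -g maintainers
    efsmgr -r "$dir/secret.txt" -g maintainers
    efsmgr -l "$dir/secret.txt"
}

# Run only when given a directory on a host that actually has efsmgr.
if [ -n "${1:-}" ] && command -v efsmgr >/dev/null 2>&1; then
    efs_inherit_and_share "$1" AES_256_CBC
fi
```

Run it as `sh efs_inherit.sh /home` on an AIX host to get file-system inheritance on /home (the mount point), or with a subdirectory such as `/home/project` to get directory inheritance only. The mount-point check matters because `efsmgr -E /home` without -s sets inheritance on the directory entry alone, which is not the same as setting it on the file system.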
File | Description |
---|---|
/etc/security/user | Contains the default cipher attributes for the user. |