This post briefly describes how to set up an Encrypted Filesystem (EFS) on AIX 6.1.
EFS offers two modes of operation:
Root Admin mode
This is the default mode. Root can reset user and group keystore passwords.
Root Guard mode
Root does not have access to users' encrypted files and cannot change their passwords.
Note: NFS exports of EFS filesystems are not supported.
1. Prerequisites:
RBAC has to be enabled. It should be by default on AIX 6.1; if not, use chdev to enable it.
# lsattr -El sys0 | grep RBAC
enhanced_RBAC   true   Enhanced RBAC Mode   True
CryptoLite needs to be installed:
# lslpp -l | grep clic
  clic.rte.kernext   4.7.0.1   COMMITTED   CryptoLite for C Kernel
  clic.rte.lib       4.7.0.1   COMMITTED   CryptoLite for C Library
  clic.rte.kernext   4.7.0.1   COMMITTED   CryptoLite for C Kernel
2. EFS Commands:
efsenable – Enables EFS on a given system. This is run only once.
efskeymgr – Encryption key management tool
efsmgr – File encryption and decryption
3. Setup:
To enable EFS on the system use:
# efsenable -a
Enter password to protect your initial keystore:
Enter the same password again:
If your EFS password is identical to your login password, the EFS kernel extension will be loaded automatically into the kernel at login. Thus
you will be able to access the encrypted files without having to provide a password.
Otherwise `efskeymgr -o ksh` has to be executed in order to load the keys into a new shell.
In order to have the ability to encrypt files, the filesystem that will hold these files needs to be EFS enabled (efs=yes) and Extended Attribute format V2 has to be activated.
This can be verified using lsfs -q:
# lsfs -q /archive
Name            Nodename   Mount Pt   VFS    Size     Options   Auto   Accounting
/dev/fslv12     --         /archive   jfs2   262144   rw        yes    no
  (lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v1, Quota: no, DMAPI: no, VIX: yes, EFS: no, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no)
# chfs -a efs=yes /archive
# lsfs -q /archive
Name            Nodename   Mount Pt   VFS    Size     Options   Auto   Accounting
/dev/fslv12     --         /archive   jfs2   262144   rw        yes    no
  (lv size: 262144, fs size: 262144, block size: 4096, sparse files: yes, inline log: no, inline log size: 0, EAformat: v2, Quota: no, DMAPI: no, VIX: yes, EFS: yes, ISNAPSHOT: no, MAXEXT: 0, MountGuard: no)
Note that chfs -a efs=yes also switched the EA format from v1 to v2.
Now we will have a look at the keys associated with the current shell.
# efskeymgr -V
List of keys loaded in the current process:
 Key #0:
   Kind ..................... User key
   Id   (uid / gid) ......... 0
   Type ..................... Private key
   Algorithm ................ RSA_1024
   Validity ................. Key is valid
   Fingerprint .............. 00f06152:be7cae83:a02379a0:82e30ab8:f6295ea1
 Key #1:
   Kind ..................... Group key
   Id   (uid / gid) ......... 7
   Type ..................... Private key
   Algorithm ................ RSA_1024
   Validity ................. Key is valid
   Fingerprint .............. 4a09752d:e19078be:354e4268:268c7d56:18928ecb
 Key #2:
   Kind ..................... Admin key
   Id   (uid / gid) ......... 0
   Type ..................... Private key
   Algorithm ................ RSA_1024
   Validity ................. Key is valid
   Fingerprint .............. 6f6e40e3:89c418ac:2e555ac4:60fdb6b5:630201f9
4. Encrypt file
Now we will create a file, try to encrypt it, have a problem with umask and finally encrypt the file.
# echo "I like black tee with milk." > secret.txt
# ls -U
total 8
-rw-r------    1 root     system           30 Jul 17 10:08 secret.txt
drwxr-xr-x-    2 root     system          256 Jan 27 19:01 tmp
# efsmgr -e secret.txt
./.efs.LZacya: Security authentication is denied.
# umask 077
# efsmgr -e secret.txt
# ls -U
total 16
drwxr-xr-x-    2 root     system          256 Jul 17 10:01 lost+found
-rw-r-----e    1 root     system           30 Jul 17 11:17 secret.txt
The trailing "e" in the 11th position of the mode field (ls -U) indicates that this file is encrypted.
Display file encryption information:
# efsmgr -l secret.txt
EFS File information:
 Algorithm: AES_128_CBC
List of keys that can open the file:
 Key #1:
  Algorithm       : RSA_1024
  Who             : uid 0
  Key fingerprint : 00f06152:be7cae83:a02379a0:82e30ab8:f6295ea1
Now I set the file permissions to 644 and try to read the file as another user.
# chmod 644 secret.txt
# ls -la
-rw-r--r--    1 root     system          145 Jul 17 11:23 secret.txt
user1 # file secret.txt
secret.txt: 0653-902 Cannot open the specified file for reading.
user1 # cat secret.txt
cat: 0652-050 Cannot open secret.txt.
As root we will list the inode number of the file, get its block pointer and read that block directly from the filesystem using fsdb, to see whether the file is stored encrypted on disk.
# ls -iU
total 32
    3 drwxr-xr-x-    2 root     system          256 Jul 17 10:01 lost+found
    5 -rw-r--r--e    1 root     system          145 Jul 17 11:23 secret.txt
# istat 5 /dev/fslv12
Inode 5 on device 10/27    File
Protection: rw-r--r--
Owner: 0(root)    Group: 0(system)
Link count: 1    Length 145 bytes
Last updated:  Tue Jul 17 13:23:52 GMT+02:00 2012
Last modified: Tue Jul 17 13:23:52 GMT+02:00 2012
Last accessed: Tue Jul 17 13:23:52 GMT+02:00 2012
Block pointers (hexadecimal):
29
# fsdb /dev/fslv12
Filesystem /dev/fslv12 is mounted. Modification is not permitted.
File System: /dev/fslv12
File System Size: 261728 (512 byte blocks)
Aggregate Block Size: 4096
Allocation Group Size: 8192 (aggregate blocks)
> display 0x29
Block: 41 Real Address 0x29000
00000000: 119CB74E 637C6FE0 C0BF2DCD 36B775BB |...Nc|o...-.6.u.|
00000010: 569B5A6C 43476ED3 F4BFE938 7C662A3B |V.ZlCGn....8|f*;|
00000020: B5D89C51 FA2BE7B6 CEAF2D3E 555EAA06 |...Q.+....->U^..|
00000030: 4FF23413 B11D1170 982690B3 5F1BCA9A |O.4....p.&.._...|
00000040: 4AD3CEA5 A3CBFAD9 C730EE00 9BD1F409 |J........0......|
00000050: 71203B85 A51320C6 04A97DA4 43002DA7 |q ;... ...}.C.-.|
00000060: 994CC67B A1AC31DF 2C8201AD 3E5B50F7 |.L.{..1.,...>[P.|
00000070: 6BA7B01D EC5CB918 17E13F46 2935FA98 |k....\....?F)5..|
00000080: 718DF155 D6E69A41 EF592B60 EA5F7B24 |q..U...A.Y+`._{$|
00000090: 32521FE2 7AD8EC61 1A94413D A8338A26 |2R..z..a..A=.3.&|
000000a0: 62E4A319 D6251A66 F19D4739 2FC7E83A |b....%.f..G9/..:|
000000b0: DE0F878A 1F95AB89 5C7F3520 C65B7896 |........\.5 .[x.|
000000c0: 915A7655 EC269DFF 68E2B08A 871114A9 |.ZvU.&..h.......|
000000d0: E30B195F 280F7DCD 4F8BE094 4B5603D8 |..._(.}.O...KV..|
000000e0: 962303B0 D957A2A5 24A2A3A5 6260EA5E |.#...W..$...b`.^|
000000f0: A4C62B7D FB9B1841 893D253F 72E61065 |..+}...A.=%?r..e|
-hit enter for more-
00000100: 01A150FD AD54677D A856E9B1 320257E1 |..P..Tg}.V..2.W.|
00000110: 5F023AA3 0191E0D6 4B64583B D9F2A4C7 |_.:.....KdX;....|
00000120: F988937A E0117EB2 26E61976 E4860D7D |...z..~.&..v...}|
00000130: 0C724A4E 50616226 BDE06FEB 10A19564 |.rJNPab&..o....d|
00000140: 17C90BB7 774338B3 8525ED90 5EADFD8B |....wC8..%..^...|
00000150: 636FC1AF D46C2E64 6AC37082 3B0168BE |co...l.dj.p.;.h.|
00000160: 24C0CD2E D8587254 F6DBC1BA 93BE6AD6 |$....XrT......j.|
00000170: E89EEFF9 08000B07 E3827C10 AE0FD7DB |..........|.....|
00000180: 162D0E6D EF94D85A 3F09CD85 A19A31FF |.-.m...Z?.....1.|
00000190: 49E13BFC 5328F670 E0B50878 942CC4BB |I.;.S(.p...x.,..|
000001a0: BF1D6C4F 9DA72F3D 8DC90691 328A7053 |..lO../=....2.pS|
000001b0: 99C31EEB 1CD2208A CBF609C1 4DB86819 |...... .....M.h.|
000001c0: E2746288 5E152ECA 0E2BD9DF D1D1D210 |.tb.^....+......|
000001d0: 7ADDF0EC 522E93E2 CAA0A36F B3CBFB05 |z...R......o....|
000001e0: 4EA56F3C ECBA1A0C AA132269 2024E065 |N.o<......"i $.e|
000001f0: 00BC51B0 88BBCD8A 9C644F66 6A16DBC8 |..Q......dOfj...|
Above we see that the file on the disk is encrypted.
5. Decrypting a file
# efsmgr -d secret.txt
# ls -U
total 24
drwxr-xr-x-    2 root     system          256 Jul 17 10:01 lost+found
-rw-r--r---    1 root     system          145 Jul 17 12:07 secret.txt
6. Encryption Inheritance
If you enable Encryption Inheritance on a directory all newly created files in that directory will be automatically encrypted.
To enable Encryption inheritance use:
# efsmgr -E /archive
# ls -U / | grep archive
drwxr-xr-xe    3 root     system          256 Jul 17 12:09 archive
# touch next.txt
# ls -U
total 32
drwxr-xr-x-    2 root     system          256 Jul 17 10:01 lost+found
-rw-------e    1 root     system            0 Jul 17 12:09 next.txt
-rw-r--r---    1 root     system          145 Jul 17 12:07 secret.txt
7. Grant access to another user
Say we are user1 and want to have a look at who has EFS access to the file.
user1 $ efsmgr -l secret.txt
EFS File information:
 Algorithm: AES_128_CBC
List of keys that can open the file:
 Key #1:
  Algorithm       : RSA_1024
  Who             : uid 0
  Key fingerprint : 00f06152:be7cae83:a02379a0:82e30ab8:f6295ea1
To grant access to a user use efsmgr -a, which adds a user or group (-u / -g) to the EFS access list of the specified file:
# efsmgr -a secret.txt -u user1
user1 $ cat secret.txt
I like black tee with milk.
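As an added example (not part of the original post), a small POSIX shell audit that parses the `efsmgr -l` and `ls -U` output formats shown in sections 4, 6 and 7: it lists which principals hold a key for a file, flags any that are not on an allow-list, and lists files in an inheritance-enabled directory that are still stored in the clear. The sample outputs are constructed; `uid 205` is an assumed second user, and on a real system you would feed it live `efsmgr -l secret.txt` and `ls -U` output.

```shell
# Constructed sample of `efsmgr -l` output (same layout as on this page);
# uid 205 is an assumed extra key holder added for the demonstration.
EFSMGR_L_SAMPLE='EFS File information:
 Algorithm: AES_128_CBC
List of keys that can open the file:
 Key #1:
  Algorithm       : RSA_1024
  Who             : uid 0
  Key fingerprint : 00f06152:be7cae83:a02379a0:82e30ab8:f6295ea1
 Key #2:
  Algorithm       : RSA_1024
  Who             : uid 205
  Key fingerprint : 11111111:22222222:33333333:44444444:55555555'

# Constructed sample of `ls -U` output for a directory with encryption inheritance.
LS_U_SAMPLE='total 32
drwxr-xr-x-    2 root     system          256 Jul 17 10:01 lost+found
-rw-------e    1 root     system            0 Jul 17 12:09 next.txt
-rw-r--r---    1 root     system          145 Jul 17 12:07 secret.txt'

# Print the principals ("uid N" / "gid N") that can open the file, one per line.
# $1 = text of `efsmgr -l <file>`.
efs_key_holders() {
  printf '%s\n' "$1" | awk '$1 == "Who" { print $3, $4 }'
}

# Print key holders that are not on the allow-list.
# $1 = text of `efsmgr -l <file>`, $2 = allow-list such as "uid 0 gid 7".
efs_unexpected_holders() {
  efs_key_holders "$1" | while read -r kind id; do
    case " $2 " in
      *" $kind $id "*) ;;                      # expected holder
      *) printf '%s %s\n' "$kind" "$id" ;;    # not on the allow-list
    esac
  done
}

# Print regular files whose 11th mode character is not "e", i.e. stored in clear.
# $1 = text of `ls -U` for the directory.
efs_unencrypted_files() {
  printf '%s\n' "$1" | awk '$1 ~ /^-/ && substr($1, 11, 1) != "e" { print $NF }'
}

# Usage with the constructed samples (on AIX: "$(efsmgr -l secret.txt)", "$(ls -U)").
efs_unexpected_holders "$EFSMGR_L_SAMPLE" "uid 0"   # reports: uid 205
efs_unencrypted_files "$LS_U_SAMPLE"                # reports: secret.txt
```

Files that show up as unencrypted were created before inheritance was enabled (or copied in with their plaintext content), so they need an explicit efsmgr -e.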
EFS documentation can be found in the following Redbooks:
AIX 6.1 Differences Guide, SG24-7559-00, page 40
AIX V6 Advanced Security Features, SG24-7430-00, page 59