EFS status
EFS was introduced in AIX 6.1. It enables files, directories, and filesystems to be encrypted so that even root cannot access them without holding the key/credentials. It also means that if your system is booted in maintenance mode, or a disk is misplaced, the data remains safe. In order to use EFS you first install the CLIC (crypto) libraries:
# lslpp -l 'clic*'
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
clic.rte.kernext 4.7.0.1 COMMITTED CryptoLite for C Kernel
clic.rte.lib 4.7.0.1 COMMITTED CryptoLite for C Library
Once installed you can run the "efsenable" command. This creates the "/var/efs" directory and adds entries to the ODM and to the "/etc/security/user" and "/etc/security/group" files.
Risks and remediation
EFS is only secure so long as the keys are not compromised. WARNING! The default cipher is AES_128_CBC, which is considered breakable. If you are concerned you should use the "-f cipher" argument when running "efsenable". You should also check "/etc/security/user" and "/etc/security/group" to ensure that the default is set correctly:
lssec -f /etc/security/user -s default -a efs_keystore_algo -a efs_file_algo
lssec -f /etc/security/group -s default -a efs_keystore_algo
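An added audit helper (not part of the original post) that parses lssec-style output and flags a default stanza still using the stock AES_128_CBC file cipher. The sample lines are constructed, and the "stanza attr=value attr=value" output format of lssec is an assumption.

```shell
# Constructed samples of what
#   lssec -f /etc/security/user -s default -a efs_keystore_algo -a efs_file_algo
# is assumed to print: stock install vs. a hardened one.
SAMPLE_DEFAULT='default efs_keystore_algo=RSA_1024 efs_file_algo=AES_128_CBC'
SAMPLE_HARDENED='default efs_keystore_algo=RSA_2048 efs_file_algo=AES_256_CBC'

# efs_attr LINE ATTR: print the value of ATTR from one lssec-style line
# (empty output when the attribute is absent).
efs_attr() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# efs_uses_stock_cipher LINE: succeed (0) when efs_file_algo is the stock
# AES_128_CBC the post warns about, or is missing (AIX then applies the
# default); fail (1) when a different file cipher is configured.
efs_uses_stock_cipher() {
    algo=$(efs_attr "$1" efs_file_algo)
    case "$algo" in
        AES_128_CBC|'') return 0 ;;
        *)              return 1 ;;
    esac
}

# efs_verdict LINE: print a one-line audit result for the stanza.
efs_verdict() {
    file_algo=$(efs_attr "$1" efs_file_algo)
    ks_algo=$(efs_attr "$1" efs_keystore_algo)
    if efs_uses_stock_cipher "$1"; then
        echo "WEAK file_algo=${file_algo:-<unset>} keystore_algo=${ks_algo:-<unset>}"
    else
        echo "OK file_algo=$file_algo keystore_algo=${ks_algo:-<unset>}"
    fi
}

# On a live AIX host the samples would be replaced by the real command output:
#   efs_verdict "$(lssec -f /etc/security/user -s default -a efs_keystore_algo -a efs_file_algo)"
efs_verdict "$SAMPLE_DEFAULT"
efs_verdict "$SAMPLE_HARDENED"
```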