Wednesday, 12 March 2014

Encrypted filesystems

EFS status

EFS (Encrypted File System) was introduced in AIX 6.1. It allows files and directories on a JFS2 filesystem to be encrypted so that even root cannot read them without the owner's key. It also means that if the system is booted in maintenance mode, or a disk is misplaced, what is on the disk is ciphertext and the data remains safe.

In order to use EFS you first install the CLIC (crypto) libraries:

# lslpp -l 'clic*'
  Fileset                      Level  State      Description
Path: /usr/lib/objrepos
  clic.rte.kernext   COMMITTED  CryptoLite for C Kernel
  clic.rte.lib       COMMITTED  CryptoLite for C Library

Once installed you can run the "efsenable" command. This creates the "/var/efs" directory and adds the EFS entries to the ODM and to the "/etc/security/user" and "/etc/security/group" files.

Risks and remediation

EFS is only secure so long as the keys are not compromised. Note also that "even root cannot read it" only holds in root guard mode; in the default root admin mode root can reset a user's keystore password and so reach the keys, which is convenient for recovery but means a compromised root still gets to the data.

WARNING! The defaults are AES_128_CBC for file encryption and RSA_1024 for the keystore. AES-128 is not broken, but a 1024-bit RSA keystore key is below current recommendations, and you may have a policy requiring AES_256_CBC. If so, use the "-f cipher" argument when running "efsenable" rather than accepting the defaults. You should also check "/etc/security/user" and "/etc/security/group" to ensure the default stanza is set the way you expect:
# lssec -f /etc/security/user -s default -a efs_keystore_algo -a efs_file_algo
# lssec -f /etc/security/group -s default -a efs_keystore_algo
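As an added example (not part of the original post), here is a small POSIX sh audit that reads the "default" stanza line that lssec prints, in the form "default efs_keystore_algo=RSA_1024 efs_file_algo=AES_128_CBC", and flags an RSA keystore key shorter than 2048 bits, an AES file key shorter than 256 bits, or ECB mode. The 2048/256 thresholds and the sample lssec output are assumptions of the example; on a box without lssec it falls back to constructed sample output so it can be run anywhere.

```shell
#!/bin/sh
# Added example: audit the EFS default algorithms from lssec output.
# Expected input line shape (one line):
#   default efs_keystore_algo=RSA_1024 efs_file_algo=AES_128_CBC

# Policy thresholds (assumptions for this example, adjust to local policy).
MIN_RSA_BITS=2048
MIN_AES_BITS=256

# efs_audit_line "LINE": prints one finding per weak setting.
# Returns 0 when every attribute on the line meets policy, 1 otherwise.
efs_audit_line() {
    rc=0
    for kv in $1; do
        case "$kv" in
            efs_keystore_algo=RSA_*)
                bits=${kv#efs_keystore_algo=RSA_}
                if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
                    echo "WEAK keystore: $kv (policy: RSA_${MIN_RSA_BITS} or longer)"
                    rc=1
                fi
                ;;
            efs_file_algo=AES_*)
                rest=${kv#efs_file_algo=AES_}   # e.g. 128_CBC
                bits=${rest%%_*}                 # 128
                mode=${rest#*_}                  # CBC
                if [ "$bits" -lt "$MIN_AES_BITS" ]; then
                    echo "WEAK file cipher: $kv (policy: AES_${MIN_AES_BITS}_CBC or stronger)"
                    rc=1
                fi
                if [ "$mode" = "ECB" ]; then
                    echo "WEAK file cipher mode: $kv (ECB leaks block patterns)"
                    rc=1
                fi
                ;;
        esac
    done
    return $rc
}

# efs_audit_system: run lssec on AIX, otherwise use constructed sample output.
efs_audit_system() {
    if command -v lssec >/dev/null 2>&1; then
        line=$(lssec -f /etc/security/user -s default -a efs_keystore_algo -a efs_file_algo)
    else
        # Constructed sample: what a freshly efsenable'd system with defaults reports.
        line="default efs_keystore_algo=RSA_1024 efs_file_algo=AES_128_CBC"
    fi
    efs_audit_line "$line"
}

if [ "${1:-}" = "--run" ]; then
    efs_audit_system && echo "EFS defaults meet policy"
fi
```

Run it as "sh efs_audit.sh --run" on the AIX host. If it reports weak settings, fix the default stanza with chsec (for example "chsec -f /etc/security/user -s default -a efs_file_algo=AES_256_CBC"); note that this only affects keystores and files created afterwards, since each EFS file is encrypted under its own key.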

