Let me know if you have an AIX Security question. I’ll do my best to answer it in a timely manner. Some questions might require a consulting engagement to be arranged; if so, I can talk to your customer representative to see if IBM funding could pay for the engagement at no cost to your organization.


13 Responses to Questions?

  1. jonbfl says:

    Steve, we talked at the Techu in Orlando. My desire is to encrypt all the files in filesystems, say /xx/yy with efs, whereupon any user upon login would read them assuming they had the proper group permissions for those files.

    There shouldn’t be any other authentication than login. In our system a user must choose a permitted group to work on at login. They are then given privileges to access files belonging to that group. They should never need to know anything about encryption.

    Can you tell me the necessary procedure for this?


    Jon Brunson

    • sdoming868 says:

      Hi Jon,
      I’ll take a look at this this week. I should be able to get back to you on this by Thursday sometime.

    • sdoming868 says:

      1. So the first thing to make sure is that you have a group keystore in order to access encrypted files by group:
      # pwd ; ls -al
      total 8
      drwx------ 2 root system 256 Dec 12 17:11 .
      drwx------ 6 root system 256 Dec 12 17:12 ..
      -rw------- 1 root system 0 Dec 11 21:46 .lock
      -rw------- 1 root system 1914 Dec 12 17:11 keystore <----- NEED THIS
      You can create a group keystore with: efskeymgr -C name_of_group

      2. After that you need to make sure that you grant the user access to the group keystore.
      So let’s say the user is foo and you want to grant access to the test group keystore. You need to do the following:
      # efskeymgr -k group/test -s user/foo

      Those are the 2 key elements.
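As an added example (my own script, not code from this blog or from IBM), here is a small sh wrapper around the two efskeymgr steps in the reply above, with name validation before anything reaches a root-run command. It assumes group keystores live at /var/efs/groups/<group>/keystore (override with EFS_ROOT); the efskeymgr flags are exactly the ones quoted in the reply.

```shell
#!/bin/sh
# Added example (not the blog's or IBM's code): wrap the two efskeymgr steps
# from the reply above. Assumptions: group keystores sit under
# $EFS_ROOT/groups/<group>/keystore (default /var/efs), and efskeymgr accepts
# -C <group> and -k group/<g> -s user/<u> exactly as quoted in the thread.

EFS_ROOT="${EFS_ROOT:-/var/efs}"

# Accept only plain AIX user/group names; anything else must not reach a
# root-run command (no spaces, shell metacharacters or leading dashes).
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Step 1 check: does the group keystore exist yet?
group_keystore_exists() {
    [ -f "$EFS_ROOT/groups/$1/keystore" ]
}

# Create the group keystore if it is missing (step 1), then give the user's
# keystore access to it (step 2). Returns 0 on success.
efs_grant_group_access() {
    group="$1"
    user="$2"
    valid_name "$group" || { echo "rejected group name: '$group'" >&2; return 2; }
    valid_name "$user"  || { echo "rejected user name: '$user'" >&2; return 2; }
    if ! group_keystore_exists "$group"; then
        efskeymgr -C "$group" || { echo "efskeymgr -C $group failed" >&2; return 1; }
    fi
    efskeymgr -k "group/$group" -s "user/$user" \
        || { echo "grant to user/$user failed" >&2; return 1; }
    echo "user/$user can now open group/$group keystore"
}

# Apply a "user group" list (one pair per line, '#' comments allowed) so the
# per-user grants can be kept in a file under version control.
efs_grant_from_list() {
    rc=0
    while IFS= read -r line; do
        set -- $line
        case "${1:-}" in ''|'#'*) continue ;; esac
        efs_grant_group_access "${2:-}" "$1" || rc=1
    done
    return $rc
}

# Usage when run directly:  sh efs_grant.sh <group> <user>
if [ $# -eq 2 ]; then
    efs_grant_group_access "$1" "$2"
fi
```

Keeping the user/group pairs in a file and replaying them with efs_grant_from_list leaves a reviewable record of who may open which group keystore. The grant still has to run as root, and the user's own keystore must already exist (EFS creates it when the user first logs in after EFS is enabled).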

  2. jonbfl says:

    Thanks, Steve. The keystores for groups and users all appear to be there.

    So if I associate each user with the appropriate group using efskeymgr, the proper keystore(s) will be opened upon login and files decrypted when they read them?

    That seems simple enough.


    • jonbfl says:

      Ok, Steve. I think I’ve got that part.

      Now I need to know how to encrypt all the files in a directory recursively. Is that possible?

      Thanks, Jon

      • sdoming868 says:

        There is an EFS thing called inheritance. You need to set up inheritance on your EFS filesystem. When inheritance is set up, any new file in that directory or any new files created in a directory will automatically be encrypted. Check out the AIX 6.1 Security Intro and Config for additional details. If you have files that are already created and are not encrypted you will probably need to either individually encrypt them or recreate them in an existing filesystem that has that EFS inheritance feature enabled.

  3. jonbfl says:

    Thanks Steve, that’s what it looked like. I was just hoping that the old files could be encrypted “en masse”.


    • sdoming868 says:

      How about writing a script that moves your old files into an EFS-inheritance-enabled filesystem? That might be a way to quickly encrypt all your files without having to manually encrypt them? Or you might be able to encrypt them where they are with a script, but you will have to convert the existing JFS2 filesystem to a JFS2-EFS enabled filesystem first.

      • jonbfl says:

        Yes, the former is what I will do. I believe that would be the quickest way. No magic wand unfortunately. Thanks for your help. It will be cranking for a while on 20 – 30 TB.
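The "move the old files into an inheritance-enabled filesystem" approach from this exchange, written out as an added example (my own script, not the blog's or IBM's): it enables inheritance on the destination, copies the tree, and then verifies every file before reporting, so nothing is deleted until encryption is confirmed. It assumes `efsmgr -E <dir>` turns inheritance on, that `efsmgr -l <file>` exits 0 only for an encrypted file, and that the destination filesystem was already created or converted with efs=yes.

```shell
#!/bin/sh
# Added example (not the blog's or IBM's code): the "move the old files into an
# EFS-inheritance-enabled filesystem" approach from the thread, done as copy,
# verify, then report, so nothing is deleted before encryption is confirmed.
# Assumptions about the AIX tools: `efsmgr -E <dir>` turns inheritance on for a
# directory (subdirectories created below it inherit too), `efsmgr -l <file>`
# exits 0 only for an encrypted file, and the destination filesystem was
# already created/converted with efs=yes.

# 0 if EFS reports the file as encrypted, nonzero otherwise (assumption above).
efs_is_encrypted() {
    efsmgr -l "$1" >/dev/null 2>&1
}

# Enable inheritance at the top of the destination; new files and
# subdirectories created below it are then encrypted on creation.
efs_enable_inheritance() {
    efsmgr -E "$1"
}

# Print every regular file under a directory that EFS does not report as
# encrypted. (Filenames containing newlines are not handled.)
efs_list_unencrypted() {
    find "$1" -type f -print | while IFS= read -r f; do
        efs_is_encrypted "$f" || printf '%s\n' "$f"
    done
}

# Same check as a number, for scripts and for assertions.
efs_count_unencrypted() {
    efs_list_unencrypted "$1" | awk 'END { print NR }'
}

# Copy src into dst (preserving mode, owner and timestamps), then verify that
# every file landed encrypted. Originals are left in place either way; remove
# them yourself only after the verification passes.
efs_migrate_tree() {
    src="$1"
    dst="$2"
    [ -d "$src" ] || { echo "source directory $src not found" >&2; return 2; }
    mkdir -p "$dst" || return 1
    efs_enable_inheritance "$dst" || { echo "could not enable inheritance on $dst" >&2; return 1; }
    cp -pR "$src/." "$dst/" || { echo "copy from $src to $dst failed" >&2; return 1; }
    n=$(efs_count_unencrypted "$dst")
    if [ "$n" -ne 0 ]; then
        echo "$n file(s) under $dst are not encrypted; originals kept, investigate:" >&2
        efs_list_unencrypted "$dst" >&2
        return 1
    fi
    echo "migrated $src -> $dst; every file verified encrypted"
}

# Usage when run directly:  sh efs_migrate.sh /old/data /efs/data
if [ $# -eq 2 ]; then
    efs_migrate_tree "$1" "$2"
fi
```

Run it from a shell whose keystore is already open (a normal login, or `efskeymgr -o ksh`), since EFS cannot create an encrypted file for a process with no key loaded. The old filesystem still holds the plaintext blocks after the originals are removed, so treat it accordingly when it is reused or retired; on 20 to 30 TB, efs_count_unencrypted on the source is also a cheap way to confirm nothing was skipped.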

  4. Jeff Prince says:

    Hi Steve,

    In the user stanza of our /etc/security/audit/config file, every user in /etc/passwd is listed and has a class in common (smt).
    root = smt,widgit
    bin = smt
    sys = smt
    jeff = smt
    steve = smt
    alice = smt

    The user list is different for every LPAR. Naturally it’s difficult to maintain. Is there an easy button for this? I’m hoping it’s something where everyone can get the “smt” class and we can explicitly list any additional classes.
    ALL = smt
    root = widgit

    Bonus points if we can add in multiple default classes, should a new class become necessary.
    ALL = smt,newclass
    root = widgit

    • sdoming868 says:


      Try using the “default” keyword.
      So by default, if a user isn’t specified explicitly, the system should audit the “default” set of classes.
      For example:
      default = smt
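As an added example (mine, not the blog's or IBM's), here is a sh/awk helper that turns a hand-maintained users stanza into the default form suggested in the reply, plus a small check of which classes a given user ends up with. It assumes, as the reply says, that `default` covers only users without an explicit line, so an explicit `root = widgit` would drop root out of `smt`; the script therefore keeps the full class list on any user it still lists.

```shell
#!/bin/sh
# Added example (not the blog's or IBM's code): rewrite the users stanza of
# /etc/security/audit/config so the classes every user shares move to a
# single "default" line. Assumption, per the reply above: "default" applies
# only to users with no explicit entry, and an explicit entry replaces the
# default rather than adding to it, so listed users keep their full class list.

# Read a users stanza on stdin, write the collapsed stanza on stdout.
# Header, blank and comment lines pass through; an existing default line is
# recomputed rather than copied.
audit_users_with_default() {
    awk '
    /^[ \t]*[A-Za-z0-9._-]+[ \t]*=/ {
        line = $0; sub(/^[ \t]*/, "", line)
        split(line, kv, /[ \t]*=[ \t]*/)
        if (kv[1] == "default") next
        n++; name[n] = kv[1]; classes[n] = kv[2]
        m = split(kv[2], p, /,/)
        for (i = 1; i <= m; i++) { gsub(/[ \t]/, "", p[i]); has[kv[1], p[i]] = 1 }
        next
    }
    { print }
    END {
        if (n == 0) exit
        # Intersection of all users class sets, in the first users order.
        common = ""
        m = split(classes[1], p, /,/)
        for (i = 1; i <= m; i++) {
            c = p[i]; gsub(/[ \t]/, "", c); ok = 1
            for (j = 2; j <= n; j++) if (!((name[j], c) in has)) ok = 0
            if (ok) { iscommon[c] = 1; common = (common == "" ? c : common "," c) }
        }
        if (common != "") printf("\tdefault = %s\n", common)
        # Keep only users that have a class outside the common set.
        for (j = 1; j <= n; j++) {
            m = split(classes[j], p, /,/); extra = 0
            for (i = 1; i <= m; i++) { c = p[i]; gsub(/[ \t]/, "", c); if (!(c in iscommon)) extra = 1 }
            if (extra) printf("\t%s = %s\n", name[j], classes[j])
        }
    }'
}

# Which classes a given user ends up with under a users stanza read on stdin:
# its own line if present, else the default line (the assumption above).
audit_effective_classes() {
    awk -v who="$1" '
    /^[ \t]*[A-Za-z0-9._-]+[ \t]*=/ {
        line = $0; sub(/^[ \t]*/, "", line)
        split(line, kv, /[ \t]*=[ \t]*/)
        if (kv[1] == who) mine = kv[2]
        else if (kv[1] == "default") def = kv[2]
    }
    END { print (mine != "" ? mine : def) }'
}

# Usage:  sed -n "/^users:/,/^$/p" /etc/security/audit/config | audit_users_with_default
```

Feed it only the users stanza (the sed in the usage line cuts that out, assuming the stanza ends at a blank line); adding a second shared class later is then a one-line change to the default entry. Before committing the rewritten stanza, run audit_effective_classes for root and one ordinary user against it, which catches the case where a class that should stay default-only was accidentally dropped from an explicitly listed user.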

  5. Vin says:

    from Smit fs

    Is it possible to change AES128 to AES256 for a particular file system? Will that inheritance be passed on to the directories & files created under that file system?
