Questions?
Let me know if you have an AIX Security question. I’ll do my best to answer it in a timely manner. Depending on the question, some questions might require a consulting engagement to be arranged. If assistance requires an engagement, I can talk to your customer representative to see if IBM funding could pay for the engagement at no cost to your organization.
Steve, we talked at the Techu in Orlando. My desire is to encrypt all the files in filesystems, say /xx/yy with efs, whereupon any user upon login would read them assuming they had the proper group permissions for those files.
There shouldn’t be any other authentication than login. In our system a user must choose a permitted group to work on at login. They are then given privileges to access files belonging to that group. They should never need to know anything about encryption.
Can you tell me the necessary procedure for this?
Thanks,
Jon Brunson
Hi Jon,
I’ll take a look at this this week. I should be able to get back to you on this by Thursday sometime.
1. So the first thing to make sure is that you have a group keystore in order to access encrypted files by group:
# pwd ; ls -al
/var/efs/groups/test
total 8
drwx------ 2 root system 256 Dec 12 17:11 .
drwx------ 6 root system 256 Dec 12 17:12 ..
-rw------- 1 root system 0 Dec 11 21:46 .lock
-rw------- 1 root system 1914 Dec 12 17:11 keystore <--------- NEED THIS
#
You can create a group keystore with: efskeymgr -C name_of_group
2. After that you need to make sure that you grant the user access to the group keystore.
So let’s say the user is foo and you want to grant access to the test group keystore. You need to do the following:
# efskeymgr -k group/test -s user/foo
Those are the 2 key elements.
Thanks, Steve. The keystores for groups and users all appear to be there.
So if I associate each user with the appropriate group using efskeymgr, the proper keystore(s) will be opened upon login and files decrypted when they read them?
That seems simple enough.
Jon
Ok, Steve. I think I’ve got that part.
Now I need to know how to encrypt all the files in a directory recursively. Is that possible?
Thanks, Jon
There is an EFS thing called inheritance. You need to set up inheritance on your EFS filesystem. When inheritance is set up, any new file in that directory or any new files created in a directory will automatically be encrypted. Check out the AIX 6.1 Security Intro and Config for additional details. If you have files that are already created and are not encrypted you will probably need to either individually encrypt them or recreate them in an existing filesystem that has that EFS inheritance feature enabled.
Thanks Steve, that’s what it looked like. I was just hoping that the old files could be encrypted “en masse”.
Jon
How about writing a script that moves your old files into an EFS-inheritance-enabled filesystem? That might be a way to quickly encrypt all your files without having to manually encrypt them? Or you might be able to encrypt them where they are with a script, but you will have to convert the existing JFS2 filesystem to a JFS2-EFS enabled filesystem first.
Yes, the former is what I will do. I believe that would be the quickest way. No magic wand unfortunately. Thanks for your help. It will be cranking for a while on 20 – 30 TB.
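A script along the lines Steve suggests, as an added example that is not part of the thread: it copies an existing tree into a target directory on a JFS2 filesystem that already has EFS inheritance enabled, then verifies every file before you delete the originals. Creating the EFS filesystem and setting inheritance on the target directory are assumed to be done beforehand with the AIX tools Steve mentions; the optional `efsmgr -l` status check is an assumption about that command's exit status and is skipped where the tool is absent.

```shell
#!/bin/sh
# Added example, not from the thread. Bulk migration helper for EFS:
#   migrate_tree SRC DST   copies SRC into DST (DST should sit on an
#   EFS-enabled JFS2 filesystem with inheritance set via efsmgr -E, so
#   each file is encrypted as it is written), then verifies the copy.
# Only the copy/verify logic is exercised here; the AIX-specific
# efsmgr check is skipped when efsmgr is not installed.

# CRC + byte count of a file, read via stdin so no filename is printed.
file_sum() { cksum < "$1"; }

# True when both files have the same CRC and size.
same_content() {
    s=$(file_sum "$1") || return 1
    d=$(file_sum "$2") || return 1
    [ "$s" = "$d" ]
}

# Assumption: efsmgr -l exits non-zero for a file that is not encrypted.
efs_encrypted() {
    command -v efsmgr >/dev/null 2>&1 || return 0   # skip off-AIX
    efsmgr -l "$1" >/dev/null 2>&1
}

# Walk every regular file under SRC and compare it with its copy in DST.
# Returns 0 only when all files match (and, on AIX, report as encrypted).
# Filenames containing newlines are not supported by this simple walk.
verify_tree() {
    src=$1; dst=$2; bad=0
    old_ifs=$IFS; IFS='
'; set -f
    for f in $(cd "$src" && find . -type f); do
        if ! same_content "$src/$f" "$dst/$f"; then
            echo "MISMATCH: $f" >&2; bad=$((bad + 1))
        elif ! efs_encrypted "$dst/$f"; then
            echo "NOT ENCRYPTED: $dst/$f" >&2; bad=$((bad + 1))
        fi
    done
    set +f; IFS=$old_ifs
    [ "$bad" -eq 0 ]
}

# Copy with permissions/ownership/timestamps preserved, then verify.
migrate_tree() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "no such source dir: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    cp -Rp "$src"/. "$dst"/ || return 1
    verify_tree "$src" "$dst"
}
```

Only remove the source tree once `migrate_tree` has returned 0 for it; a non-zero status lists the files that did not copy cleanly or did not end up encrypted.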
Hi Steve,
In the user stanza of our /etc/security/audit/config file, every user in /etc/passwd is listed and has a class in common (smt).
root = smt,widgit
bin = smt
sys = smt
jeff = smt
steve = smt
alice = smt
The user list is different for every LPAR. Naturally it’s difficult to maintain. Is there an easy button for this? I’m hoping it’s something where everyone can get the “smit” class and we can explicitly list any additional classes.
ALL = smit
root = widgit
Bonus points if we can add in multiple default classes, should a new class become necessary.
ALL = smit,newclass
root = widgit
Jeff,
Try using the “default” keyword.
So by default, if a user isn’t specified explicitly, the system should audit the “default” set of classes.
For example:
default = smt
from Smit fs
Is it possible to change AES128 to AES256 for a particular file system? Will that inheritance be passed on to the directories & files created under that file system?
Yes it is possible. See page 67 of the AIX v6 Advanced security Features intro and Config Redbook.