Options:

-c cmd

The command to run; one of:

• change-key — change a domain key; use -k old_key -K new_key.
• check — check for support of encryption given path.
• check-key — verify that the key given is is valid against a domain.
• create — create a domain given domain, type, and key. A domain is created in its locked state.
• destroy — destroy a domain; the given domain must be unlocked.
• enable — enable encryption support on path.
• get — determine the domain that the given path belongs to.
• lock — lock a domain within the given path.
• migrate-delay — change the migration delay between work units. Use -n val to indicate a period in milliseconds.
• migrate-path — parse a path, assigning the given domain to directories and tagging files to the given domain.
• migrate-state — determine the amount of remaining migration work.
• migrate-start — determine begin the background encryption of tagged files.
• migrate-status — reports the status of migration.
• migrate-stop — suspends background encryption migration.
• migrate-tag — tag a file for background encryption (tag is a synonym).
• migrate-units — set the amount of work to complete beween delay periods. Use -n val to indicate a number of blocks.
• query — query the status of a domain within the given path.
• read-key — read a file key information into file.
• set — set a given path to a numbered domain.
• set-whole-disk — enables whole-disk encryption using domain. There must be only one domain, domain.
  Plain-text files are hidden if you enable whole-disk encryption.
• setup — complete the domain setup based on the provided -k :str.
• unlock — unlock a domain given proper key data.
• write-key — write a file key described by file to file at path.

-d domain

The domain number to be used (1-100).

-f

If path is a directory, make the move or remove action on the files as well.

-K key

Specify a secondary key, in the same form as for -k.

-k key

Specify key data in one of the following forms:

• .salt.str — a 64-bit salt value expressed as a string of bytes in hexadecimal digits that may be postfixed to a plain-text string.
• :setup — command string used with the setup command. The string format is:

  domain:type:locked:provider:path

• +str — a user-supplied plain-text string (hashed to a 512-bit key).
• #str — a base-64 representation of a key (must be 512 bits long)
• @file — the name of a file that contains binary key data (must be 512 bits long)

-l log_path

The path of the log file to use (stdout is the default).

-n value

Specify a secondary value that some commands require.

-p path

The mountpoint of a Power-Safe (fs-qnx6.so) filesystem.

-r

If path is a directory, take action on the entire tree.

-t type

Used in the creation of a domain to set the encryption mechanism. The supported types include:

• 0 — no encryption
• 1 — XTS
• 2 — CBC

-v[v...]

Set verbosity. Each -v increases verbosity.

Description:

The fsencrypt utility manages the encryption of a Power-Safe (fs-qnx6.so) filesystem.