Filesystem encryption manager


fsencrypt -c cmd [-d domain] [-f] [-K .|:|+|#|@key [-ooffset]]
          [-k .|:|+|#|@key [-ooffset]] [-l log_path]
          [-n value] -p path [-r] [-t type] [-v[v...]]


-c cmd
The command to run (see below).
-d domain
The domain number to be used (1–100).
If path is a directory, make the move or remove action on the files as well.
-K key
Specify a secondary key, in the same form as for -k.
-k key
Specify key data in one of the following forms:
  • .salt.str — a 64-bit salt value expressed as a string of bytes in hexadecimal digits that may be postfixed to a plain-text string
  • :setup — a command string used with the setup command. The string format is:


  • +str — a user-supplied plain-text string, to be hashed into a 512-bit key
  • #str — a base-64 representation of a key, which must be 512 bits long
  • @file — the name of a file that contains binary key data, which must be 512 bits long
-l log_path
The path of the log file to use (stdout is the default).
-n value
Specify a secondary value that some commands require.
-o offset
("oh") An offset into a key file specified with the -K@ or -k@ option.
-p path
The mountpoint of a Power-Safe ( fs-qnx6.so ) filesystem, or a file in the filesystem, depending on the command.
If path is a directory, take action on the entire tree.
-t type
Used in the creation of a domain to set the encryption mechanism. The supported types include:
  • 0 — no encryption
  • 1 — AES-256, in XTS mode. The two keys are randomly generated.
  • 2 — AES-256, in CBC mode
Be verbose; each v increases the level of verbosity. If you don't turn on verbosity, some commands indicate success or failure only by fsencrypt's exit status.


The fsencrypt utility manages the encryption of a Power-Safe ( fs-qnx6.so ) filesystem. In order to use fsencrypt, you must have formatted the filesystem with the -E option for mkqnx6fs , and then specified crypto=enable for fs-qnx6.so.

The commands that you can specify with the -c option are given below, along with the other options that you must specify for each command:

Change a domain key:
fsencrypt -p path -c change-key -d domain -k old_key -K new_key
Check for support of encryption on a given filesystem:
fsencrypt -p path -c check
Verify that the key given is is valid against a domain:
fsencrypt -p path -c check-key -d domain -k key
Create a domain:
fsencrypt -p path -c create -d domain -k key -t type

The new domain is unlocked.

Destroy a domain. The domain must be unlocked, and you must be in the group that owns the mountpoint:
fsencrypt -p path -c destroy -d domain

If you destroy a domain, you won't be able to access any of its contents because they'll be encrypted and the domain's encryption key will have been destroyed. The contents remain in the filesystem until you delete them.

Enable encryption support on a volume that wasn't set up for it at formatting time:
fsencrypt -p path -c enable
Determine the domain that the given path belongs to:
fsencrypt -p path -c get
Lock a domain within the given filesystem:
fsencrypt -p path -c lock -d domain
Change the migration delay between work units. Use the -n option to indicate a period in milliseconds.
fsencrypt -p path -c migrate-delay -n milliseconds
Parse a path, assigning the given domain to directories and tagging files to the given domain:
fsencrypt -p path -c migrate-path -d domain
Determine the amount of remaining migration work:
fsencrypt -p path -c migrate-state
Start the background encryption of tagged files:
fsencrypt -p path -c migrate-start
Report the status of migration:
fsencrypt -p path -c migrate-status
Suspend the background encryption migration:
fsencrypt -p path -migrate-stop
Tag a file for migration into the given domain (tag is a synonym):
fsencrypt -p file -c migrate-tag -d domain
Set the amount of work to complete beween delay periods. Use the -n option to indicate a number of blocks:
fsencrypt -p path -c migrate-units -n blocks
Query the status of a domain:
fsencrypt -p path -c query -d domain
Query the status of all the domains for a filesystem
fsencrypt -p path -c query-all
Read a file key into file.
fsencrypt -p path -c read-key -k @file
Assign the given path to a numbered domain. The domain must be unlocked.
fsencrypt -p path -c set -d domain
Enable whole-disk encryption using domain. There must be only one domain:
fsencrypt -p path -c set-whole-disk -d domain

Plain-text files are hidden if you enable whole-disk encryption.

Complete the domain setup based on the provided -k : str.
fsencrypt -p path -c setup -k :domain:type:locked:provider:path
Tag a file for migration into the given domain (migrate-tag is a synonym):
fsencrypt -p file -c tag -d domain
Unlock a domain, given the correct key data:
fsencrypt -p path -c unlock -d domain -k key
Write a file key described by file to file at path:
fsencrypt -p path -c write-key -k @file


Create domain 10 on the root volume using a plain-text password with a 64-bit salt value:

fsencrypt -vc create -d10 -t1 -p/ -k.1234567890abcdef.mypassword

Unlock the domain:

fsencrypt -vc unlock -d10 -p/ -k.1234567890abcdef.mypassword

Add a directory to this domain:

fsencrypt -vc set -d10 -p/secure_dir

Exit status:

> 0
An error occurred.

Last modified: 2013-12-21

Got questions about leaving a comment? Get answers from our Disqus FAQ.

comments powered by Disqus