Filesystem encryption manager
fsencrypt -c cmd [-d domain] [-f] [-K .|:|+|#|@key [-ooffset]] [-k .|:|+|#|@key [-ooffset]] [-l log_path] [-n value] -p path [-r] [-t type] [-v[v...]]
- -c cmd
- The command to run (see below).
- -d domain
- The domain number to be used (1–100).
- If path is a directory, make the move or remove action on the files as well.
- -K key
- Specify a secondary key, in the same form as for -k.
- -k key
- Specify key data in one of the following forms:
- .salt.str — a 64-bit salt value expressed as a string of bytes in hexadecimal digits that may be postfixed to a plain-text string
- :setup — a command string used with the
The string format is:
- +str — a user-supplied plain-text string, to be hashed into a 512-bit key
- #str — a base-64 representation of a key, which must be 512 bits long
- @file — the name of a file that contains binary key data, which must be 512 bits long
- -l log_path
- The path of the log file to use (stdout is the default).
- -n value
- Specify a secondary value that some commands require.
- -o offset
- ("oh") An offset into a key file specified with the -K@ or -k@ option.
- -p path
- The mountpoint of a Power-Safe ( fs-qnx6.so ) filesystem, or a file in the filesystem, depending on the command.
- If path is a directory, take action on the entire tree.
- -t type
- Used in the creation of a domain to set the encryption mechanism.
The supported types include:
- 0 — no encryption
- 1 — AES-256, in XTS mode. The two keys are randomly generated.
- 2 — AES-256, in CBC mode
- Be verbose; each v increases the level of verbosity. If you don't turn on verbosity, some commands indicate success or failure only by fsencrypt's exit status.
The fsencrypt utility manages the encryption of a Power-Safe ( fs-qnx6.so ) filesystem. In order to use fsencrypt, you must have formatted the filesystem with the -E option for mkqnx6fs , and then specified crypto=enable for fs-qnx6.so.
The commands that you can specify with the -c option are given below, along with the other options that you must specify for each command:
- Change a domain key:
fsencrypt -p path -c change-key -d domain -k old_key -K new_key
- Check for support of encryption on a given filesystem:
fsencrypt -p path -c check
- Verify that the key given is is valid against a domain:
fsencrypt -p path -c check-key -d domain -k key
- Create a domain:
fsencrypt -p path -c create -d domain -k key -t type
The new domain is unlocked.
- Destroy a domain.
The domain must be unlocked, and you must be in the group that owns the mountpoint:
fsencrypt -p path -c destroy -d domain
If you destroy a domain, you won't be able to access any of its contents because they'll be encrypted and the domain's encryption key will have been destroyed. The contents remain in the filesystem until you delete them.
- Enable encryption support on a volume that wasn't set up for it at formatting time:
fsencrypt -p path -c enable
- Determine the domain that the given path belongs to:
fsencrypt -p path -c get
- Lock a domain within the given filesystem:
fsencrypt -p path -c lock -d domain
- Change the migration delay between work units.
Use the -n option to indicate a period in milliseconds.
fsencrypt -p path -c migrate-delay -n milliseconds
- Parse a path, assigning the given domain to directories and tagging files to the given domain:
fsencrypt -p path -c migrate-path -d domain
- Determine the amount of remaining migration work:
fsencrypt -p path -c migrate-state
- Start the background encryption of tagged files:
fsencrypt -p path -c migrate-start
- Report the status of migration:
fsencrypt -p path -c migrate-status
- Suspend the background encryption migration:
fsencrypt -p path -migrate-stop
- Tag a file for migration into the given domain (tag is a synonym):
fsencrypt -p file -c migrate-tag -d domain
- Set the amount of work to complete beween delay periods.
Use the -n option to indicate a number of blocks:
fsencrypt -p path -c migrate-units -n blocks
- Query the status of a domain:
fsencrypt -p path -c query -d domain
- Query the status of all the domains for a filesystem
fsencrypt -p path -c query-all
- Read a file key into file.
fsencrypt -p path -c read-key -k @file
- Assign the given path to a numbered domain.
The domain must be unlocked.
fsencrypt -p path -c set -d domain
- Enable whole-disk encryption using domain.
There must be only one domain:
fsencrypt -p path -c set-whole-disk -d domain
Plain-text files are hidden if you enable whole-disk encryption.
- Complete the domain setup based
on the provided -k :
fsencrypt -p path -c setup -k :domain:type:locked:provider:path
- Tag a file for migration into the given domain (migrate-tag is a synonym):
fsencrypt -p file -c tag -d domain
- Unlock a domain, given the correct key data:
fsencrypt -p path -c unlock -d domain -k key
- Write a file key described by file to file at path:
fsencrypt -p path -c write-key -k @file
Create domain 10 on the root volume using a plain-text password with a 64-bit salt value:
fsencrypt -vc create -d10 -t1 -p/ -k.1234567890abcdef.mypassword
Unlock the domain:
fsencrypt -vc unlock -d10 -p/ -k.1234567890abcdef.mypassword
Add a directory to this domain:
fsencrypt -vc set -d10 -p/secure_dir
- > 0
- An error occurred.
Last modified: 2013-12-21