fsencrypt

Filesystem encryption manager

Syntax:

fsencrypt -c cmd [-d domain] [-f] [-K .|:|+|#|@key [-ooffset]]
          [-k .|:|+|#|@key [-ooffset]] [-l log_path]
          [-n value] -p path [-r] [-t type] [-v[v...]]

Options:

-c cmd
The command to run (see below).
-d domain
The domain number to be used (1–100).
-f
If path is a directory, make the move or remove action on the files as well.
-K key
Specify a secondary key, in the same form as for -k.
-k key
Specify key data in one of the following forms:
  • .salt.str — a 64-bit salt value, expressed as a string of hexadecimal digits, prefixed to a plain-text string (for example, .1234567890abcdef.mypassword)
  • :setup — a command string used with the setup command. The string format is:

    domain:type:locked:provider:path

  • +str — a user-supplied plain-text string, to be hashed into a 512-bit key
  • #str — a base-64 representation of a key, which must be 512 bits long
  • @file — the name of a file that contains binary key data, which must be 512 bits long
-l log_path
The path of the log file to use (stdout is the default).
-n value
Specify a secondary value that some commands require.
-o offset
("oh") An offset into a key file specified with the -K@ or -k@ option.
-p path
The mountpoint of a Power-Safe (fs-qnx6.so) filesystem, or a file in the filesystem, depending on the command.
-r
If path is a directory, take action on the entire tree.
-t type
Used in the creation of a domain to set the encryption mechanism. The supported types include:
  • 0 — no encryption
  • 1 — AES-256, in XTS mode. The two keys are randomly generated.
  • 2 — AES-256, in CBC mode
-v[v...]
Be verbose; each v increases the level of verbosity. If you don't turn on verbosity, some commands indicate success or failure only by fsencrypt's exit status.

Description:

The fsencrypt utility manages the encryption of a Power-Safe (fs-qnx6.so) filesystem. In order to use fsencrypt, you must have formatted the filesystem with the -E option for mkqnx6fs, and then specified crypto=enable for fs-qnx6.so.

The commands that you can specify with the -c option are given below, along with the other options that you must specify for each command:

change-key
Change a domain key:
fsencrypt -p path -c change-key -d domain -k old_key -K new_key
  
check
Check for support of encryption on a given filesystem:
fsencrypt -p path -c check
  
check-key
Verify that the given key is valid against a domain:
fsencrypt -p path -c check-key -d domain -k key
  
create
Create a domain:
fsencrypt -p path -c create -d domain -k key -t type
  

The new domain is unlocked.

destroy
Destroy a domain. The domain must be unlocked, and you must be in the group that owns the mountpoint:
fsencrypt -p path -c destroy -d domain
  

If you destroy a domain, you won't be able to access any of its contents because they'll be encrypted and the domain's encryption key will have been destroyed. The contents remain in the filesystem until you delete them.

enable
Enable encryption support on a volume that wasn't set up for it at formatting time:
fsencrypt -p path -c enable
  
get
Determine the domain that the given path belongs to:
fsencrypt -p path -c get
  
lock
Lock a domain within the given filesystem:
fsencrypt -p path -c lock -d domain
  
migrate-delay
Change the migration delay between work units. Use the -n option to indicate a period in milliseconds.
fsencrypt -p path -c migrate-delay -n milliseconds
  
migrate-path
Parse a path, assigning the given domain to directories and tagging files to the given domain:
fsencrypt -p path -c migrate-path -d domain
  
migrate-state
Determine the amount of remaining migration work:
fsencrypt -p path -c migrate-state
  
migrate-start
Start the background encryption of tagged files:
fsencrypt -p path -c migrate-start
  
migrate-status
Report the status of migration:
fsencrypt -p path -c migrate-status
  
migrate-stop
Suspend the background encryption migration:
fsencrypt -p path -c migrate-stop
  
migrate-tag
Tag a file for migration into the given domain (tag is a synonym):
fsencrypt -p file -c migrate-tag -d domain
  
migrate-units
Set the amount of work to complete between delay periods. Use the -n option to indicate a number of blocks:
fsencrypt -p path -c migrate-units -n blocks
  
query
Query the status of a domain:
fsencrypt -p path -c query -d domain
  
query-all
Query the status of all the domains for a filesystem:
fsencrypt -p path -c query-all
  
read-key
Read a file key into file:
fsencrypt -p path -c read-key -k @file
  
set
Assign the given path to a numbered domain. The domain must be unlocked:
fsencrypt -p path -c set -d domain
  
set-whole-disk
Enable whole-disk encryption using domain. There must be only one domain:
fsencrypt -p path -c set-whole-disk -d domain
  

Plain-text files are hidden if you enable whole-disk encryption.

setup
Complete the domain setup based on the provided -k :str (see the :setup form under the -k option):
fsencrypt -p path -c setup -k :domain:type:locked:provider:path
  
tag
Tag a file for migration into the given domain (migrate-tag is a synonym):
fsencrypt -p file -c tag -d domain
  
unlock
Unlock a domain, given the correct key data:
fsencrypt -p path -c unlock -d domain -k key
  
write-key
Write a file key described by file to file at path:
fsencrypt -p path -c write-key -k @file
  

Examples:

Create domain 10 on the root volume using a plain-text password with a 64-bit salt value:

fsencrypt -vc create -d10 -t1 -p/ -k.1234567890abcdef.mypassword

Unlock the domain:

fsencrypt -vc unlock -d10 -p/ -k.1234567890abcdef.mypassword

Add a directory to this domain:

fsencrypt -vc set -d10 -p/secure_dir
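The following shell wrapper is an added example, not part of the QNX documentation: it checks a -k argument against the key forms listed under Options (including the 512-bit length rule for #str and @file) before calling fsencrypt, then runs the create/set/lock sequence shown above. It assumes GNU base64 and wc; FSENCRYPT defaults to a dry-run echo so it can be exercised on a host without a Power-Safe filesystem.

```shell
#!/bin/sh
# Example wrapper (not QNX code). Set FSENCRYPT=fsencrypt on the target;
# the default only echoes the command lines that would be run.
FSENCRYPT="${FSENCRYPT:-echo fsencrypt}"

# Returns 0 if ARG is a well-formed -k/-K argument, 1 otherwise.
validate_key_arg() {
    key=$1
    case $key in
        .*.*)   # .salt.str: the salt is 64 bits, i.e. exactly 16 hex digits
            salt=${key#.}; salt=${salt%%.*}
            printf '%s' "$salt" | grep -Eq '^[0-9a-fA-F]{16}$' ;;
        +?*)    # +str: any non-empty plain-text string (hashed to 512 bits)
            return 0 ;;
        \#?*)   # #str: base-64 text that decodes to exactly 64 bytes
            n=$(printf '%s' "${key#\#}" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
            [ "$n" -eq 64 ] ;;
        @?*)    # @file: a file holding exactly 64 bytes of binary key data
            f=${key#@}
            [ -f "$f" ] && [ "$(wc -c < "$f" | tr -d ' ')" -eq 64 ] ;;
        :*)     # :setup string: domain:type:locked:provider:path (5 colons)
            [ "$(printf '%s' "$key" | tr -cd ':' | wc -c | tr -d ' ')" -eq 5 ] ;;
        *)      return 1 ;;
    esac
}

# secure_dir MOUNTPOINT DOMAIN KEY DIR
# Creates DOMAIN (AES-256 XTS) on MOUNTPOINT, assigns DIR and its tree to
# it, and locks the domain again. A freshly created domain is unlocked, so
# no separate unlock step is needed before "set".
secure_dir() {
    mnt=$1; dom=$2; key=$3; dir=$4
    validate_key_arg "$key" || { echo "malformed key argument" >&2; return 1; }
    $FSENCRYPT -p "$mnt" -c check || return 1
    $FSENCRYPT -p "$mnt" -c create -d "$dom" -t 1 -k "$key" || return 1
    $FSENCRYPT -p "$mnt" -c check-key -d "$dom" -k "$key" || return 1
    $FSENCRYPT -p "$dir" -c set -d "$dom" -r || return 1
    $FSENCRYPT -p "$mnt" -c lock -d "$dom"
}
```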

Exit status:

0
Success.
> 0
An error occurred.

Last modified: 2013-12-21
