Filesystem encryption manager


fsencrypt -ppath -ccmd [-ddomain] [-ttype]
          [-k .|+|#|@key [-ooffset]]


-p path
The mountpoint of a Power-Safe (fs-qnx6.so) filesystem.
-c cmd
The command to run; one of:
  • check — check whether the given path supports encryption.
  • create — create a domain given domain, type, and key. A domain is created in its locked state.
  • destroy — destroy a domain; the given domain must be unlocked.
  • query — query the status of a domain within the given path.
  • unlock — unlock a domain given proper key data.
  • lock — lock a domain within the given path.
  • set — set a given path to a numbered domain.
  • get — determine the domain that the given path belongs to.
  • enable — enable encryption support on path.
  • read-key — read a file's key information into file.
  • write-key — write a file key described by file to file at path.
  • setup — complete the domain setup based on the provided -k: str.
-d domain
The domain number to be used (1-100).
-t type
Used in the creation of a domain to set the encryption mechanism. The supported types include:
  • 0 — no encryption
  • 1 — XTS
  • 2 — CBC
-k key
Specify key data in one of the following forms:
  • .salt.str — a 64-bit salt value expressed as a string of bytes in hexadecimal digits that may be postfixed to a plain-text string.
  • :setup — command string used with the setup command. The string format is:


  • +str — a user-supplied plain-text string (hashed to a 512-bit key).
  • #str — a base-64 representation of a key (must be 512 bits long).
  • @file — the name of a file that contains binary key data (must be 512 bits long).


The fsencrypt utility manages the encryption of a Power-Safe (fs-qnx6.so) filesystem.


Create domain 10 on the root volume using a plain-text password with a 64-bit salt value:

# fsencrypt -vc create -d10 -t1 -p/ -k.1234567890abcdef.mypassword

Unlock the domain:

# fsencrypt -vc unlock -d10 -p/ -k.1234567890abcdef.mypassword

Add a directory to this domain:

# fsencrypt -vc set -d10 -p/secure_dir
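
The -k key forms carry fixed length requirements (a 64-bit salt, 512-bit key data for #str and @file). The shell functions below are an added example, not part of the fsencrypt documentation: they generate a 512-bit key file and validate each form before it is passed to fsencrypt. The function names, and the presence of head -c, wc, tr and base64 on the host where keys are prepared, are assumptions.

```shell
#!/bin/sh
# Added example: validate key material before passing it to fsencrypt -k.
# Assumed host tools: head -c, wc, tr, base64. Function names are hypothetical.
KEY_BYTES=64   # 512 bits, the length required for the #str and @file forms

# make_keyfile FILE: write 512 random bits to FILE, readable by the owner only.
make_keyfile() {
    ( umask 077 && head -c "$KEY_BYTES" /dev/urandom > "$1" )
}

# keyfile_ok FILE: succeed only if FILE exists and holds exactly 512 bits.
keyfile_ok() {
    [ -f "$1" ] && [ "$(wc -c < "$1" | tr -d ' ')" -eq "$KEY_BYTES" ]
}

# b64_key_ok STR: succeed only if STR is valid base-64 decoding to 512 bits.
b64_key_ok() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    n=$(printf '%s' "$1" | base64 -d | wc -c | tr -d ' ')
    [ "$n" -eq "$KEY_BYTES" ]
}

# salt_ok HEX: succeed only if HEX is 16 hexadecimal digits (a 64-bit salt).
salt_ok() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# key_arg FORM VALUE [SALT]: print the -k argument, or fail if VALUE is invalid.
key_arg() {
    case "$1" in
        file)   keyfile_ok "$2" && printf '%s\n' "-k@$2" ;;
        base64) b64_key_ok "$2" && printf '%s\n' "-k#$2" ;;
        salted) salt_ok "$3" && [ -n "$2" ] && printf '%s\n' "-k.$3.$2" ;;
        *)      return 1 ;;
    esac
}

# Constructed demo: rebuild the salted -k argument used in the examples above.
printf 'fsencrypt -vc unlock -d10 -p/ %s\n' \
    "$(key_arg salted mypassword 1234567890abcdef)"
```

The @file form keeps key material out of the process argument list, which the +str and .salt.str forms do not.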