Filesystem encryption manager
Syntax:
fsencrypt -c cmd [-d domain] [-f] [-K .|:|+|#|@key [-ooffset]]
[-k .|:|+|#|@key [-ooffset]] [-l log_path]
[-n value] -p path [-r] [-t type] [-v[v...]]
Options:
- -c cmd
- The command to run (see below).
- -d domain
- The domain number to be used (0–100).
Set the domain to 0 to remove encryption.
- -f
- If path is a directory, make the move or remove action on the files as well.
- -K key
- Specify a secondary key, in the same form as for -k.
- -k key
- Specify key data in one of the following forms:
- -l log_path
- The path of the log file to use (stdout is the default).
- -n value
- Specify a secondary value that some commands require.
- -o offset
- (“oh”) An offset into a key file specified with the -K@ or -k@ option.
- -p path
- The mountpoint of a Power-Safe
(fs-qnx6.so)
filesystem, or a file in the filesystem, depending on the command.
- -r
- If path is a directory, take action on the entire tree.
- -t type
- Identify the encryption mechanism.
The supported types include:
| type |
Key length |
Description |
| 0 |
Not applicable |
No encryption |
| 1 |
512 bits |
AES-256, in XTS mode. The two keys are randomly generated. |
| 2 |
256 bits |
AES-256, in CBC mode |
- -v[v...]
- Be verbose; each v increases the level of verbosity.
If you don't turn on verbosity, some commands indicate success or failure only by
fsencrypt's exit status.
Description:
The fsencrypt utility manages the encryption of a
Power-Safe
(fs-qnx6.so)
filesystem.
In order to use fsencrypt, you must have specified crypto=enable
for fs-qnx6.so.
Note:
In order to use filesystem encryption, download the Encrypted Filesystem package from the QNX Software Center.
The commands that you can specify with the -c option are given below, along with
the other options that you must specify for each command:
- change-key
- Change a domain key:
fsencrypt -p path -c change-key -d domain -k old_key -K new_key -t type
- check
- Check for support of encryption on a given filesystem:
fsencrypt -p path -c check
- check-key
- Verify that the key given is valid against a domain:
fsencrypt -p path -c check-key -d domain -k key -t type
- create
- Create a domain:
fsencrypt -p path -c create -d domain -k key -t type
The new domain is unlocked.
- destroy
- Destroy a domain:
fsencrypt -p path -c destroy -d domain
You must be in the group that owns the mountpoint.
CAUTION:
If you destroy a domain, you won't be able to access any of its contents because they'll be encrypted
and the domain's encryption key will have been destroyed.
The contents remain in the filesystem until you delete them.
- enable
- Enable encryption support on a volume that wasn't set up for it at formatting time:
fsencrypt -p path -c enable
- get
- Determine the domain that the given path belongs to:
fsencrypt -p path -c get
- lock
- Lock a domain within the given filesystem:
fsencrypt -p path -c lock -d domain
- migrate-delay
- Change the migration delay between work units.
Use the -n option to indicate a period in milliseconds:
fsencrypt -p path -c migrate-delay -n milliseconds
- migrate-path
- Parse a path, assigning the given domain to directories and tagging files to the given domain:
fsencrypt -p path -c migrate-path -d domain
Note:
In order for you to tag files for migration, the source and destination domains must be unlocked.
- migrate-state
- Determine the amount of remaining migration work:
fsencrypt -p path -c migrate-state
- migrate-start
- Start the background encryption of tagged files:
fsencrypt -p path -c migrate-start
- migrate-status
- Report the status of migration:
fsencrypt -p path -c migrate-status
- migrate-stop
- Suspend the background encryption migration:
fsencrypt -p path -migrate-stop
- migrate-tag
- Tag a file for migration into the given domain (tag is a synonym):
fsencrypt -p file -c migrate-tag -d domain
Note:
In order for you to tag a file for migration, the source and destination domains must be unlocked.
- migrate-units
- Set the amount of work to complete beween delay periods.
Use the -n option to indicate a number of blocks:
fsencrypt -p path -c migrate-units -n blocks
- query
- Query the status of a domain:
fsencrypt -p path -c query -d domain
- query-all
- Query the status of all the domains for a filesystem:
fsencrypt -p path -c query-all
- read-key
- Read a file key into file:
fsencrypt -p path -c read-key -k @file
- set
- Assign the given path to a numbered domain:
fsencrypt -p path -c set -d domain
The domain must be unlocked.
Regular files must have a length of zero.
The domain replaces any domain previously assigned to the path.
- set-whole-disk
- Enable whole-disk encryption using domain.
There must be only one domain:
fsencrypt -p path -c set-whole-disk -d domain
Note:
Plain-text files are hidden if you enable whole-disk encryption.
- setup
- Complete the domain setup based
on the provided -k :str option:
fsencrypt -p path -c setup -k :domain:type:locked:provider:path
- tag
- Tag a file for migration into the given domain (migrate-tag is a synonym):
fsencrypt -p file -c tag -d domain
Note:
In order for you to tag a file for migration, the source and destination domains must be unlocked.
- unlock
- Unlock a domain, given the correct key data:
fsencrypt -p path -c unlock -d domain -k key -t type
Examples:
Create domain 10 on the root volume using a plain-text password with a
64-bit salt value:
fsencrypt -vc create -d10 -t1 -p/ -k.1234567890abcdef.mypassword
Unlock the domain:
fsencrypt -vc unlock -d10 -t1 -p/ -k.1234567890abcdef.mypassword
Add a directory to this domain:
fsencrypt -vc set -d10 -p/secure_dir
Exit status:
- 0
- Success.
- > 0
- An error occurred.