fsencrypt

Filesystem encryption manager

Syntax:

fsencrypt -c cmd [-d domain] [-f] [-K .|:|+|#|@key [-ooffset]]
          [-k .|:|+|#|@key [-ooffset]] [-l log_path]
          [-n value] -p path [-r] [-t type] [-v[v...]]

Runs on:

QNX Neutrino

Options:

-c cmd
The command to run (see below).
-d domain
The domain number to be used (0–100). Set the domain to 0 to remove encryption.
-f
If path is a directory, make the move or remove action on the files as well.
-K key
Specify a secondary key, in the same form as for -k.
-k key
Specify key data in one of the following forms:
  • .[salt.]str — an optional 64-bit salt value expressed as a string of up to 16 hexadecimal digits, followed by a period and a plain-text string.
  • :setup — a command string used with the setup command. The string format is:

    domain:type:locked:provider:path

  • +str — a user-supplied plain-text string, to be hashed into a 512-bit key
  • #str — A base-64 representation of the raw key. The length of the provided string must be a multiple of 4 characters. If str is shorter than the key size for the encryption type identified with the -t option, the key is padded with zeroes.
  • @file — the name of a file that contains binary key data. The length of the key depends on the encryption type; see the description of the -t option.
-l log_path
The path of the log file to use (stdout is the default).
-n value
Specify a secondary value that some commands require.
-o offset
(“oh”) An offset into a key file specified with the -K@ or -k@ option.
-p path
The mountpoint of a Power-Safe (fs-qnx6.so) filesystem, or a file in the filesystem, depending on the command.
-r
If path is a directory, take action on the entire tree.
-t type
Identify the encryption mechanism. The supported types include:
type Key length Description
0 Not applicable No encryption
1 512 bits AES-256, in XTS mode. The two keys are randomly generated.
2 256 bits AES-256, in CBC mode
-v[v...]
Be verbose; each v increases the level of verbosity. If you don't turn on verbosity, some commands indicate success or failure only by fsencrypt's exit status.

Description:

The fsencrypt utility manages the encryption of a Power-Safe (fs-qnx6.so) filesystem. In order to use fsencrypt, you must have specified crypto=enable for fs-qnx6.so.

Note: In order to use filesystem encryption, download the Encrypted Filesystem package from the QNX Software Center.

The commands that you can specify with the -c option are given below, along with the other options that you must specify for each command:

change-key
Change a domain key:
fsencrypt -p path -c change-key -d domain -k old_key -K new_key -t type
check
Check for support of encryption on a given filesystem:
fsencrypt -p path -c check
check-key
Verify that the key given is valid against a domain:
fsencrypt -p path -c check-key -d domain -k key -t type
create
Create a domain:
fsencrypt -p path -c create -d domain -k key -t type

The new domain is unlocked.

destroy
Destroy a domain:
fsencrypt -p path -c destroy -d domain

You must be in the group that owns the mountpoint.

CAUTION:
If you destroy a domain, you won't be able to access any of its contents because they'll be encrypted and the domain's encryption key will have been destroyed. The contents remain in the filesystem until you delete them.
enable
Enable encryption support on a volume that wasn't set up for it at formatting time:
fsencrypt -p path -c enable
get
Determine the domain that the given path belongs to:
fsencrypt -p path -c get
lock
Lock a domain within the given filesystem:
fsencrypt -p path -c lock -d domain
migrate-delay
Change the migration delay between work units. Use the -n option to indicate a period in milliseconds:
fsencrypt -p path -c migrate-delay -n milliseconds
migrate-path
Parse a path, assigning the given domain to directories and tagging files to the given domain:
fsencrypt -p path -c migrate-path -d domain
Note: In order for you to tag files for migration, the source and destination domains must be unlocked.
migrate-state
Determine the amount of remaining migration work:
fsencrypt -p path -c migrate-state
migrate-start
Start the background encryption of tagged files:
fsencrypt -p path -c migrate-start
migrate-status
Report the status of migration:
fsencrypt -p path -c migrate-status
migrate-stop
Suspend the background encryption migration:
fsencrypt -p path -migrate-stop
migrate-tag
Tag a file for migration into the given domain (tag is a synonym):
fsencrypt -p file -c migrate-tag -d domain
Note: In order for you to tag a file for migration, the source and destination domains must be unlocked.
migrate-units
Set the amount of work to complete beween delay periods. Use the -n option to indicate a number of blocks:
fsencrypt -p path -c migrate-units -n blocks
query
Query the status of a domain:
fsencrypt -p path -c query -d domain
query-all
Query the status of all the domains for a filesystem:
fsencrypt -p path -c query-all
read-key
Read a file key into file:
fsencrypt -p path -c read-key -k @file
set
Assign the given path to a numbered domain:
fsencrypt -p path -c set -d domain

The domain must be unlocked. Regular files must have a length of zero. The domain replaces any domain previously assigned to the path.

set-whole-disk
Enable whole-disk encryption using domain. There must be only one domain:
fsencrypt -p path -c set-whole-disk -d domain
Note: Plain-text files are hidden if you enable whole-disk encryption.
setup
Complete the domain setup based on the provided -k :str option:
fsencrypt -p path -c setup -k :domain:type:locked:provider:path
tag
Tag a file for migration into the given domain (migrate-tag is a synonym):
fsencrypt -p file -c tag -d domain
Note: In order for you to tag a file for migration, the source and destination domains must be unlocked.
unlock
Unlock a domain, given the correct key data:
fsencrypt -p path -c unlock -d domain -k key -t type

Examples:

Create domain 10 on the root volume using a plain-text password with a 64-bit salt value:

fsencrypt -vc create -d10 -t1 -p/ -k.1234567890abcdef.mypassword

Unlock the domain:

fsencrypt -vc unlock -d10 -t1 -p/ -k.1234567890abcdef.mypassword

Add a directory to this domain:

fsencrypt -vc set -d10 -p/secure_dir

Exit status:

0
Success.
> 0
An error occurred.