Manages the user and group key repositories (keystores) of the Encrypted File System (EFS).
efskeymgr -?
efskeymgr -q
efskeymgr -V
efskeymgr [-L load_module] -C <group>
efskeymgr [-L load_module] [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -v
efskeymgr [-L load_module] [ -d ] [ -k <ks> ] -m
efskeymgr [-L load_module] [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -o <cmd>
efskeymgr [-L load_module] [ -d ] [ -c <cmd> ]
efskeymgr [-L load_module] [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -n
efskeymgr [-L load_module] [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -r <mode>
efskeymgr [-L load_module] [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -s <ks2>
efskeymgr [-L load_module] [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -S <ks2>
efskeymgr [-L load_module] [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -R <algo>
efskeymgr [-L load_module] [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -D <fp>
efskeymgr [-L load_module] [ -d ] [ -k <ks> ] [ -g ] [ -p <pw> ] -e <file>
The efskeymgr command performs all key management operations needed by EFS. Once EFS is enabled on the system with the efsenable command, the keystores (the repositories of public and private keys) are created under the /var/efs directory.
The initial password of a user keystore is the user's login password. Group keystores and admin keystores are not protected by a password but by an access key; the access key of a group keystore is stored in the keystore of every user who belongs to that group.
When a keystore is opened (at login, or explicitly with the efskeymgr command), the private keys it contains are pushed to the kernel and associated with the process. If the keystore contains access keys, the corresponding group or admin keystores are opened too and their keys are pushed to the kernel as well.
When the keystore password is the same as the login password, the keystore is opened automatically at login and the keys are available for the whole session. The keystore password is kept in sync with the login password when the passwd command is used and the old password is provided. If the two passwords get out of sync, the keys are no longer associated with the session automatically at login; change the keystore password with efskeymgr -n to bring them back in sync.
efskeymgr -o <cmd> and efskeymgr -c <cmd>
With efskeymgr -o <cmd>, the keystore is opened and its keys are pushed to the kernel only for the duration of cmd; they are discarded when cmd terminates. With efskeymgr -c <cmd>, all keys are removed from the kernel while cmd runs and restored when it terminates, so cmd cannot read EFS-protected files.
Delayed operations
Some operations on a keystore cannot be completed immediately and are recorded as pending operations. They can be listed with efskeymgr -m and are processed the next time the keystore is opened, unless the -g flag is given. You must run the efskeymgr -v command to process pending operations.
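The session behaviour described above, as added example shell helpers that are not part of the efskeymgr reference: a login-profile check that opens the keystore when the keys were not loaded at login (keystore and login passwords out of sync), plus wrappers that run one command with the keys loaded only for its duration (-o) or with all keys removed (-c). It assumes an AIX system with EFS enabled, efskeymgr on the PATH (overridable through the EFSKEYMGR variable, an assumption of this example), and that the output of efskeymgr -V names each loaded key on a line containing "Key #", which is an assumption about the output format that you should check on your system.

```shell
#!/bin/sh
# Added example helpers around efskeymgr (not from the reference page).
# Assumptions: AIX with EFS enabled; efskeymgr on PATH (override with
# EFSKEYMGR); 'efskeymgr -V' lists each loaded key on a line containing "Key #".

EFSKEYMGR=${EFSKEYMGR:-efskeymgr}

# efs_keys_loaded: succeed if the calling process has EFS keys in the kernel.
# -V needs no access to the keystore files, so it is safe to run anywhere.
efs_keys_loaded() {
    "$EFSKEYMGR" -V 2>/dev/null | grep -q 'Key #'
}

# efs_open_keystore: open the user's keystore interactively. Without -g this
# also processes pending operations (e.g. an access key sent by a group admin).
# Never pass -p: the password would be visible to every user via ps.
efs_open_keystore() {
    "$EFSKEYMGR" -v
}

# efs_ensure_keys: meant for ~/.profile. When the keystore password no longer
# matches the login password, login leaves the session without keys; this
# prompts once for the keystore password instead of failing later on EFS files.
efs_ensure_keys() {
    if efs_keys_loaded; then
        return 0
    fi
    echo 'EFS keys are not loaded in this session; opening keystore.' >&2
    efs_open_keystore
}

# efs_with_keys 'CMD ARGS': open the keystore, run CMD with the keys pushed,
# then discard them when CMD exits (e.g. a batch job that touches EFS files).
# CMD is passed as one string because -o takes a single argument.
efs_with_keys() {
    "$EFSKEYMGR" -o "$*"
}

# efs_without_keys 'CMD ARGS': remove every EFS key from the kernel while CMD
# runs and restore them afterwards. Use it for untrusted helpers that must not
# be able to read EFS-protected files in your session.
efs_without_keys() {
    "$EFSKEYMGR" -c "$*"
}

# Typical ~/.profile use (interactive shells only):
#   case $- in *i*) efs_ensure_keys ;; esac
```

The wrappers take the command as a single string because the synopsis shows -o and -c with one cmd argument; quote it as you would for sh -c.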
Item | Description |
---|---|
General flags: | |
-d | Verbose mode. |
-g | Does not process pending operations when opening the keystore. |
-k ks | The operation is targeted to the ks keystore instead of the active user's keystore. The ks value names a keystore in the form user/<name> or group/<name> (for example user/joe or group/students). |
-L load_module | Specifies the loadable module to use for keystore operations. |
-p pw | Password to use to open the keystore. Avoid this flag: the password appears on the command line and can be seen by other users, for example with the ps command. |
-P filename | Pushes the public key cookies for all keys present in the OpenSSH authorized_keys file filename (for example ~/.ssh/authorized_keys). |
Flags for commands (no access to the keystore files): | |
-? | Displays the command help and exits. |
-q | Displays a list of supported algorithms for the key regeneration. |
-V | Displays the keys associated with the active process credentials in the kernel. |
Flags for commands (read-only access to keystores): | |
-c <cmd> | Removes all keys from the kernel, then runs the cmd command. The keys are restored when the cmd command terminates. |
-m | Lists all pending operations on the keystore. |
-o <cmd> | Opens the keystore and pushes the keys, then runs the cmd command. The keys are discarded when the cmd command terminates. |
-v | Displays the content of the keystore file. |
Flags for commands (read/write access to keystores): | |
-C <group> | Creates the keystore of the group group. |
-D <fp> | Removes a deprecated private key from the keystore. The fp value is the key fingerprint. |
-e <file> | Exports a keystore to a file. The file is PKCS#12 encoded and contains the public and private keys from the keystore, so protect it as carefully as the keystore itself. This file can be used with OpenSSH, for example. |
-n | For user keystores, prompts for a new password for the keystore. For group keystores, generates a new access key and sends it to the group members. For admin keystores, generates a new access key; the key must then be sent to the EFS administrators with the efskeymgr command. |
-R <algo> | Regenerates the keystore private key. See the -q flag for the valid values for the algo parameter. |
-r <mode> | Changes the keystore administration mode to mode. The mode value can be as follows: |
-S <ks2> | Removes the ks2 access key from the keystore. On subsequent openings of the keystore, the ks2 private key is no longer pushed automatically. |
-s <ks2> | Sends the keystore access key to the ks2 keystore. On subsequent openings of ks2, the keystore's private key is loaded automatically. |
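Membership of a group keystore, using the -C, -s, -S and -n flags described above, as an added example script that is not part of the efskeymgr reference. It assumes an AIX system with EFS enabled, that the script runs with the privileges needed to modify the group keystore (an assumption), that the group itself is maintained with the AIX chgrpmem command (a standard AIX command, not an efskeymgr feature), and efskeymgr on the PATH (overridable through the EFSKEYMGR variable, an assumption of this example). The ks_ref helper is this example's own; the keystore references it builds follow the user/<name> and group/<name> form of the efskeymgr -k group/students -s user/joe example.

```shell
#!/bin/sh
# Added example (not from the efskeymgr reference): membership lifecycle of an
# EFS group keystore. Assumptions: AIX with EFS enabled; run by root or an EFS
# administrator; the group exists in /etc/group; efskeymgr on PATH.

EFSKEYMGR=${EFSKEYMGR:-efskeymgr}

# ks_ref KIND NAME: print the keystore reference accepted by -k/-s/-S, i.e.
# user/<name> or group/<name>. Rejects kinds other than user/group and names
# that are empty or contain '/' or whitespace, so a mangled argument cannot
# silently target the wrong keystore.
ks_ref() {
    case "$1" in
        user|group) ;;
        *) printf '%s\n' "ks_ref: kind must be user or group, got '$1'" >&2; return 2 ;;
    esac
    case "$2" in
        ''|*/*|*[[:space:]]*) printf '%s\n' "ks_ref: invalid name '$2'" >&2; return 2 ;;
    esac
    printf '%s/%s\n' "$1" "$2"
}

# group_ks_create GROUP: create the keystore of an existing group.
group_ks_create() {
    "$EFSKEYMGR" -C "$1"
}

# group_ks_add GROUP USER: send the group access key to USER's keystore.
# USER should already be a member (chgrpmem -m + USER GROUP). If USER is not
# logged in, the transfer is recorded as a pending operation and completes at
# USER's next login (synced password) or next 'efskeymgr -v'.
group_ks_add() {
    g=$(ks_ref group "$1") && u=$(ks_ref user "$2") || return 2
    "$EFSKEYMGR" -k "$g" -s "$u"
}

# group_ks_remove GROUP USER: revoke USER. Order matters:
#  1. drop USER from the group, so -n below does not re-send the key to them;
#  2. remove the group access key from USER's keystore (-S);
#  3. regenerate the group access key (-n), which sends the new key to the
#     remaining members. Without step 3 any copy of the old access key that
#     USER kept would still open the group keystore.
group_ks_remove() {
    g=$(ks_ref group "$1") && u=$(ks_ref user "$2") || return 2
    chgrpmem -m - "$2" "$1" &&
    "$EFSKEYMGR" -k "$u" -S "$g" &&
    "$EFSKEYMGR" -k "$g" -n
}
```

Run the removal as the three ordered steps shown; skipping the -n rotation leaves the old access key valid for anyone who still holds a copy of it.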
Exit status | Description |
---|---|
0 | The command ran successfully. |
1 | An error occurred during the execution of the command. |
2 | A syntax error occurred on the command line. |
To display the content of your own keystore (this also processes any pending operations), enter:
efskeymgr -v
To display the keys currently associated with your process in the kernel, enter:
efskeymgr -V
To regenerate the private key of your keystore with the RSA_1024 algorithm (use efskeymgr -q to list the algorithms supported on your system), enter:
efskeymgr -R RSA_1024
To remove the deprecated private key with the given fingerprint from your keystore, enter:
efskeymgr -D dbb62547:d6925088:45357fd3:54cddbba:27b255a9
To send the access key of the students group keystore to the keystore of user joe, enter:
efskeymgr -k group/students -s user/joe
To push the public key cookies of the keys listed in your OpenSSH authorized_keys file, enter:
efskeymgr -P ~/.ssh/authorized_keys
To create the keystore of the staff group using the LDAP loadable module, enter:
efskeymgr -L LDAP -C staff
File | Description |
---|---|
/var/efs | Contains all keystores. |
/etc/security/user | Contains the EFS attributes for the creation and management of user keystores. |
/etc/security/group | Contains the EFS attributes for the creation of group keystores. |