Oracle® Automatic Storage Management Administrator's Guide
12c Release 1 (12.1)

E17612-20

Oracle ACFS Command-Line Tools for Encryption

Table 16-77 contains a summary of the commands for Oracle ACFS encryption. For an overview of Oracle ACFS encryption, refer to "Oracle ACFS Encryption".

You can run acfsutil help on all platforms to display help text. You can run acfsutil version on all platforms to display the Oracle ACFS version.

When the options are entered with commands on a Windows platform, use / instead of - with the option. For example, you can display help for acfsutil on a Linux platform with acfsutil -h. On a Windows platform, use acfsutil /h.

A mount point on a Windows operating system can be a drive letter or a directory including the drive letter. When using a drive letter in a command, include the backslash (\) with the drive letter, such as in M:\, to avoid the possibility of triggering a Windows path substitution to the last accessed path on the specified drive.

Table 16-77 Summary of commands for Oracle ACFS encryption

Command                     Description
acfsutil encr info          Displays encryption-related information about Oracle ACFS file systems.
acfsutil encr init          Creates storage for encryption keys.
acfsutil encr off           Disables encryption for an Oracle ACFS file system.
acfsutil encr on            Encrypts an Oracle ACFS file system.
acfsutil encr rekey         Generates a new key and re-encrypts an Oracle ACFS file system.
acfsutil encr set           Sets or changes encryption parameters for an Oracle ACFS file system.
acfsutil keystore migrate   Migrates the encryption keystore.

acfsutil encr info

Purpose

Displays encryption-related information about Oracle ACFS file systems, directories, or files.

Syntax and Description


acfsutil encr info -h
acfsutil encr info -m mount_point [[-r] path [path...]]

acfsutil encr info -h displays help text and exits.

Table 16-78 contains the options available with the acfsutil encr info command.

Table 16-78 Options for the acfsutil encr info command

Option            Description

-m mount_point
    Specifies the directory where the file system is mounted.

-r
    Specifies recursive action under an existing directory identified by path.

path
    Specifies the absolute or relative path of a directory. Multiple path values are allowed.

If -m is specified without a path, the encryption status, algorithm, and key length are displayed at the file system level.

If -r is specified with a path, the encryption status, algorithm, and key length are displayed for all objects under the directory specified by path.

The acfsutil encr info command displays encryption status and parameters for files in a snapshot if the files are specified with the path option.

This command fails when it is run on realm-secured objects.

Any user can run this command to display encryption information about a file system, directory, or file.

Examples

The following are examples of the use of acfsutil encr info.

Example 16-71 Using the acfsutil encr info command

# /sbin/acfsutil encr info -m /acfsmounts/acfs1

# /sbin/acfsutil encr info -m /acfsmounts/acfs1 
                           -r /acfsmounts/acfs1/myfiles

acfsutil encr init

Purpose

Creates storage for encryption keys.

Syntax and Description


acfsutil encr init -h
acfsutil encr init [-p]

acfsutil encr init -h displays help text and exits.

Table 16-79 contains the options available with the acfsutil encr init command.

Table 16-79 Options for the acfsutil encr init command

Option            Description

-p
    Creates PKCS (password-protected) storage for keys.

The acfsutil encr init command must be run before any other encryption acfsutil commands can be run. This command must be run once for each cluster on which Oracle ACFS encryption is run.

If the -p option is specified, you must provide a password when prompted. The password must conform to the format that is described in "acfsutil sec init".

If the -p option is not specified, a single sign-on (SSO) wallet is created.

Only a user with root or system administrator privileges can run this command.

Examples

The following is an example of the use of acfsutil encr init.

Example 16-72 Using the acfsutil encr init command

# /sbin/acfsutil encr init

acfsutil encr off

Purpose

Disables encryption for an Oracle ACFS file system, directories, or individual files.

Syntax and Description


acfsutil encr off -h
acfsutil encr off -m mount_point [[-r] path [path...]]

acfsutil encr off -h displays help text and exits.

Table 16-80 contains the options available with the acfsutil encr off command.

Table 16-80 Options for the acfsutil encr off command

Option            Description

-m mount_point
    Specifies the directory where the file system is mounted.

-r
    Specifies to disable encryption recursively under an existing directory identified by path.

path
    Specifies the absolute or relative path of a directory. Multiple path values are allowed.

This command cannot be run on security realm-protected files.

Only an administrator can run this command on an Oracle ACFS file system (-m option without a path specified). When the -m option is specified without a path, all the files under the mount point are decrypted.

The path option can specify a path to a file or directory in a read-write snapshot. If the -r option is specified with the command on the root directory, the command does not traverse the snapshots under the .ACFS directory. If a decryption operation is specified at the file system level, then the operation does not process files and directories of snapshots in the .ACFS/snaps/ directory.

Only a user with root or system administrator privileges can run this command to disable encryption on a file system. The file owner can also run this command to disable encryption on a directory or file.

Examples

The following are examples of the use of acfsutil encr off.

Example 16-73 Using the acfsutil encr off command

# /sbin/acfsutil encr off -m /acfsmounts/acfs1

# /sbin/acfsutil encr off -m /acfsmounts/acfs1
                          -r /acfsmounts/acfs1/myfiles

acfsutil encr on

Purpose

Encrypts an Oracle ACFS file system, directories, or individual files.

Syntax and Description


acfsutil encr on -h
acfsutil encr on -m mount_point
     [-a {AES} -k {128|192|256}] [[-r] path [path...]]

acfsutil encr on -h displays help text and exits.

Table 16-81 contains the options available with the acfsutil encr on command.

Table 16-81 Options for the acfsutil encr on command

Option            Description

-m mount_point
    Specifies the directory where the file system is mounted.

-a algorithm
    Specifies the encryption algorithm type for a directory or file. Advanced Encryption Standard (AES) is the only encryption algorithm supported for this release.

-k key_length
    Specifies the encryption key length for a directory or file.

-r
    Specifies encryption recursively under an existing directory identified by path.

path
    Specifies the absolute or relative path of a directory. Multiple path values are allowed.

This command cannot be run on realm-protected files.

The default values for the -a and -k options are determined by the volume parameters specified when acfsutil encr set was run. To set the key length at the volume level, use the acfsutil encr set command.

Only an administrator can run this command on an Oracle ACFS file system (-m option without a path specified). When the -m option is specified without a path, all the files under the mount point are encrypted.

The path option can specify a path to a file or directory in a read-write snapshot. If the -r option is specified with the command on the root directory, the command does not traverse the snapshots under the .ACFS directory. If an encryption operation is specified at the file system level, then the operation does not process files and directories of snapshots in the .ACFS/snaps/ directory.

Only a user with root or system administrator privileges can run this command to enable encryption on a file system. The file owner can also run this command to enable encryption on a directory or file.

Examples

The following are examples of the use of acfsutil encr on.

Example 16-74 Using the acfsutil encr on command

# /sbin/acfsutil encr on -m /acfsmounts/acfs1

# /sbin/acfsutil encr on -m /acfsmounts/acfs1
                         -a AES -k 128 -r /acfsmounts/acfs1/myfiles

acfsutil encr rekey

Purpose

Generates a new key and re-encrypts a volume or file.

Syntax and Description


acfsutil encr rekey -h
acfsutil encr rekey -m mount_point
     {-f [-r] path [path...] | -v} [-a {AES} -k {128|192|256}]

acfsutil encr rekey -h displays help text and exits.

Table 16-82 contains the options available with the acfsutil encr rekey command.

Table 16-82 Options for the acfsutil encr rekey command

Option            Description

-m mount_point
    Specifies the directory where the file system is mounted.

-f [-r] path ...
    Generates a new file encryption key for the specified path and then encrypts the data with the new key.

    If -r is specified, the rekey operation is performed recursively under path.

    path specifies the absolute or relative path of a directory. Multiple path values are allowed.

-v
    Generates a new volume encryption key (VEK) for the specified mount point and then encrypts all the file encryption keys in the file system with the new key. Prompts for the wallet password because the wallet must be accessed to store the new VEK.

    The generated key is stored in the key store that was previously configured with the acfsutil encr init command.

-a algorithm
    Specifies the algorithm. Advanced Encryption Standard (AES) is the only encryption algorithm supported for this release.

-k key_length
    Specifies the key length for the directory or file specified by path.

This command cannot be run on security realm-protected files.

The default values for the -a and -k options are determined by the volume parameters specified when acfsutil encr set was run.

The path option can specify a path to a file or directory in a read-write snapshot. If the -r option is specified with the command on the root directory, the command does not traverse the snapshots under the .ACFS directory. If a rekey operation is specified at the file system level, then the operation does not process files and directories of snapshots in the .ACFS/snaps/ directory.

Only a user with root or system administrator privileges can run this command with the -v option. The file owner can also run this command with the -f option to rekey encryption on the directory or file.

Examples

The following are examples of the use of acfsutil encr rekey.

Example 16-75 Using the acfsutil encr rekey command

# /sbin/acfsutil encr rekey -m /acfsmounts/acfs1 -v

# /sbin/acfsutil encr rekey -m /acfsmounts/acfs1 -f
                            -r /acfsmounts/acfs1/myfiles

acfsutil encr set

Purpose

Sets or changes encryption parameters for an Oracle ACFS file system.

Syntax and Description


acfsutil encr set -h
acfsutil encr set [-a {AES} -k {128|192|256} | -u] -m mount_point

acfsutil encr set -h displays help text and exits.

Table 16-83 contains the options available with the acfsutil encr set command.

Table 16-83 Options for the acfsutil encr set command

Option            Description

-a algorithm
    Specifies the algorithm. Advanced Encryption Standard (AES) is the default value and the only encryption algorithm supported for this release. The algorithm must be specified if -k is specified.

-k {128|192|256}
    Specifies the key length. The key length is set at the volume level. The default is 192. Must be specified if -a is specified.

-u
    Backs out encryption. Decrypts all encrypted files in the file system and reverts the file system to the state before acfsutil encr set was run on the file system. If security is being used, then this command can only be run after security has been backed out. To remove security, refer to "acfsutil sec prepare".

-m mount_point
    Specifies the directory where the file system is mounted.

Before running the acfsutil encr set command, you must first run the acfsutil encr init command.

The acfsutil encr set command configures encryption parameters for a file system, transparently generates a volume encryption key, and stores the generated key in the key store that was previously configured with the acfsutil encr init command.

If auditing is initialized on a cluster, this command also enables an Oracle ACFS encryption auditing source on the file system. The actions performed when enabling this audit source are the same as those done when the acfsutil audit enable command is run directly. For more information, refer to "acfsutil audit enable".

In addition acfsutil encr set creates the mount_point/.Security/encryption/logs/ directory that contains the log file (encr-hostname_fsid.log) that collects auditing and diagnostic data.

Password requirements when storing the key are dependent on how the encryption key storage was configured. If -p was specified with acfsutil encr init, then a password is required to run this command.

The acfsutil encr set -u command is not allowed if any snapshots exist in the file system.

Only a user with root or system administrator privileges can run the acfsutil encr set command.

Examples

The following example shows the use of the acfsutil encr set command.

Example 16-76 Using the acfsutil encr set command

# /sbin/acfsutil encr set -a AES -k 256 -m /acfsmounts/acfs1
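The following script is an added example and not part of the Oracle ACFS guide. It drives the enablement order the preceding sections require (acfsutil encr init once per cluster, then encr set for the volume parameters, then encr on, then encr info to confirm), validates the key length before touching the file system, and stops at the first failing step. ACFSUTIL, DRYRUN and RUN_INIT are assumed variable names; with DRYRUN=1 the command lines are printed instead of executed so the sequence can be reviewed on a host without ACFS.

```shell
#!/bin/sh
# Added example (not Oracle's code): run the Oracle ACFS encryption enablement
# sequence in the documented order. ACFSUTIL, DRYRUN and RUN_INIT are assumed names.
ACFSUTIL="${ACFSUTIL:-/sbin/acfsutil}"

# acfsutil accepts only AES with a 128-, 192- or 256-bit key; reject anything
# else before any encryption command runs.
valid_key_length() {
    case "$1" in
        128|192|256) return 0 ;;
        *) return 1 ;;
    esac
}

# With DRYRUN=1 the command line is printed rather than executed.
run_cmd() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# enable_acfs_encryption MOUNT_POINT [KEY_LENGTH]
# Returns 2 on a bad key length, 1 if any acfsutil step fails, 0 on success.
enable_acfs_encryption() {
    mp="$1"
    klen="${2:-192}"   # 192 is the documented default for acfsutil encr set
    if ! valid_key_length "$klen"; then
        echo "key length must be 128, 192 or 256, got: $klen" >&2
        return 2
    fi
    # encr init creates the key store and is a once-per-cluster step, so it
    # only runs when the caller sets RUN_INIT=1.
    if [ "${RUN_INIT:-0}" = 1 ]; then
        run_cmd "$ACFSUTIL" encr init || return 1
    fi
    # Volume parameters must be set before files are encrypted.
    run_cmd "$ACFSUTIL" encr set -a AES -k "$klen" -m "$mp" || return 1
    # Encrypt the whole file system (the -m option without a path).
    run_cmd "$ACFSUTIL" encr on -m "$mp" || return 1
    # Confirm status, algorithm and key length at the file system level.
    run_cmd "$ACFSUTIL" encr info -m "$mp"
}
```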

acfsutil keystore migrate

Purpose

Migrates the encryption keystore.

Syntax and Description


acfsutil keystore migrate -h
acfsutil keystore migrate [-p]

acfsutil keystore migrate -h displays help text and exits.

Table 16-84 contains the options available with the acfsutil keystore migrate command.

Table 16-84 Options for the acfsutil keystore migrate command

Option            Description

-p
    Converts the encryption keystore from an SSO wallet to a PKCS wallet.

If the -p option is specified, acfsutil keystore migrate converts the SSO wallet to a PKCS wallet. If the -p option is not specified, acfsutil keystore migrate converts the PKCS wallet to an SSO wallet.

Only a user with root or system administrator privileges can run this command.

Examples

The following is an example of the use of acfsutil keystore migrate.

Example 16-77 Using the acfsutil keystore migrate command

# /sbin/acfsutil keystore migrate