This section discusses the basic operations to manage encryption on an Oracle ACFS file system on Linux. The examples in this section show a scenario in which the medical history files are encrypted in an Oracle ACFS file system.
The steps in this section assume Oracle ACFS security is not configured for the file system; however, you can use both Oracle ACFS security and encryption on the same file system. If you decide to use both security and encryption, then both encryption and security must be initialized for the cluster containing the file system. After security is initialized on the file system, then an Oracle ACFS security administrator runs acfsutil
sec
commands to provide encryption for the file system. For information about setting up security with encryption, refer to "Securing Oracle ACFS File Systems".
Because the acfsutil
encr
set
and acfsutil
encr
rekey
-v
commands modify the encryption key store, you should back up the Oracle Cluster Registry (OCR) after running these commands to ensure there is an OCR backup that contains all of the volume encryption keys (VEKs) for the file system.
The disk group on which the volume is created for the file system has compatibility attributes for ASM
and ADVM
set to 11.2.0.3
or higher. For information about disk group compatibility, refer to "Disk Group Compatibility".
For the examples in this section, various operating system users, operating system groups, and directories must exist.
The basic steps to manage encryption are:
Initialize encryption.
Run the acfsutil
encr
init
command to initialize encryption and create the storage necessary for the encryption keys. This command must be run one time for each cluster on which encryption is set up.
For example, the following command initializes encryption for a cluster.
# /sbin/acfsutil encr init
This command must be run before any other encryption command and requires root or administrator privileges to run.
For more information, refer to "acfsutil encr init".
Set encryption parameters.
Run the acfsutil
encr
set
command to set the encryption parameters for the entire Oracle ACFS file system.
For example, the following command sets the AES
encryption algorithm and a file key length of 128
for a file system mounted on the /acfsmounts/acfs1
directory.
# /sbin/acfsutil encr set -a AES -k 128 -m /acfsmounts/acfs1/
The acfsutil
encr
set
command also transparently generates a volume encryption key which is stored in the key store that was previously configured with the acfsutil
encr
init
command.
This command requires root or administrator privileges to run.
For more information, refer to "acfsutil encr set".
Enable encryption.
Run the acfsutil
encr
on
command to enable encryption for directories and files.
For example, the following command enables encryption recursively on all files in the /acfsmounts/acfs1/medicalrecords
directory.
# /sbin/acfsutil encr on -r /acfsmounts/acfs1/medicalrecords -m /acfsmounts/acfs1/
For users that have appropriate permissions to access files in the /acfsmounts/acfs1/medicalrecords
directory, they can still read the decrypted files.
This command can be run by an administrator or the file owner.
For more information, refer to "acfsutil encr on".
Display encryption information.
Run the acfsutil
encr
info
command to display encryption information for directories and files.
# /sbin/acfsutil encr info -m /acfsmounts/acfs1/ -r /acfsmounts/acfs1/medicalrecords
This command can be run by an administrator or the file owner.
For more information, refer to "acfsutil encr info".
Auditing and diagnostic data for Oracle ACFS encryption is saved to log files. For more information about Oracle ACFS encryption, including the log files, refer to "Oracle ACFS Encryption".