acfsutil encr set

Purpose

Sets or changes encryption parameters for an Oracle ACFS file system.

Syntax and Description

acfsutil encr set -h
acfsutil encr set [ [-a {AES} -k {128|192|256}] [-e] | -u ] -m mount_point

acfsutil encr set -h displays help text and exits.

Table 16-83 contains the options available with the acfsutil encr set command.


Table 16-83 Options for the acfsutil encr set command

Option Description

-a algorithm

Specifies the algorithm. Advanced Encryption Standard (AES) is the default value and the only encryption supported for this release. The algorithm must be specified if -k is specified.

-k {128|192|256}

Specifies the key length. The key length is set at the volume level. The default is 192. Must be specified if -a is specified.

-e

Specifies to use Oracle Key Vault as the key store.

-u

Backs out encryption. Decrypts all encrypted files in the file system and reverts the file system to the state before acfsutil encr set was run on the file system. If security is being used, then this command can only be run after security has been backed out. To remove security, refer to "acfsutil sec prepare".

-m mount_point

Specifies the directory where the file system is mounted.


Before running the acfsutil encr set command, you must first run the acfsutil encr init command.

The acfsutil encr set command configures encryption parameters for a file system, transparently generates a volume encryption key, and stores the generated key in the key store that was previously configured with the acfsutil encr init command.

If auditing is initialized on a cluster, this command also enables an Oracle ACFS encryption auditing source on the file system. The actions performed when enabling this audit source are the same as those done when the acfsutil audit enable command is run directly. For more information, refer to "acfsutil audit enable".

In addition, acfsutil encr set creates the mount_point/.Security/encryption/logs/ directory that contains the log file (encr-hostname_fsid.log) that collects auditing and diagnostic data.

Password requirements when storing the key are dependent on how the encryption key storage was configured. If -p was specified with acfsutil encr init, then a password is required to run this command.

Before using the -e option to specify Oracle Key Vault as the key store, Oracle Key Vault must be configured first. If you want to choose Oracle Key Vault as the key store for the file system, then the Oracle Key Vault home environment variable (OKV_HOME) must be set when running the command with the -e option. If the client was configured to use a password with Oracle Key Vault, then the same password must be entered when prompted.

See Also:

Oracle Key Vault Administrator's Guide for information about configuring Oracle Key Vault

The acfsutil encr set -u command is not allowed if any snapshots exist in the file system.

Only a user with root or system administrator privileges can run the acfsutil encr set command.

Examples

The following example shows the use of the acfsutil encr set command.

Example 16-76 Using the acfsutil encr set command

# /sbin/acfsutil encr set -a AES -k 256 -m /acfsmounts/acfs1
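
The option rules described above (-a and -k given together, -u as an alternative to the other options, OKV_HOME required with -e, the 192-bit default) can be checked before the command is run as root. The following shell function is an added example, not part of the Oracle documentation or tooling; the name encr_set_preflight, its messages and its return codes are assumptions, and it never invokes acfsutil.

```shell
# Added example: validates arguments for 'acfsutil encr set' against the
# rules stated on this page. It does not run acfsutil.
# encr_set_preflight, its messages and return codes are hypothetical.
encr_set_preflight() {
    local algo="" klen="" use_okv=0 undo=0 mnt="" opt
    OPTIND=1
    while getopts ":a:k:eum:" opt; do
        case "$opt" in
            a) algo=$OPTARG ;;
            k) klen=$OPTARG ;;
            e) use_okv=1 ;;
            u) undo=1 ;;
            m) mnt=$OPTARG ;;
            *) echo "unknown or incomplete option: -$OPTARG" >&2; return 2 ;;
        esac
    done
    [ -n "$mnt" ] || { echo "-m mount_point is required" >&2; return 2; }

    # -u is an alternative to the [-a -k] [-e] group, never an addition to it.
    if [ "$undo" -eq 1 ]; then
        if [ -n "$algo$klen" ] || [ "$use_okv" -eq 1 ]; then
            echo "-u cannot be combined with -a, -k or -e" >&2; return 2
        fi
        return 0
    fi

    # -a and -k must be given together; AES is the only algorithm.
    if [ -n "$algo" ] && [ -n "$klen" ]; then
        [ "$algo" = "AES" ] || { echo "only AES is supported" >&2; return 2; }
        case "$klen" in
            128|192|256) ;;
            *) echo "key length must be 128, 192 or 256" >&2; return 2 ;;
        esac
    elif [ -n "$algo$klen" ]; then
        echo "-a and -k must be specified together" >&2; return 2
    else
        echo "note: no -k given, key length defaults to 192" >&2
    fi

    # -e stores the key in Oracle Key Vault and needs OKV_HOME set.
    if [ "$use_okv" -eq 1 ] && [ -z "${OKV_HOME:-}" ]; then
        echo "OKV_HOME must be set when using -e" >&2; return 3
    fi
    return 0
}
```

A return value of 0 means the argument set is consistent with the syntax on this page; it does not check that acfsutil encr init has been run or that no snapshots exist.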