Getting Started with IFS Encryption

To get started with IFS encryption, first configure Powertech Encryption for IBM i’s Key Management settings.

Configure Settings and Keys

Use the commands below, in the order listed, to configure Powertech Encryption for IBM i’s Automatic IFS Encryption:

Step 1 – Change system values and IFS object settings.

  1. Set the QSCANFS system value to *ROOTOPNUD. This enables scanning of objects in the root (/), QOpenSys and user-defined file systems; without it, the scan-open and scan-close exit programs added in Step 2 are never invoked.
  2. Set the QSCANFSCTL system value to *NONE (no additional scan controls).
  3. Set the Create Object Scanning attribute (*CRTOBJSCAN) of the directory to *YES, so that objects created in the directory from then on are scan-enabled.

    EXAMPLE:
    CHGATR OBJ('/home/lynn') ATR(*CRTOBJSCAN) VALUE(*YES)
  4. Set the Object Scanning attribute (*SCAN) of the IFS file to *YES.

    EXAMPLE:
    CHGATR OBJ('/home/lynn/audit.trc') ATR(*SCAN) VALUE(*YES)

    Each file that is to be encrypted must have its *SCAN attribute set to *YES. Setting *CRTOBJSCAN on the directory only affects objects created after the change; files that already exist in the directory must have *SCAN set explicitly.
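As an added example (not from the Powertech Encryption manual), here is the whole of Step 1 as a CL program that applies the settings to one directory tree and then reads QSCANFS back as a check. The program name SETIFSSCAN, the directory parameter, the escape-message handling and the use of SUBTREE(*ALL) to reach files that already exist below the directory are assumptions of this example; the system values, attributes and the sample path '/home/lynn' are the ones given above.

```cl
/* Added example; not part of the Powertech Encryption manual.            */
/* Performs Step 1 for one directory tree passed as a parameter.          */
/* Call (assumed program name):  CALL PGM(SETIFSSCAN) PARM('/home/lynn')  */
             PGM        PARM(&DIR)
             DCL        VAR(&DIR)     TYPE(*CHAR) LEN(256)
             DCL        VAR(&QSCANFS) TYPE(*CHAR) LEN(10)

             /* Program-level monitor: any unhandled CPF failure below   */
             /* ends the program with an escape message.                 */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

             /* Items 1-2: system values (requires *ALLOBJ and *SECADM). */
             /* *ROOTOPNUD enables scanning in root (/), QOpenSys and    */
             /* UDFS. Without it the QIBM_QP0L_SCAN_OPEN/SCAN_CLOSE exit */
             /* programs registered by ADDIFSEXTP are never called.      */
             CHGSYSVAL  SYSVAL(QSCANFS) VALUE('*ROOTOPNUD')
             CHGSYSVAL  SYSVAL(QSCANFSCTL) VALUE('*NONE')

             /* Item 3: objects created in the tree from now on will be   */
             /* scan-enabled. SUBTREE(*ALL) (assumption of this example) */
             /* also covers subdirectories that already exist.           */
             CHGATR     OBJ(&DIR) ATR(*CRTOBJSCAN) VALUE(*YES) +
                          SUBTREE(*ALL)

             /* Item 4: *CRTOBJSCAN does not change files that already   */
             /* exist, so set *SCAN on every existing file in the tree.  */
             CHGATR     OBJ(&DIR) ATR(*SCAN) VALUE(*YES) SUBTREE(*ALL)

             /* Check: read the system value back instead of assuming    */
             /* that CHGSYSVAL took effect.                               */
             RTVSYSVAL  SYSVAL(QSCANFS) RTNVAR(&QSCANFS)
             IF         COND(&QSCANFS *NE '*ROOTOPNUD') +
                          THEN(GOTO CMDLBL(FAIL))

             SNDPGMMSG  MSG('IFS scan settings applied to ' *CAT &DIR) +
                          MSGTYPE(*COMP)
             RETURN

 FAIL:       SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('IFS scan setup failed for ' *CAT &DIR) +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

After running it, WRKLNK on the directory and option 8 (Display attributes) on a file shows the "Create object scanning" and "Scan" values that were set.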

Step 2 – Run the ADDIFSEXTP (Add IFS Exit Point Programs) command, found on the IFS Utility Menu (GO CRYPTO/CRYPTO14). This command adds the Fortra integrated exit programs to the QIBM_QPWFS_FILE_SERV, QIBM_QP0L_SCAN_CLOSE and QIBM_QP0L_SCAN_OPEN exit points on the system. You can confirm the registrations afterwards with WRKREGINF EXITPNT(QIBM_QP0L_SCAN*) and WRKREGINF EXITPNT(QIBM_QPWFS_FILE_SERV), taking option 8 to list the exit programs on each point.

IMPORTANT: Fortra has integrated exit point sharing among select Fortra IBM i products. After you add the IFS exit points, a new EXITINT library and "Fortra Required Objects" will be created. The library and associated objects support the exit point sharing (for specific exit points).

Step 3 – Restart the QSERVER subsystem now or later.

After the exit programs have been added to the appropriate exit points, a pop-up window asks if you would like to restart the QSERVER subsystem now or later.

NOTE: Jobs already running under QSERVER (the file server jobs that call the QIBM_QPWFS_FILE_SERV exit point) do not recognize a newly added exit program until QSERVER is restarted. You can press F12 to skip the restart and prevent those jobs from ending; depending on your internal operations, you might prefer to wait until the next IPL.

Later runs of ADDIFSEXTP do not prompt you to restart QSERVER: once the Fortra integrated exit program has been added and QSERVER has been restarted the first time, no further restart is needed. See Remove IFS Exit Point Programs (RMVIFSEXTP).

Step 4 – Run the STRIFSENCJ command, found on the IFS Utility Menu (GO CRYPTO/CRYPTO14). This command submits the IFS server job to batch.

The job uses the CRYPTO job description shipped in the CRYPTO library. Make any changes your system requires to this job description before running the command.

NOTE: If Powertech Encryption for IBM i has not yet been set up on your system, configure its Symmetric Key Management settings and establish your first Data Encryption Key at this point. To do so:
  1. CHGKEYPCY (Review and/or change the Key Policy settings. Prompt command with F4)
  2. WRKKEYOFR (Indicate which users can create and manage Keys)
  3. LODMSTKEY (Prepare a Master Encryption Key (MEK) by loading the passphrase parts)
  4. CRYPTO/SETMSTKEY (Generate (set) the MEK using the loaded passphrase parts)

See Getting Started in the Powertech Encryption for IBM i User Guide for additional details.

Step 5 – CRTKEYSTR (create a key store to contain the Data Encryption Keys (DEK))

Step 6 – CRTSYMKEY (create a Data Encryption Key (DEK) and save it into the Key Store)

Step 7 – Create an authorization list that determines who is authorized to decrypt.

Step 8 – WRKIFSENC (create an entry that specifies which directories to encrypt)
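As an added example for Step 7 (not from the Powertech Encryption manual), the following CL creates the decrypt authorization list with *PUBLIC excluded and grants only the small decrypt population, then displays the result. The list name DECRYPTAUT and the profile names PAYROLLDEC and AUDITOR1 are assumptions of this example; where the list is referenced by the product is not shown on this page.

```cl
/* Added example; not part of the Powertech Encryption manual.            */
/* Creates the Step 7 authorization list: only the named decrypt users    */
/* are authorized, everyone else (*PUBLIC) is excluded. DECRYPTAUT,       */
/* PAYROLLDEC and AUDITOR1 are assumed names. Run interactively.          */
             PGM
             /* Create the list only if it does not exist yet, so the    */
             /* program can be rerun. CPF9801 = object not found.        */
             /* AUT(*EXCLUDE) sets *PUBLIC on the list explicitly rather */
             /* than relying on the command default.                     */
             CHKOBJ     OBJ(QSYS/DECRYPTAUT) OBJTYPE(*AUTL)
             MONMSG     MSGID(CPF9801) EXEC(CRTAUTL AUTL(DECRYPTAUT) +
                          TEXT('Users permitted to decrypt IFS data') +
                          AUT(*EXCLUDE))

             /* Grant the decrypt population only. Users who merely      */
             /* write (encrypt) data are deliberately not added here.    */
             /* To change an entry that already exists, use CHGAUTLE.    */
             ADDAUTLE   AUTL(DECRYPTAUT) USER(PAYROLLDEC) AUT(*USE)
             ADDAUTLE   AUTL(DECRYPTAUT) USER(AUDITOR1)   AUT(*USE)

             /* Verify: *PUBLIC must show *EXCLUDE and only the users    */
             /* granted above should appear.                             */
             DSPAUTL    AUTL(DECRYPTAUT)
             ENDPGM
```

Keep the list short and review it with DSPAUTL as part of periodic access reviews; every profile on it can read the protected data in the clear.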

The documentation for these commands (and all other Powertech Encryption for IBM i commands) is contained within this Powertech Encryption for IBM i Manual. All Powertech Encryption for IBM i commands also have online help text which can be accessed with the F1 key when a command is prompted.

NOTE: You will usually want a smaller group of users who can access (decrypt) sensitive data than the larger group of users who can enter (encrypt) it. This can be accomplished by using two Key Stores, each with its own authorities. In the first Key Store, place the Keys needed for encryption and give that Key Store a broader set of authorities. In the second Key Store, place the Keys needed for decryption and give that Key Store a much smaller set of authorities. For more information, see Controlling Access to Decrypted Values.