IFS Encryption Processes and Notes
The IFS Encryption process works in the following way:
When an IFS Entry is activated, the following processes will occur for all files in the directory(s):
- When SAVDTA is set to *YES a backup of the directory and optionally subdirectories is created.
- Journaling is started for the directory(s) and all files in the directory(s).
- If the file is not zero bytes:
  - The file is Encrypted into the Target directory.
  - The file is cleared and set to zero bytes.
  - A record is added in the CRPFIFS File.
When an IFS Entry is Deactivated, the process will do the following to every file found in the directory(s):
- When SAVDTA is set to *YES a backup of the directory and optionally subdirectories is created and a backup of the target directory is created.
- Journaling is stopped for the file.
- If the file has an entry in the CRPFIFS file and is zero bytes, the file is Decrypted.
- The Target Encrypted File is deleted.
- The record is removed from the CRPFIFS File.
For an Activated IFS Entry, when a user attempts to Open a file and the QIBM_QP0L_SCAN_OPEN exit point program is called then the following processes occur:
- The User Authority is checked for the Decrypt Key Store
- If an Authorization List has been entered the User Authority is checked on the Authorization List.
- If the User is Authorized to read the file the file will be Decrypted back into the directory and the process will be allowed to continue.
- If the User is NOT authorized to view the file, then the file is locked and the Open Process will fail. The IBM Message put out when the Open Fails is “Object marked as a scan failure”.
- The file will remain locked until the IFS Server Job unlocks the file. If the Server Job is not running the File will remain locked.
For an Activated IFS Entry, when a File is Closed and the QIBM_QP0L_SCAN_CLOSE exit point program is called then the following processes occur:
- If the file is not zero bytes then the following occurs:
  - Check if a record exists in the CRPFIFS file.
    - If a record does not exist:
      - Check if the Target directory exists. If not then create it.
      - Encrypt the file.
      - Start Journaling.
      - Add a record to the CRPFIFS File.
    - If the record exists:
      - Encrypt the file.
      - Update the record in the CRPFIFS File.
There are some processes that you need to be aware of when using the IFS Encryption Process.
- When an unauthorized user tries to open a file to read, the file is locked on the system. The file will remain locked until the Server Program (IFSENCJOB) Opens and Clears the file. This process will unlock the file. Depending on how backed up the Server program (IFSENCJOB) is, this may not happen immediately.
- When Encrypting or Decrypting large files, files 10 MB or larger, the process of opening or closing a file may take a little longer than you are used to. The process has to decrypt the file before you access the file and encrypt the file when the file closes.
- If a user has a file decrypted and in edit mode, the file will stay decrypted until the file is closed by that user.
  - If an unauthorized user tries to open the file to read it, the file will be locked.
  - Also, if another user tries to move that file out of the directory to another unencrypted directory, they will get the decrypted version of the file.
- If a user moves a file into or out of an Encrypted directory, our processes may not know about it until the IFS Server Program retrieves the Journal after the process has occurred. No immediate Encrypting or Decrypting may take place. If the QIBM_QP0L_SCAN_OPEN or QIBM_QP0L_SCAN_CLOSE exit programs are not called then no Authority checking will take place.
- When the server program (IFSENCJOB) encounters a Journal record showing a file or directory was copied or moved out of an Encrypted directory, the following process is run:
  - Check to see if a record exists in the CRPFIFS file for the Source file or directory. If the record does not exist, we ignore the file or directory.
  - If the source record still exists in the CRPFIFS file, we:
    - Check to see if the user was authorized to Copy or Move the file.
      - If they were not authorized and the process was a move, we recreate the directory structure and zero byte files for the source.
      - If the user was authorized to move the files, we decrypt the files into the destination directories, then remove the source Encrypted files and directories, and then remove the CRPFIFS records.
- When a user tries to Decrypt a file through a mapped drive, the default user that is used is QUSER. Powertech Encryption for IBM i will use the exit point QIBM_QPWFS_FILE_SERV to retrieve the User Id that the user signed in as. This User Id will be used to check for authority to Decrypt the File. When the exit point QIBM_QP0L_SCAN_OPEN is called to Decrypt the file, the user QUSER must be authorized to the Decrypt Key Store to be able to Decrypt the file.
  - If you want all operations to be authorized from a mapped drive, you can also give QUSER authority to the Authorization List.
  - If you want certain users to have authority to Decrypt only when using a mapped drive, you need to give those users or groups *USE Authority to the Authorization List.
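
The notes above mean that any file in an activated directory that is not zero bytes currently holds readable data, either because a user has it open or because it was moved in and IFSENCJOB has not yet processed the Journal entry. The following audit is an added example, not part of Powertech Encryption for IBM i: it walks a directory and reports non-empty files older than a threshold. The function names, the one-hour threshold and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
import time


def find_plaintext_exposures(root, min_age_seconds=0, now=None):
    """Return (path, size, age_seconds) for each non-empty file under root.

    Only stat() is used, so the audit itself never opens a protected file.
    Age is time since last modification, an approximation of how long the
    content has been sitting in the directory.
    """
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or is not accessible; skip it
            age = round(now - st.st_mtime)
            if st.st_size > 0 and age >= min_age_seconds:
                findings.append((path, st.st_size, age))
    # Oldest exposure first: those are the ones to chase.
    return sorted(findings, key=lambda f: f[2], reverse=True)


def demo():
    """Run the audit over a constructed tree (not real product data)."""
    samples = {  # name: (content, seconds since last modification)
        "payroll.csv": (b"", 0),            # at rest: zero bytes
        "open_now.txt": (b"editing", 60),   # open in an editor right now
        "stale.doc": (b"left open", 7200),  # non-empty for two hours
    }
    now = int(time.time())
    with tempfile.TemporaryDirectory() as root:
        for name, (data, age) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (now - age, now - age))
        hits = find_plaintext_exposures(root, min_age_seconds=3600, now=now)
        return [(os.path.basename(p), size, age) for p, size, age in hits]


if __name__ == "__main__":
    for name, size, age in demo():
        print(f"{name}: {size} bytes, non-empty for {age}s")
```

A file that stays on this report across several runs points to a session that never closed it or to IFSENCJOB not running.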