Updated May 2010
(Linux) This routine allows files to be encrypted and decrypted on command (via a subroutine) using AES encryption. Perhaps more importantly, you can read and write directly to encrypted files just as if they were normal files. This function was added to A-Shell at the request of a single developer, but it will likely be needed by others in the future. The objective is to provide a higher degree of privacy protection for sensitive data by closing three of the main security gaps in most organizations: 1) hackers breaking into the network and stealing data files directly; 2) employees or other insiders copying data from the server to their PC and then to email or removable media; and 3) stealing backups.
EFS.SBR handles most of the operations related to encryption:
xcall EFS,0,STS ! check if EFS is available
xcall EFS,1,STS,KEY ! specify new encryption key
xcall EFS,2,STS,FSPEC ! check if FSPEC file encrypted
xcall EFS,3,STS,ISPEC{,OSPEC} ! encrypt ISPEC {into OSPEC}
xcall EFS,4,STS,ISPEC{,OSPEC} ! decrypt ISPEC {into OSPEC}
STS (F,6) is returned as follows:
0 = success
-1 = EFS not available
-2 = EFS not licensed
-3 = param error
>0 = errno
KEY (X,32) should be mapped as follows:
MAP1 KEY,X,32
MAP2 KEY$,S,32,@KEY
By specifying the unformatted KEY parameter, it will not show up in the trace log even if TRACE=XCALL is set. Furthermore, if your key is less than 32 bytes long, the remaining key bytes will be supplied from a default internal A-Shell key. By taking advantage of this feature, even if your part of the key were exposed and a copy of the file stolen, the culprit would still need a licensed copy of A-Shell to decrypt it.
ISPEC and OSPEC are AMOS or native filespecs.
When the EFS license option is enabled, A-Shell will automatically detect when a random, ISAM, or ISAM-A file has been encrypted, so there is no need to specifically identify to A-Shell which files are encrypted, except when you create a new file. In that case, for RANDOM files created with ALLOCATE, use XCALL ASFLAG,512 prior to the ALLOCATE to set the encryption flag. (As with other ASFLAG values, the setting only lasts until the end of the current program.) For ISAM-A, you can use the new ISMUTL /E switch (requires ISMUTL.LIT 1.3(128) or higher). For old ISAM, you can first use ISMBLD, then use XCALL EFS,3,STS,ISPEC to encrypt the DAT and/or IDX file(s). (An ISMBLD switch may be added if there is a demand.)
Note that direct reading and writing of encrypted files only works for “contiguous” files (random, ISAM, ISAM-A). For print files, if you want to encrypt them, you will probably need to use XCALL EFS after closing (and after spooling, if applicable) the file. Similarly, you would use XCALL EFS again to decrypt it before accessing (viewing, reprinting) the file later.
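The following A-Shell BASIC program is an added example, not part of this documentation and not the EFSTST sample: it walks through the calls described above (check availability, set the key, flag a new RANDOM file with ASFLAG 512, check a file's encryption status, and encrypt a closed print file) and maps the STS values to messages. The file names CUST.DAT and REPORT.LST, the key text, the 100-block size and the exact ALLOCATE syntax are assumptions for illustration; the page does not state which STS value function 2 returns for an unencrypted file, so the check only reports the status.

```basic
! EFSDEMO.BP -- added example; not from the A-Shell documentation or EFSTST.
! Assumed/constructed: file names CUST.DAT and REPORT.LST, the key text,
! the ALLOCATE block count and ALLOCATE syntax. EFS and ASFLAG calls are
! used exactly as documented above.

MAP1 STS,F,6
MAP1 KEY,X,32               ! unformatted, so the key stays out of TRACE=XCALL logs
MAP2 KEY$,S,32,@KEY
MAP1 FSPEC$,S,60

! Step 1: is EFS installed and licensed? Fail early if not.
xcall EFS,0,STS
if STS <> 0 then
    gosub EFSERR
    end
endif

! Step 2: supply the site-specific part of the key. Bytes beyond its
! length are filled in from the internal A-Shell key, so a leaked key
! text alone is not enough to decrypt the files.
KEY$ = "site-secret-part"                 ! constructed sample value
xcall EFS,1,STS,KEY
if STS <> 0 then
    gosub EFSERR
    end
endif

! Step 3: create a new RANDOM file already encrypted. ASFLAG 512 must be
! set before the ALLOCATE and only lasts until the program ends.
FSPEC$ = "CUST.DAT"                       ! hypothetical file
xcall ASFLAG,512
allocate FSPEC$,100                       ! 100 blocks; ALLOCATE syntax assumed

! Step 4: report the encryption status of the new file (function 2).
! Assumption: STS = 0 means the check succeeded; the page does not list
! a distinct code for "not encrypted", so only the raw status is shown.
xcall EFS,2,STS,FSPEC$
print "EFS status for ";FSPEC$;": ";STS
! From here on, ordinary OPEN/READ/WRITE on CUST.DAT work transparently.

! Step 5: a print file cannot be written encrypted directly; encrypt it
! after it is closed (and spooled), and decrypt it again with function 4
! before viewing or reprinting it.
FSPEC$ = "REPORT.LST"                     ! hypothetical, already closed
xcall EFS,3,STS,FSPEC$
if STS <> 0 then gosub EFSERR
end

! Map the STS values listed above to messages; positive values are errno.
EFSERR:
    if STS = -1 then
        print "EFS not available"
    else
        if STS = -2 then
            print "EFS not licensed"
        else
            if STS = -3 then
                print "EFS parameter error"
            else
                print "OS error (errno) ";STS
            endif
        endif
    endif
    return
```

Because the key lives in the unformatted X,32 variable and only the S,32 overlay is assigned, the program never passes the key as a formatted string, which is what keeps it out of the XCALL trace log.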
Value  Function
0      Check if EFS is supported
1      Set key
2      Check if file is encrypted
3      Encrypt file
4      Decrypt file
5      Check key
6      Check efslib build
7      Enable/disable logging
8      Test read/write/allocate
9      Stream input/output
More detailed documentation on these functions is pending. In the meantime, check the sample program EFSTST for more information.
History
2010 May: Function table added to documentation.
2004 May, A-Shell 4.9.889: EFS.SBR added to A-Shell.