-g <length> -k <file to save as> [-kd <key descriptor (uKAD)>]
Generates a key file of the given length (in bits) containing a random hexadecimal key. After entering this
option, you will be required to press random keys followed by the enter key. This will seed the
random number generator so that your key is more secure. Specify the file to save the key into
with the -k option (you will need write permissions to that file location). Lastly, you can enter
an optional key description using the -kd flag (see KEY DESCRIPTORS). This key file can then be
used with the -k option. You should not generate a key file over an unsecured remote session.
Typically, key files should be set to 256 bits (32 hexadecimal bytes); however, your device may
only support 128 bits.
-f <device>
Specifies the device to use (e.g. /dev/nst0, /dev/rmt0.1, /dev/sg0). Use the lsscsi command to
determine the appropriate device to use. You should always use a device name that does not rewind
(i.e. use /dev/nst0 instead of /dev/st0, /dev/rmt0.1 instead of /dev/rmt0). Use commands like
'cat /proc/scsi/scsi', 'lsscsi', and 'lsdev' to determine the proper device to use. On some
distros, a /dev/sg device must be used instead of a /dev/st device.
If this is the only option specified, the status of the device will be displayed. To retrieve
more detailed status information, add --detail. If you are root and the status command fails,
either the device is incorrect (try another link to the device: /dev/rmt0.1, /dev/nst0, /dev/tape,
etc.), a tape may not be in the drive, you may be using the wrong algorithm for the tape drive
(see the -a option), or the device does not support SCSI Security Protocol. stenc may read up to
100 blocks of the tape, starting at the current position, in order to determine if the volume has
been encrypted. For this reason, you should not run the status command while another process is
accessing the drive. If the device returns "Unable to determine" for the volume encryption status,
you may need to move to a section of the tape that contains data (i.e. mt -f <device> fsr <count>)
or rewind the tape in order for stenc to output the volume status.
-e on | mixed | rawread | off
Sets the encryption mode for the device specified with -f option. Successful operations of this
type will create an audit entry in the /var/log/stenc file. If off is not specified and the -k
option is not specified, the program will require the user to enter a hexadecimal key (see KEY INPUT SYNTAX) and an optional key description (see KEY DESCRIPTORS).
on - The drive will encrypt all data sent to it and will only output data it is able to decrypt,
ignoring unencrypted data on the drive.
mixed - The drive will encrypt all data sent to it and will output both encrypted data and
unencrypted data, providing the drive is able to do so.
rawread - The drive will encrypt all data sent to it and will output unencrypted data and raw
encrypted data. You will probably need to have specified --unprotect when the data was written in
order to read it with this option. Some drives do not support this option. See the --protect
option.
off - The drive will neither encrypt data sent to it nor decrypt encrypted data found on the
drive. If this command fails, you may have to switch your algorithm or specify a different default
key size when you configure the program.
WARNING: The SCSI device will revert all encryption settings if the tape device is power cycled
(if the tape drive is external, it may keep the settings even if the system is rebooted). You can
modify your local startup script (/etc/rc.local, /etc/rc, etc.) to set encryption at reboot if need
be. If you do this, you will need to use the -k option to prevent the system from waiting on the
local console user to enter the encryption key.
-a <index>
Only valid when setting encryption (see the -e option). Specifies the algorithm index to use for
the device (defaults to 0, which can be changed using the --with-default-algorithm configure
option). Setting encryption on/off may fail on some devices if this is not the correct algorithm
for the drive (e.g. HP drives use an algorithm index of 1).
--ckod
Only valid when setting encryption (see the -e option). Instructs the drive to clear its
encryption keys when the volume is unmounted instead of keeping it until the drive is power
cycled. Some devices may not support this option.
--protect | --unprotect
Only valid when setting encryption (see the -e option). Instructs the drive to protect or
unprotect any encrypted data from being raw read. See the -e rawread option. Some devices may
not support these options.
-k <file>
Only valid when turning encryption on (see the -e option) or generating a new key (see the -g
option). When turning encryption on, this specifies the location of a key file previously
generated with the -g option. When generating a new key with the -g option, this specifies the
key file that the new key will be saved into. Key files should be owned by root ('chown root')
and only readable by root ('chmod 600'). stenc automatically chmods key files generated with the
-g option.
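The startup-script advice in the WARNING above and the key-file permission rule for -k, combined in one added shell example that is not part of stenc or its man page: a hypothetical boot-time helper that refuses any key file not owned by root with mode 600, then turns encryption on non-interactively with -k so the boot does not block on a console key prompt. The device path, key file path and algorithm index are placeholders, and the permission check assumes GNU stat.

```shell
#!/bin/sh
# Hypothetical boot helper (not part of stenc). Placeholders, override via environment:
DEV="${STENC_DEV:-/dev/nst0}"        # non-rewinding device name, as the -f section advises
KEY="${STENC_KEY:-/etc/stenc.key}"   # key file previously created with -g (assumed path)
ALG="${STENC_ALG:-0}"                # algorithm index; e.g. HP drives need 1 (see -a)

# Refuse a key file that is not mode 600 and owned by OWNER (default root): a key file
# any local user can read defeats the point of encrypting the tape. Assumes GNU stat.
check_keyfile() {
    file="$1"; owner="${2:-root}"
    [ -f "$file" ] || { echo "key file $file missing" >&2; return 1; }
    mode=$(stat -c '%a' "$file") || return 1
    [ "$mode" = "600" ] || { echo "key file $file is mode $mode, expected 600" >&2; return 1; }
    [ "$(stat -c '%U' "$file")" = "$owner" ] || { echo "key file $file not owned by $owner" >&2; return 1; }
    return 0
}

# Render the non-interactive "encryption on" invocation so it can be logged before it runs.
# stenc itself writes an audit entry to /var/log/stenc when the operation succeeds.
stenc_on_cmd() {
    printf 'stenc -f %s -e on -k %s -a %s' "$1" "$2" "$3"
}

apply_encryption() {
    check_keyfile "$KEY" root || exit 1
    echo "running: $(stenc_on_cmd "$DEV" "$KEY" "$ALG")"
    stenc -f "$DEV" -e on -k "$KEY" -a "$ALG" || {
        echo "stenc failed: wrong -a index, no tape loaded, or drive lacks SCSI Security Protocol?" >&2
        exit 1
    }
    # With -f alone stenc prints the drive status; --detail adds the full encryption state,
    # which is the check that the setting actually took effect on this power cycle.
    stenc -f "$DEV" --detail
}

# Only act when invoked as "apply" (e.g. from /etc/rc.local); otherwise just define functions.
if [ "${1:-}" = "apply" ]; then
    apply_encryption
fi
```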