Filesystem encryption manager


fsencrypt -p path -c cmd [-d domain] [-t type] [-K .|:|+|#|@key [-ooffset]]
          [-k .|:|+|#|@key [-ooffset]] [-v] [-f] [-r] [-l log_path]

Runs on:

QNX Neutrino


-c cmd
The command to run; one of:
  • change-key — change a domain key; use -k old_key -K new_key.
  • check — check for support of encryption given path.
  • check-key — verify that the key given is is valid against a domain.
  • create — create a domain given domain, type, and key. A domain is created in its locked state.
  • destroy — destroy a domain; the given domain must be unlocked.
  • enable — enable encryption support on path.
  • get — determine the domain that the given path belongs to.
  • lock — lock a domain within the given path.
  • migrate-delay — change the migration delay between work units. Use -n val to indicate a period in milliseconds.
  • migrate-path — parse a path, assigning the given domain to directories and tagging files to the given domain.
  • migrate-state — determine the amount of remaining migration work.
  • migrate-start — determine begin the background encryption of tagged files.
  • migrate-status — reports the status of migration.
  • migrate-stop — suspends background encryption migration.
  • migrate-tag — tag a file for background encryption (tag is a synonym).
  • migrate-units — set the amount of work to complete beween delay periods. Use -n val to indicate a number of blocks.
  • query — query the status of a domain within the given path.
  • read-key — read a file key information into file.
  • set — set a given path to a numbered domain.
  • set-whole-disk — enables whole-disk encryption using domain. There must be only one domain, domain.
    Note: Plain-text files are hidden if you enable whole-disk encryption.
  • setup — complete the domain setup based on the provided -k :str.
  • unlock — unlock a domain given proper key data.
  • write-key — write a file key described by file to file at path.
-d domain
The domain number to be used (1-100).
If path is a directory, make the move or remove action on the files as well.
-K key
Specify a secondary key, in the same form as for -k.
-k key
Specify key data in one of the following forms:
  • .salt.str — a 64-bit salt value expressed as a string of bytes in hexadecimal digits that may be postfixed to a plain-text string.
  • :setup — command string used with the setup command. The string format is:


  • +str — a user-supplied plain-text string (hashed to a 512-bit key).
  • #str — a base-64 representation of a key (must be 512 bits long)
  • @file — the name of a file that contains binary key data (must be 512 bits long)
-l log_path
The path of the log file to use (stdout is the default).
-n value
Specify a secondary value that some commands require.
-p path
The mountpoint of a Power-Safe (fs-qnx6.so) filesystem.
If path is a directory, take action on the entire tree.
-t type
Used in the creation of a domain to set the encryption mechanism. The supported types include:
  • 0 — no encryption
  • 1 — XTS
  • 2 — CBC
Set verbosity. Each -v increases verbosity.


The fsencrypt utility manages the encryption of a Power-Safe (fs-qnx6.so) filesystem.


Create domain 10 on the root volume using a plain-text password with a 64-bit salt value:

fsencrypt -vc create -d10 -t1 -p/ -k.1234567890abcdef.mypassword

Unlock the domain:

fsencrypt -vc unlock -d10 -p/ -k.1234567890abcdef.mypassword

Add a directory to this domain:

fsencrypt -vc set -d10 -p/secure_dir