lsencryption

Use the lsencryption command to display system encryption information.

Syntax

>>- lsencryption -- --+----------+-- --------------------------->
                      '- -nohdr -'      

>--+-----------------------+-----------------------------------><
   '- -delim -- delimiter -'   

Parameters

-nohdr
(Optional) By default, headings are displayed for each item of data in a detailed style view. The -nohdr parameter suppresses the display of these headings.
Note: If there is no data to be displayed, headings are not displayed.
-delim delimiter
(Optional) In a detailed view, each item of data has its own row, and if the headings are displayed, the data is separated from the heading by a space. The -delim parameter overrides this behavior. Valid input for the -delim parameter is a one-byte character. In a detailed view, the data is separated from its heading by the specified delimiter.

Description

Use this command to display output related to the system encryption state.
Table 1 describes possible outputs.
Table 1. lsencryption output
Attribute Value
status Indicates the system encryption status.
  • not_supported, which indicates that the system has no supported encryption function.
  • not_licensed, which indicates that the system supports encryption but not all licenses are installed.
  • licensed, which indicates that the system has licenses installed for all encryption-capable hardware.
  • enabled, which indicates that system encryption is working and ready to create encrypted storage.
error_sequence_number Indicates the event log sequence number of any problem affecting encryption. If there is no problem, it is blank.
usb_rekey Indicates the state of the Universal Serial Bus (USB) rekey process.
  • no, which indicates that there is no rekey process ongoing, but keys exist.
  • no_key, which indicates that there is no rekey process and keys do not exist.
  • prepared, which indicates that a rekey process is active and the system has prepared a new key that is waiting for this command to be issued: chencryption -usb newkey -key commit.
  • committing, which indicates that a commit is in progress.
usb_key_copies Indicates the number of USB devices that prepared keys have been written to. The value must be a numeric string.
usb_key_filename Indicates the name of the file containing the current encryption key. The value must be an alphanumeric string containing between 1 and 110 ASCII characters.
usb_rekey_filename Indicates the name of the file containing the current prepared encryption key.
keyserver_status Indicates the encryption status for key server encryption. The values are:
  • not_supported, which indicates that the system has no supported encryption function.
  • not_licensed, which indicates that the system supports encryption but not all licenses are installed.
  • licensed, which indicates that the system has licenses installed for all encryption-capable hardware.
  • enabled, which indicates that system encryption is working and ready to create encrypted storage.
keyserver_rekey Indicates the state of the key server rekey process. The values are:
  • no, which indicates that there is no rekey process ongoing, but keys exist.
  • no_key, which indicates that there is no rekey process and keys do not exist.
  • prepared, which indicates that a rekey process is active and the system has prepared a new key that is waiting for this command to be issued: chencryption -keyserver newkey -key commit.
  • committing, which indicates that a commit is in progress.
keyserver_pmk_uid Indicates the UID for the key server.
keyserver_rekey_pmk_uid Indicates the UID (after a rekey process) for the key server.
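
As an added example (not vendor code), the following Python sketch parses the detailed view described in Table 1 and reports the states an operator would want to review: a status other than enabled, a non-blank error_sequence_number, and a rekey left in prepared or committing. The function names and the sample text are assumptions constructed for illustration, and the parser expects headings to be present (no -nohdr).

```python
# Added example, not vendor code; names and sample text are constructed.
REKEY_FIELDS = ("usb_rekey", "keyserver_rekey")

def parse_lsencryption(text, delim=" "):
    """Return {attribute: value} from the detailed view, one attribute per row.

    delim is a space by default, or the one-byte character given to -delim.
    Blank values are returned as empty strings.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.strip().partition(delim)  # first delimiter only
        fields[name.strip()] = value.strip()
    return fields

def review(fields):
    """Return findings for an operator; an empty list means nothing to review."""
    findings = []
    status = fields.get("status", "")
    if status != "enabled":
        findings.append(f"status is {status or 'missing'}, not enabled")
    seq = fields.get("error_sequence_number", "")
    if seq:
        findings.append(f"event log sequence number {seq} affects encryption")
    for name in REKEY_FIELDS:
        state = fields.get(name, "")
        if state in ("prepared", "committing"):
            findings.append(f"{name} is {state}: rekey not yet complete")
    return findings

# Constructed sample in the shape of `lsencryption -delim :` output.
SAMPLE = """\
status:enabled
error_sequence_number:120
usb_rekey:prepared
usb_key_copies:3
usb_key_filename:
usb_rekey_filename:encryptionkey_EXAMPLE
keyserver_status:not_licensed
keyserver_rekey:no_key
keyserver_pmk_uid:
keyserver_rekey_pmk_uid:
"""

if __name__ == "__main__":
    for finding in review(parse_lsencryption(SAMPLE, delim=":")):
        print(finding)
```
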

An invocation example for an encrypted system with no rekey

lsencryption

The resulting output:

status enabled
error_sequence_number 
usb_rekey no
usb_key_copies 0
usb_key_filename 
usb_rekey_filename 
keyserver_status disabled
keyserver_rekey no_key
keyserver_pmk_uid
keyserver_rekey_pmk_uid

An invocation example for an encrypted system during the rekey

lsencryption

The resulting output:

status enabled
error_sequence_number 
usb_rekey prepared
usb_key_copies 3
usb_key_filename 
usb_rekey_filename encryptionkey_0000020061800028_0010030C00000007_Cluster_9.19.88.231
keyserver_status enabled
keyserver_rekey prepared
keyserver_pmk_uid 
keyserver_rekey_pmk_uid KEY-1b9dcbe7-8b1c-401d-9bc2-1791534689fc

An invocation example for an encrypted system after the rekey completes

lsencryption

The resulting output:

status enabled
error_sequence_number 
usb_rekey no
usb_key_copies 3
usb_key_filename encryptionkey_0000020061800028_0010030C00000007_Cluster_9.19.88.231
usb_rekey_filename