lsencryption

Edit online

Use the lsencryption command to display system encryption information.

Syntax

Read syntax diagramSkip visual syntax diagram lsencryption -nohdr-delimdelimiter

Parameters

-nohdr
(Optional) By default, headings are displayed for each item of data in a detailed style view. The -nohdr parameter suppresses the display of these headings.
Note: If there is no data to be displayed, headings are not displayed.
-delim delimiter
(Optional) In a detailed view, each item of data has its own row, and if the headings are displayed, the data is separated from the heading by a space. The -delim parameter overrides this behavior. Valid input for the -delim parameter is a 1-byte character. In a detailed view, the data is separated from its heading by the specified delimiter.

Description

Use this command to display output that is related to the system encryption state.
This table describes possible outputs.
Table 1. lsencryption output
Attribute Value
status Indicates the system USB encryption status.
  • not_supported, which indicates that the system has no supported encryption function.
  • not_licensed, which indicates that the system supports USB encryption but not all licenses are installed.
  • licensed, which indicates that the system has licenses that are installed for all encryption-capable hardware.
  • enabled, which indicates that system encryption by using USB flash drives is working and ready to create encrypted storage.
error_sequence_number Indicates the event log sequence number of any problem that affects encryption. If there is no problem, it is blank.
usb_rekey Indicates the state of the Universal Serial Bus (USB) rekey process.
  • no, which indicates that there is no rekey process ongoing, but keys exist.
  • no_key, which indicates that there is no rekey process and keys do not exist.
  • prepared, which indicates that a rekey process is active and the system prepares a new key that is waiting for this command to be issued: chencryption -usb newkey -key commit.
  • committing, which indicates that a commit is in progress.
usb_key_copies Indicates the number of USB devices that prepared keys are written to.
usb_key_filename Indicates the name of the file that contains the current encryption key.
usb_rekey_filename Indicates the name of the file that contains the current prepared encryption key.
keyserver_status Indicates the encryption status for key server encryption. The values are:
  • not_supported, which indicates that the system has no supported encryption function.
  • not_licensed, which indicates that the system supports key server encryption but not all licenses are installed.
  • licensed, which indicates that the system has licenses that are installed for all encryption-capable hardware.
  • enabled, which indicates that system encryption by using key servers is working and ready to create encrypted storage.
keyserver_rekey Indicates the state of the key server rekey process. The values are:
  • no, which indicates that there is no rekey process ongoing, but keys exist.
  • no_key, which indicates that there is no rekey process and keys do not exist.
  • prepared, which indicates that a rekey process is active and the system prepares a new key that is waiting for this command to be issued: chencryption -keyserver newkey -key commit.
  • committing, which indicates that a commit is in progress.
keyserver_pmk_uid Indicates the UID for the key server.
keyserver_rekey_pmk_uid Indicates the UID (after a rekey process) for the key server.

An invocation example for an encrypted system with no rekey

lsencryption

The resulting output:

status enabled
error_sequence_number 
usb_rekey no
usb_key_copies 0
usb_key_filename 
usb_rekey_filename 
keyserver_status disabled
keyserver_rekey no_key
keyserver_pmk_uid
keyserver_rekey_pmk_uid

An invocation example for an encrypted system during the rekey

lsencryption

The resulting output:

status enabled
error_sequence_number 
usb_rekey prepared
usb_key_copies 3
usb_key_filename 
usb_rekey_filename encryptionkey_0000020061800028_0010030C00000007_Cluster_9.19.88.231
keyserver_status enabled
keyserver_rekey prepared
keyserver_pmk_uid 
keyserver_rekey_pmk_uid KEY-1b9dcbe7-8b1c-401d-9bc2-1791534689fc

An invocation example for an encrypted system after the rekey completes

lsencryption

The resulting output:

status enabled
error_sequence_number 
usb_rekey no
usb_key_copies 3
usb_key_filename encryptionkey_0000020061800028_0010030C00000007_Cluster_9.19.88.231
usb_rekey_filename 
keyserver_status enabled
keyserver_rekey committing
keyserver_pmk_uid 
keyserver_rekey_pmk_uid KEY-1a9hlfd8-8b1c-401d-9xy4-2948374653fc