[OpenAFS] data encryption

Jim Rees rees@umich.edu
Thu, 04 Jan 2001 12:12:57 -0500


We have been using full data encryption in our Transarc afs cell for about a
year now.  Before that, cpu load on the server was a problem, but upgrading
from a Sparc IPC to a Sparcstation (something) solved that.

The Transarc code requires a couple of small patches to make this work.  The
code is all there but "fs" needs to be able to turn encryption on and off,
and the encryption flag needs to get carried down to the proper place.  I
haven't looked at that part of the OpenAFS code but it shouldn't be hard.

The fcrypt algorithm is better than nothing but less than ideal.

NFS v4 uses gss for authentication and encryption.  I suspect that's
overkill for afs, but it has some nice features.  For example, the OpenBSD
client will eventually use the OpenBSD kernel crypt library, and that means
a choice of algorithms, as well as hardware acceleration where it's
available.