[OpenAFS] Encryption in OpenAFS

Ted Anderson ota@transarc.com
Thu, 21 Feb 2002 09:14:02 -0500 (EST)


On Thu, 21 Feb 2002 10:52:15 +0100 Marc Schmitt <schmitt@inf.ethz.ch> wrote:
> I thought the opposite is true: only the cache will be encrypted, not
> the data that goes over the network.
> 
> fs help setcrypt
> fs setcrypt: set cache manager encryption flag
> Usage: fs setcrypt -crypt <on or off> [-help]
> 
> It refers to the cache manager. So, what's correct now??

Perhaps the usage message is not clear.  The client controls the
encryption state of the Rx connections it makes to the file server.
Using "fs setcrypt on" tells the client to use encryption for file data
transfers.

> * Charles Clancy (security@xauth.net) [20020220 09:36]:
> 
> > If you would like to encrypt everything, do an "fs setcrypt on".
> 
> However, this will *not* encrypt client cache contents, which may or
> may not be a problem for you (it certainly is a problem for us).

This is interesting.  Your users don't trust the client to protect the
data?  Or are you worried about the client's disks being exposed during
service calls or sold after a hardware upgrade?

Ted Anderson