[OpenAFS] Encryption in OpenAFS

Derek Atkins derek@ihtfp.com
26 Feb 2002 11:01:41 -0500


What key would you suggest the cache manager use to encrypt the cache?
Where would that key be stored?

Before you answer, keep in mind that the cache is long-lived and
shared across all users on the machine.

-derek

PS: I agree with all the others -- if this is really an issue for
you then you've got bigger problems than just the cache contents.

KELEMEN Peter <fuji@elte.hu> writes:

> * Nathan Neulinger (nneul@umr.edu) [20020225 11:07]:
>
> > Right, but what good does encrypting the cache do if the windows
> > user could just copy in a "turn off cache encryption" config. Or
> > replace afsd to copy all data elsewhere, or install a sniffer,
> > or whatever.
>
> I get your point, and we are aware of all these.  But you have
> to admit that it is relatively easy for maintenance to ensure
> AFS config and daemon and whatever OS part integrity, and for
> the attacker it is an order of magnitude harder to modify Linux
> partitions (or install a sniffer, or whatever) than just looking
> over cache contents.  In other words, probably not worth it.
>
> I am not trying to push "cache encryption for president!" ideas,
> just presented a situation where cache content encryption would be
> considered as a goodie.
>
> > My point is that worrying about the cache being encrypted in
> > your environment is like worrying about your car doors being
> > locked when you don't have any window glass.
>
> I would use another analogy.  Worrying about the cache being
> encrypted is like worrying about having shaded window glass not
> to be able to see the color of the seats; to do that, you have to
> attempt to open the (not locked) doors (and risking triggering the
> alarm).
>
> Peter
>
> --
>     .+'''+.         .+'''+.         .+'''+.         .+'''+.         .+''
>  Kelemen Péter     /       \       /       \       /      fuji@elte.hu
> .+'         `+...+'         `+...+'         `+...+'         `+...+'

--
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com