[OpenAFS] /afs permissions
Todd M. Lewis
Todd_Lewis@unc.edu
Fri, 28 Oct 2005 13:32:57 -0400
slushpupie@gmail.com wrote:
> On 10/28/05, Joe Buehler <jbuehler@spirentcom.com> wrote:
> Something of importance: putting sensitive information like ssh
> private keys and PGP keys, etc. in AFS is a bad idea unless you have
> encryption in there someplace. Same is true for any network-based
> filesystem.

Unfortunately, the only available "someplace" to turn on encryption is
on the client. Turning on encryption on a client encrypts all traffic
bound to that client (most of it unnecessarily). Yet the same data
passes in the clear if another client accesses it.

It would be a Good Thing if encryption were a per-directory thing like
an ACL, enforced by the server, so you could make sure your sensitive
information was never passed in the clear. I have no idea how hard it
would be to implement an "encrypted directory" flag, but I suspect it
would mean breaking things. Would this be a reasonable thing to put on
the wish list?
--
+--------------------------------------------------------------+
/ Todd_Lewis@unc.edu 919-962-5273 http://www.unc.edu/~utoddl /
/ A bicycle can't stand alone because it is two-tired. /
+--------------------------------------------------------------+