[OpenAFS] /afs permissions

Todd M. Lewis Todd_Lewis@unc.edu
Fri, 28 Oct 2005 13:32:57 -0400

slushpupie@gmail.com wrote:
> On 10/28/05, Joe Buehler <jbuehler@spirentcom.com> wrote:

> Something of importance: putting sensitive information like ssh
> private keys and PGP keys, etc. in AFS is a bad idea unless you have
> encryption in there someplace.  Same is true for any network-based
> filesystem.

Unfortunately, the only available "someplace" to turn on encryption is 
on the client. Turning on encryption on a client encrypts all traffic 
bound to that client (most of it unnecessarily). Yet the same data 
passes in the clear if another client accesses it.

It would be a Good Thing if encryption were a per-directory thing like 
an ACL, enforced by the server, so you could make sure your sensitive 
information was never passed in the clear.  I have no idea how hard it 
would be to implement an "encrypted directory" flag, but I suspect it 
would mean breaking things. Would this be a reasonable thing to put on 
the wish list?
   / Todd_Lewis@unc.edu  919-962-5273  http://www.unc.edu/~utoddl /
  /     A bicycle can't stand alone because it is two-tired.     /
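
Added example, not part of the original post and not OpenAFS code: because encryption can only be switched on per client, a wrapper on that client can fail closed and refuse to read key material under /afs unless `fs getcrypt` reports crypt. The matched output strings and the /afs path in the usage comment are assumptions, and the guard does nothing for the same files fetched from another client.

```shell
#!/bin/sh
# Fail-closed guard for reading sensitive files out of AFS.
# Assumption: `fs getcrypt` prints "Security level is currently crypt ..."
# when client encryption is on and "Security level is currently clear."
# when it is off.

# Classify one line of `fs getcrypt` output: prints crypt, clear or unknown.
crypt_state() {
    case "$1" in
        *"Security level is currently crypt"*) echo crypt ;;
        *"Security level is currently clear"*) echo clear ;;
        *) echo unknown ;;
    esac
}

# Ask the local cache manager. A missing `fs` binary or an error counts
# as unknown, which the guard below treats the same as clear.
client_crypt_state() {
    out=$(fs getcrypt 2>/dev/null) || { echo unknown; return 0; }
    crypt_state "$out"
}

# run_if_encrypted STATE COMMAND [ARGS...]
# Runs COMMAND only when STATE is exactly "crypt".
run_if_encrypted() {
    state=$1
    shift
    if [ "$state" != crypt ]; then
        echo "refusing: AFS client encryption is '$state'" >&2
        echo "enable it on this client with: fs setcrypt on" >&2
        return 1
    fi
    "$@"
}

# Usage (hypothetical path):
#   run_if_encrypted "$(client_crypt_state)" \
#       ssh-add /afs/example.org/user/alice/.ssh/id_rsa
```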