[OpenAFS] newbie observations...
Todd M. Lewis
Todd_Lewis@unc.edu
Tue, 27 Sep 2005 10:52:02 -0400
Jiann-Ming Su wrote:
> On 9/27/05, Chris Crowther <chris@jm-crowther.co.uk> wrote:
>
>>Jiann-Ming Su wrote:
>>>Also, I'm not at the point where I can sniff the traffic yet, but is
>>>the network traffic encrypted? Thanks for any insights.
>>
>> If you choose for it to be, it is.
>>
> And how do I verify that I've chosen it to be?

There's an option in "fs" to turn on encryption between the file server
and the cache manager. It's off by default. Behold:

  $ fs help setcrypt
  fs setcrypt: set cache manager encryption flag
  Usage: fs setcrypt -crypt <on or off> [-help]

If you turn it on, it will be on for all file content traffic on that
client.

One could argue (and I guess I am) that a better design would be to have
encryption set as part of a directory's ACL. You could then ensure that
the data you really wanted to protect was always encrypted regardless of
the client (mis)configuration. You also would avoid the overhead of
encrypting all the other traffic to a given client for data in other
directories that really doesn't matter so much.

Of course, changing things to work that way would break everybody
overnight. It would be cool, though.
--
+-----------------------------------------------------------------+
/ Todd_Lewis@unc.edu 919-962-5273 http://www.unc.edu/~utoddl /
/ A Freudian slip is when you say one thing but mean your mother. /
+-----------------------------------------------------------------+
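
The question above was how to verify the setting on a client. The following is an added example, not part of the original message: a shell check that reads the flag with `fs getcrypt` and can turn it on with the `fs setcrypt -crypt on` shown in the reply. The exact wording of the `fs getcrypt` output and the `FS_CMD` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: `fs getcrypt` prints one line such as
#   "Security level is currently crypt (data security)."
#   "Security level is currently clear."

# Map one line of `fs getcrypt` output to on / off / unknown.
crypt_state() {
    case "$1" in
        *"currently crypt"*) echo on ;;
        *"currently clear"*) echo off ;;
        *) echo unknown ;;
    esac
}

# Report the cache manager encryption flag on this client.
# With "enforce" as first argument, switch it on when it is off.
# FS_CMD (hypothetical variable) lets a test substitute the fs binary.
# Returns 0 = on, 1 = off, 2 = could not be determined.
check_afs_crypt() {
    fs_cmd=${FS_CMD:-fs}
    out=$($fs_cmd getcrypt 2>&1) || {
        echo "fs getcrypt failed: $out" >&2
        return 2
    }
    state=$(crypt_state "$out")
    if [ "$state" = off ] && [ "${1:-}" = enforce ]; then
        # setcrypt must be run as root on the client
        $fs_cmd setcrypt -crypt on || return 2
        out=$($fs_cmd getcrypt 2>&1) || return 2
        state=$(crypt_state "$out")   # re-read instead of trusting the set
    fi
    case "$state" in
        on)  echo "AFS file content encryption: on"; return 0 ;;
        off) echo "AFS file content encryption: OFF" >&2; return 1 ;;
        *)   echo "unrecognised fs getcrypt output: $out" >&2; return 2 ;;
    esac
}

# Usage: check_afs_crypt            (report only)
#        check_afs_crypt enforce    (turn on if off, then re-check)
```

Because the flag is per client, as the reply notes, the check has to run on every client whose traffic matters; the non-zero return codes make it usable from a monitoring job.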