[OpenAFS] newbie observations...

Todd M. Lewis Todd_Lewis@unc.edu
Tue, 27 Sep 2005 10:52:02 -0400

Jiann-Ming Su wrote:
> On 9/27/05, Chris Crowther <chris@jm-crowther.co.uk> wrote:
>>Jiann-Ming Su wrote:
>>>Also,  I'm not at the point where I can sniff the traffic yet, but is
>>>the network traffic encrypted?   Thanks for any insights.
>>        If you choose for it to be, it is.
> And how do I verify that I've chosen it to be?

There's an option in "fs" to turn on encryption between the file server 
and the cache manager.  It's off by default. Behold:

$ fs help setcrypt
fs setcrypt: set cache manager encryption flag
Usage: fs setcrypt -crypt <on or off> [-help]

If you turn it on, it will be on for all file content traffic on that 

One could argue (and I guess I am) that a better design would be to have 
encryption set as part of a directory's ACL. You could then ensure that 
the data you really wanted to protect was always encrypted regardless of 
the client (mis)configuration. You also would avoid the overhead of 
encrypting all the other traffic to a given client for data in other 
directories that really doesn't matter so much.

Of course, changing things to work that way would break everybody 
overnight.  I would be cool, though.
   /   Todd_Lewis@unc.edu  919-962-5273  http://www.unc.edu/~utoddl  /
  / A Freudian slip is when you say one thing but mean your mother. /