[OpenAFS] AES Support ?

John Hascall john@iastate.edu
Thu, 27 Sep 2007 15:05:01 CDT

> On Thu, 27 Sep 2007, John Hascall wrote:
> >   By "not yet completed" I meant started.  If I'm understanding
> >   the process as it was outlined many messages ago it was:
> >       1) create afs-k5 or (or is it k5-afs?) key
> >       2) upgrade all your servers
> >       3) upgrade all your clients
> >       4) remove the old afs key

> actually, i think i'd upgrade the servers, then add the key, then upgrade 
> the clients, then remove the old keyS

   Well, if that's doable, it would be a big win.  Thanks.

> for experimental deployment i'd use a 3rd key that clients needed to know 
> about to use.

   I can see how doing the servers first, then the key,
   basically switches the whole cell to the method at once.

   So, I'm not sure I'm following exactly, but I think you are
   suggesting this as a way to test before then (which would
   be a good thing).  You seem to imply that a clients can
   somehow be manually instructed to use an arbitrary keyname
   (say afs-k5-test) -- is this correct?   Then you could create
   this key that other clients would not know about, and then
   I am assuming you could also configure a test server in your
   cell with this key name too?