[OpenAFS] encrypted volumes

Dirk Heinrichs dirk.heinrichs@online.de
Fri, 6 Feb 2009 19:22:01 +0100


On Friday, 6 February 2009 02:09:09, David Bear wrote:

> Has there ever been much discussion on creating encrypted volumes? These
> would work like a local encrypted file system - without the key, they are
> useless. I'm thinking that you might need an fs setkey or something like
> that to insert the key into the cache manager.. fs mkmount could have a
> switch that would specify it was an encrypted volume..

The problem is that volumes in AFS are not mounted and unmounted all the time.
They are mounted into the tree once and are usually available anytime. To
prevent access to sensitive files, use ACLs.

Things like ecryptfs, truecrypt or LUKS only protect data as long as the
volume is _not_ mounted. Once mounted, normal Unix access permissions or ACLs
apply. So what you could do is to create encrypted vice partitions and put
volumes with sensitive data onto those, so that in case of theft or whatever
the data cannot be read by the attacker.

HTH...

	Dirk
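
Added example, not part of the original message: a check that each mounted vice partition sits on a dm-crypt (LUKS) layer, which is the at-rest protection suggested above. It assumes the fileserver's `lsblk -J -o PATH,TYPE,MOUNTPOINT` output is available; the sample JSON and device names are constructed, and ecryptfs or truecrypt setups are not detected.

```python
import json
import re

# OpenAFS fileservers keep volumes on partitions mounted as /vicepa, /vicepb, ...
VICEP = re.compile(r"^/vicep[a-z]{1,2}$")

# Constructed sample of `lsblk -J -o PATH,TYPE,MOUNTPOINT` output (not a real host).
SAMPLE_LSBLK = """
{"blockdevices": [
  {"path": "/dev/sda", "type": "disk", "mountpoint": null, "children": [
    {"path": "/dev/sda1", "type": "part", "mountpoint": "/vicepa"},
    {"path": "/dev/sda2", "type": "part", "mountpoint": null, "children": [
      {"path": "/dev/mapper/vicepb_crypt", "type": "crypt", "mountpoint": "/vicepb"}]}]},
  {"path": "/dev/sdb", "type": "disk", "mountpoint": null, "children": [
    {"path": "/dev/mapper/sdb_crypt", "type": "crypt", "mountpoint": null, "children": [
      {"path": "/dev/mapper/vg0-vicepc", "type": "lvm", "mountpoint": "/vicepc"}]}]}
]}
"""


def audit_vice_partitions(lsblk_json):
    """Map each mounted /vicepXX to True if a dm-crypt device is in its storage stack."""
    result = {}

    def walk(node, encrypted):
        # A "crypt" node protects itself and everything stacked on top (e.g. LVM on LUKS).
        encrypted = encrypted or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and VICEP.match(mountpoint):
            result[mountpoint] = encrypted
        for child in node.get("children", []):
            walk(child, encrypted)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result


def unencrypted(lsblk_json):
    """Vice partitions whose data would be readable from a stolen disk."""
    return sorted(mp for mp, enc in audit_vice_partitions(lsblk_json).items() if not enc)


if __name__ == "__main__":
    for mp, enc in sorted(audit_vice_partitions(SAMPLE_LSBLK).items()):
        print(f"{mp}: {'dm-crypt' if enc else 'NOT encrypted at rest'}")
```

A partition reported as encrypted is still readable through the fileserver while it is mounted, so ACLs remain the access control for live data.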
