[OpenAFS] encrypted volumes

Christof Hanke christof.hanke@induhviduals.de
Fri, 6 Feb 2009 22:45:02 +0200


> On Friday, 6 February 2009 02:09:09, David Bear wrote:
 
>> Has there ever been much discussion on creating encrypted volumes? These
>> would work like a local encrypted file system - without the key, they are
>> useless. I'm thinking that you might need an fs setkey or something like
>> that to insert the key into the cache manager. fs mkmount could have a
>> switch that would specify it was an encrypted volume.
 
> The problem is that volumes in AFS are not mounted and unmounted all the
> time.
> They are mounted into the tree once and are usually available anytime. To
> prevent access to sensitive files, use ACLs.
 
> Things like ecryptfs, truecrypt or LUKS only protect data as long as the
> volume is _not_ mounted. Once mounted, normal Unix access permissions or ACLs
> apply. So what you could do is to create encrypted vice partitions and put
> volumes with sensitive data onto those, so that in case of theft or whatever
> the data cannot be read by the attacker.
 
Sorry, but I think you see this from the wrong angle.
The point I think here is to protect sensitive data even against admins, the 
guys who can read /vicep* anyway...

Having said this, it is clear the encryption has to be on the client side.

Thus I guess a way to implement this could be:
* each Volume has an attribute "encryption-UUID";
if the Volume is not encrypted this value is just empty.
* A client can have multiple encryption keys which are set with
"fs setkey -uuid=blah -passphrase=blahblah -alg=superblah"
* if the client wants to read from a volume which has an "encryption-UUID" it
looks into its internal table for this UUID and tries to encrypt it with the
matching parameters; if there's no such entry it just returns the raw data.

I haven't thought about how to implement this *really*, but I hope this could 
continue the discussion...

T/Christof 

BTW: this could be "easily" extended to the directory- or file-level...
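The key-table design sketched in Christof's message, modelled as an added Python example (not OpenAFS code; the class and function names, the PBKDF2 key derivation, and the HMAC-based keystream standing in for a real cipher are assumptions): the cache manager keeps keys per encryption-UUID, setkey fills the table, and a read whose UUID has no entry hands back the stored bytes unchanged. On the read path the model decrypts, since that is what the lookup must do to return plaintext, and a wrong key is caught by the integrity tag rather than yielding garbage.

```python
import hashlib
import hmac
import os

# Constructed model of the proposal (assumed names, not OpenAFS code): a volume
# carries an "encryption-UUID" and the cache manager consults a key table on I/O.

def derive_keys(passphrase: str, uuid: str):
    # PBKDF2 salted with the volume UUID, split into separate keystream and MAC keys
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), uuid.encode(), 100_000)
    return hmac.digest(master, b"enc", "sha256"), hmac.digest(master, b"mac", "sha256")

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF (illustrative stand-in for a real AEAD)
    blocks = (hmac.digest(enc_key, nonce + i.to_bytes(4, "big"), "sha256")
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def seal(keys, plaintext: bytes, nonce: bytes = b"") -> bytes:
    enc_key, mac_key = keys
    nonce = nonce or os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(mac_key, nonce + ct, "sha256")  # encrypt-then-MAC

def open_(keys, blob: bytes) -> bytes:
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mac_key, nonce + ct, "sha256")):
        raise ValueError("integrity check failed: wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

class CacheManager:
    def __init__(self):
        self.keys = {}  # encryption-UUID -> (keystream key, MAC key)

    def setkey(self, uuid: str, passphrase: str):
        # Models "fs setkey -uuid=... -passphrase=..." from the post
        self.keys[uuid] = derive_keys(passphrase, uuid)

    def read(self, volume_uuid: str, stored: bytes) -> bytes:
        # Unencrypted volume (empty UUID) or no matching entry: return raw data
        if not volume_uuid or volume_uuid not in self.keys:
            return stored
        return open_(self.keys[volume_uuid], stored)

    def write(self, volume_uuid: str, data: bytes) -> bytes:
        if not volume_uuid or volume_uuid not in self.keys:
            return data
        return seal(self.keys[volume_uuid], data)
```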